web proxy: move all files to plugin #7030

This commit is contained in:
Franco Fichtner 2023-12-19 15:08:32 +01:00
parent 52fe119e0c
commit 8226c84a2f
90 changed files with 0 additions and 7320 deletions


@ -185,8 +185,6 @@ CORE_DEPENDS?= ca_root_nss \
radvd \
rrdtool \
samplicator \
squid \
squid-langpack \
strongswan \
sudo \
syslog-ng \

88
plist

@ -39,7 +39,6 @@
/usr/local/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php
/usr/local/etc/inc/plugins.inc.d/openvpn/wizard.inc
/usr/local/etc/inc/plugins.inc.d/pf.inc
/usr/local/etc/inc/plugins.inc.d/squid.inc
/usr/local/etc/inc/plugins.inc.d/suricata.inc
/usr/local/etc/inc/plugins.inc.d/unbound.inc
/usr/local/etc/inc/plugins.inc.d/vxlan.inc
@ -207,50 +206,6 @@
/usr/local/opnsense/contrib/tzdata/iso3166.tab
/usr/local/opnsense/contrib/tzdata/zone.tab
/usr/local/opnsense/data/firmware/upgrade.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ESI.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html
/usr/local/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
/usr/local/opnsense/data/proxy/template_error_pages/error-details.txt
/usr/local/opnsense/data/proxy/template_error_pages/errorpage.css
/usr/local/opnsense/mvc/app/cache/README
/usr/local/opnsense/mvc/app/config/config.php
/usr/local/opnsense/mvc/app/config/loader.php
@ -435,15 +390,6 @@
/usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogStaticKey.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/IndexController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACMatch.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACProxy.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACRule.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Routes/Api/GatewayController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Routes/Api/RoutesController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Routes/IndexController.php
@ -506,7 +452,6 @@
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/LocalTOTP.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/Squid.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php
@ -741,11 +686,6 @@
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/Migrations/M1_0_0.php
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/ACL/ACL.xml
/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/Menu/Menu.xml
/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/Migrations/M1_0_0.php
/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
/usr/local/opnsense/mvc/app/models/OPNsense/Routes/Route.php
/usr/local/opnsense/mvc/app/models/OPNsense/Routes/Route.xml
/usr/local/opnsense/mvc/app/models/OPNsense/Routing/FieldTypes/GatewayField.php
@ -848,7 +788,6 @@
/usr/local/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
/usr/local/opnsense/mvc/app/views/OPNsense/OpenVPN/instances.volt
/usr/local/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Routes/index.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Routing/configuration.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Syslog/index.volt
@ -1089,12 +1028,6 @@
/usr/local/opnsense/scripts/openvpn/ovpn_status.py
/usr/local/opnsense/scripts/openvpn/tls_verify.php
/usr/local/opnsense/scripts/openvpn/user_pass_verify.php
/usr/local/opnsense/scripts/proxy/deploy_error_pages.py
/usr/local/opnsense/scripts/proxy/download_error_pages.py
/usr/local/opnsense/scripts/proxy/fetchACLs.py
/usr/local/opnsense/scripts/proxy/generate_cert.php
/usr/local/opnsense/scripts/proxy/lib/__init__.py
/usr/local/opnsense/scripts/proxy/setup.sh
/usr/local/opnsense/scripts/routes/del_route.py
/usr/local/opnsense/scripts/routes/gateway_status.php
/usr/local/opnsense/scripts/routes/gateway_watcher.php
@ -1136,7 +1069,6 @@
/usr/local/opnsense/scripts/syslog/lockout_handler
/usr/local/opnsense/scripts/syslog/log_archive
/usr/local/opnsense/scripts/syslog/logformats/__init__.py
/usr/local/opnsense/scripts/syslog/logformats/squid.py
/usr/local/opnsense/scripts/syslog/logformats/syslog.py
/usr/local/opnsense/scripts/syslog/queryLog.py
/usr/local/opnsense/scripts/system/activity.py
@ -1180,7 +1112,6 @@
/usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
/usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
/usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
/usr/local/opnsense/service/conf/actions.d/actions_syslog.conf
/usr/local/opnsense/service/conf/actions.d/actions_system.conf
/usr/local/opnsense/service/conf/actions.d/actions_template.conf
@ -1259,24 +1190,6 @@
/usr/local/opnsense/service/templates/OPNsense/Netflow/flowd_aggregate.rc.conf.d
/usr/local/opnsense/service/templates/OPNsense/Netflow/netflow.conf
/usr/local/opnsense/service/templates/OPNsense/Netflow/rc.conf.d
/usr/local/opnsense/service/templates/OPNsense/Proxy/+TARGETS
/usr/local/opnsense/service/templates/OPNsense/Proxy/auth.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
/usr/local/opnsense/service/templates/OPNsense/Proxy/cache.active
/usr/local/opnsense/service/templates/OPNsense/Proxy/error_directory_in
/usr/local/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/newsyslog.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
/usr/local/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/post-auth.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/pre-auth.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
/usr/local/opnsense/service/templates/OPNsense/Proxy/snmp.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.pam
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
/usr/local/opnsense/service/templates/OPNsense/Proxy/wpad.dat
/usr/local/opnsense/service/templates/OPNsense/Sample/+TARGETS
/usr/local/opnsense/service/templates/OPNsense/Sample/example_config.txt
/usr/local/opnsense/service/templates/OPNsense/Sample/example_parent.txt
@ -1305,7 +1218,6 @@
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/ppps.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/resolver.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/routing.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/suricata.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/vpn.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf


@ -1,79 +0,0 @@
<?php
/*
* Copyright (C) 2016 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function squid_services()
{
global $config;
$services = array();
if (
isset($config['OPNsense']['proxy']['general']['enabled']) &&
$config['OPNsense']['proxy']['general']['enabled'] == 1
) {
$services[] = array(
'description' => gettext('Squid Web Proxy'),
'configd' => array(
'restart' => array('proxy restart'),
'start' => array('proxy start'),
'stop' => array('proxy stop'),
),
'pidfile' => '/var/run/squid/squid.pid',
'name' => 'squid',
);
}
return $services;
}
function squid_xmlrpc_sync()
{
$result = array();
$result[] = array(
'description' => gettext('Squid Web Proxy'),
'section' => 'OPNsense.proxy',
'id' => 'squid',
'services' => ["squid"],
);
return $result;
}
/**
* our squid instance by default logs to file, when syslog is selected, we need a target definition to catch traffic.
* which flushes our local traffic to /var/log/squid.log (which would otherwise end up in /var/log/squid/access.log)
*/
function squid_syslog()
{
$logfacilities = array();
$logfacilities['squid'] = array(
'facility' => array('(squid-1)')
);
return $logfacilities;
}


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,43 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Time Quota Exceeded.</b></p>
</blockquote>
<p>This proxy limits your time online with a quota. Your time budget is now empty but will be refilled when the configured time period starts again.</p>
<p>These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,64 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Web Browser Configuration</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>Web Browser Configuration</h2>
</div>
<hr>
<div id="content">
<blockquote id="error">
<p>Your Web Browser configuration needs to be corrected to use this network.</p>
</blockquote>
<p>How to find these settings in your browser:</p>
<div id="firefox">
For Firefox browsers go to:
<ul>
<li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li>
<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
</ul>
</div>
<div id="microsoft">
For Internet Explorer browsers go to:
<ul>
<li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li>
<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
</ul>
</div>
<div id="opera">
For Opera browsers go to:
<ul>
<li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li>
<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
</ul>
</div>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,64 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Web Browser Configuration</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>Web Browser Configuration</h2>
</div>
<hr>
<div id="content">
<blockquote id="error">
<p>Your Web Browser configuration needs to be corrected to use this network.</p>
</blockquote>
<p>How to find these settings in your browser:</p>
<div id="firefox">
For Firefox browsers go to:
<ul>
<li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li>
<li>Select Auto-detect proxy settings for this network</li>
</ul>
</div>
<div id="microsoft">
For Internet Explorer browsers go to:
<ul>
<li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li>
<li>Select Automatically detect settings</li>
</ul>
</div>
<div id="opera">
For Opera browsers go to:
<ul>
<li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li>
<li>Select Use Automatic proxy configuration</li>
</ul>
</div>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,43 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Access Denied</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Cache Access Denied.</b></p>
</blockquote>
<p>Sorry, you are not currently allowed to request %U from this cache until you have authenticated yourself.</p>
<p>Please contact the <a href="mailto:%w%W">cache administrator</a> if you have difficulties authenticating yourself.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,43 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Manager Access Denied</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>Cache Manager Access Denied.</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Cache Manager Access Denied.</b></p>
</blockquote>
<p>Sorry, you are not currently allowed to request %U from this cache manager until you have authenticated yourself.</p>
<p>Please contact the <a href="mailto:%w%W">cache administrator</a> if you have difficulties authenticating yourself or, if you <em>are</em> the administrator, read Squid documentation on cache manager interface and check cache log for more detailed error messages.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,50 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Unable to forward this request at this time.</b></p>
</blockquote>
<p>This request could not be forwarded to the origin server or to any parent caches.</p>
<p>Some possible problems are:</p>
<ul>
<li id="network-down">An Internet connection needed to access this domains origin servers may be down.</li>
<li id="no-peer">All configured parent caches may be currently unreachable.</li>
<li id="permission-denied">The administrator may not allow this cache to make direct connections to origin servers.</li>
</ul>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,48 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="data">
<pre>URI Host Conflict</pre>
</blockquote>
<p>This means the domain name you are trying to access apparently no longer exists on the machine you are requesting it from.</p>
<p>Some possible problems are:</p>
<ul>
<li>The domain may have moved very recently. Trying again will resolve that.</li>
<li>The website may require you to use a local country-based version. Using your ISP provided DNS server(s) should resolve that.</li>
</ul>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,45 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Connection to %I failed.</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>The remote host or network may be down. Please try the request again.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,46 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory: %U</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h2>Directory: <a href="%U">%U</a>/</h2>
</div>
<hr>
<div id="content">
<h4>Directory Content:</h4>
<blockquote id="data">
<pre id="dirmsg">%z</pre>
</blockquote>
<table id="dirlisting" summary="Directory Listing">
<tr>
<th><a href="../"><img border="0" src="/squid-internal-static/icons/silk/arrow_up.png" alt=""></a></th>
<th nowrap="nowrap"><a href="../">Parent Directory</a> (<a href="/">Root Directory</a>)</th>
</tr>
%g
</table>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,47 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Unable to determine IP address from host name <q>%H</q></b></p>
</blockquote>
<p>The DNS server returned:</p>
<blockquote id="data">
<pre>%z</pre>
</blockquote>
<p>This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,47 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>ESI Processing failed.</b></p>
</blockquote>
<p>The ESI processor returned:</p>
<blockquote id="data">
<pre>%Z</pre>
</blockquote>
<p>This means that the surrogate was not able to process the ESI template. Please report this error to the webmaster.</p>
<p>Your webmaster is <a href="mailto:%w">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,43 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Forwarding Denied.</b></p>
</blockquote>
<p>This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at %i is a cache which has been misconfigured.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,43 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>FTP is Disabled</b></p>
</blockquote>
<p>This cache does not support FTP.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,47 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>An FTP protocol error occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
<p>Squid sent the following FTP command:</p>
<blockquote id="data">
<pre>%f</pre>
</blockquote>
<p>The server responded with:</p>
<blockquote id="error">
<pre>%F</pre>
<pre>%g</pre>
</blockquote>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,47 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>An FTP authentication failure occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
<p>Squid sent the following FTP command:</p>
<blockquote id="data">
<pre>%f</pre>
</blockquote>
<p>The server responded with:</p>
<blockquote id="sysmsg">
<pre>%F</pre>
<pre>%g</pre>
</blockquote>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,49 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following URL could not be retrieved: <a href="%U">%U</a></p>
<p>Squid sent the following FTP command:</p>
<blockquote id="data">
<pre>%f</pre>
</blockquote>
<p>The server responded with:</p>
<blockquote id="sysmsg">
<pre>%F</pre>
<pre>%g</pre>
</blockquote>
<p>This might be caused by an FTP URL with an absolute path (which does not comply with RFC 1738). If this is the cause, then the file can be found at <a href="%B">%B</a>.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,31 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>FTP PUT Successful.</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1 id="ftpsuccess">Operation successful</h1>
<h2>File created</h2>
</div>
<hr>
<br>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,48 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: FTP upload failed</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>FTP PUT upload failed</h2>
</div>
<hr>
<div id="content">
<p>An FTP protocol error occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
<p>Squid sent the following FTP command:</p>
<blockquote id="data">
<pre>%f</pre>
</blockquote>
<p>The server responded with:</p>
<blockquote id="sysmsg">
<pre>%F</pre>
</blockquote>
<p>This means that the FTP server may not have permission or space to store the file. Check the path, permissions, diskspace and try again.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,31 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>FTP PUT Successful.</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1 id="ftpsuccess">Operation successful</h1>
<h2>File updated</h2>
</div>
<hr>
<br>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,48 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The FTP server was too busy to retrieve the URL: <a href="%U">%U</a></p>
<p>Squid sent the following FTP command:</p>
<blockquote id="data">
<pre>%f</pre>
</blockquote>
<p>The server responded with:</p>
<blockquote id="sysmsg">
<pre>%F</pre>
<pre>%g</pre>
</blockquote>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Gateway Proxy Failure</b></p>
</blockquote>
<p>A non-recoverable internal failure or configuration problem prevents this request from being completed.</p>
<p>This may be due to limits established by the Internet Service Provider who operates this cache. Please contact them directly for more information.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,49 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>ICAP protocol error.</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>This means that some aspect of the ICAP communication failed.</p>
<p>Some possible problems are:</p>
<ul>
<li><p>The ICAP server is not reachable.</p></li>
<li><p>An Illegal response was received from the ICAP server.</p></li>
</ul>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,57 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p><b>Invalid Request</b> error was encountered while trying to process the request:</p>
<blockquote id="data">
<pre>%R</pre>
</blockquote>
<p>Some possible problems are:</p>
<ul>
<li id="missing-method"><p>Missing or unknown request method.</p></li>
<li id="missing-url"><p>Missing URL.</p></li>
<li id="missing-protocol"><p>Missing HTTP Identifier (HTTP/1.0).</p></li>
<li><p>Request is too large.</p></li>
<li><p>Content-Length missing for POST or PUT requests.</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
<li><p>HTTP/1.1 <q>Expect:</q> feature is being asked from an HTTP/1.0 software.</p></li>
</ul>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<script language="javascript">
if ('%M' != '[unknown method]') document.getElementById('missing-method').style.display = 'none';
if ('%u' != '[no URL]') document.getElementById('missing-url').style.display = 'none';
if ('%P' != '[unknown protocol]') document.getElementById('missing-protocol').style.display = 'none';
</script>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p><b>Invalid Response</b> error was encountered while trying to process the request:</p>
<blockquote id="data">
<pre>%R</pre>
</blockquote>
<p>The HTTP Response message received from the contacted server could not be understood or was otherwise malformed. Please contact the site operator.</p>
<p>Your cache administrator may be able to provide you with more details about the exact nature of the problem if needed.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,50 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>
<p>Some aspect of the requested URL is incorrect.</p>
<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Connection Lifetime Expired</b></p>
</blockquote>
<p>Squid has terminated the request because it has exceeded the maximum connection lifetime.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>No Wais Relay</b></p>
</blockquote>
<p>There is no WAIS Relay host defined for this Cache! Yell at the administrator.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Valid document was not found in the cache and <q>only-if-cached</q> directive was specified.</b></p>
</blockquote>
<p>You have issued a request with a <q>only-if-cached</q> cache control directive. The document was not found in the cache, <em>or</em> it required revalidation prohibited by the <q>only-if-cached</q> directive.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Precondition Failed.</b></p>
</blockquote>
<p>This means:</p>
<blockquote>
<p>At least one precondition specified by the HTTP client in the request header has failed.</p>
</blockquote>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Unsupported Protocol</b></p>
</blockquote>
<p>Squid does not support some access protocols. For example, the SSH protocol is currently not supported.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Read Error</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>An error condition occurred while reading data from the network. Please retry your request.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Read Timeout</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>A Timeout occurred while waiting to read data from the network. The network or server may be down or congested. Please retry your request.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,50 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Failed to establish a secure connection to %I</b></p>
</blockquote>
<div id="sysmsg">
<p>The system returned:</p>
<blockquote id="data">
<pre>%E (TLS code: %x)</pre>
<p>%D</p>
</blockquote>
</div>
<p>This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,38 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<p>This cache is in the process of shutting down and can not service your request at this time. Please retry your request again soon.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Socket Failure</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>The request or reply is too large.</b></p>
</blockquote>
<p>If you are making a POST or PUT request, then the item you are trying to upload is too large.</p>
<p>If you are making a GET request, then the item you are trying to download is too large.</p>
<p>These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>Unsupported HTTP version</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Unsupported HTTP version</b></p>
</blockquote>
<p>This Squid does not accept the HTTP version you are attempting to use.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Unsupported Request Method and Protocol</b></p>
</blockquote>
<p>Squid does not support all request methods for all access protocols.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URN could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>A URL for the requested URN could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URN: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Cannot Resolve URN</b></p>
</blockquote>
<p>Hey, don't expect too much from URNs on %T :)</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,44 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Write Error</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>%E</i></p>
<p>An error condition occurred while writing to the network. Please retry your request.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,42 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<!--EMBED:start-->
<!-- leave this block as is, our parser will convert links to inline content -->
<link rel="stylesheet" type="text/css" href="errorpage.css">
<!--EMBED:end -->
<style type="text/css"><!--
%l
body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=%c>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
<blockquote id="error">
<p><b>Zero Sized Reply</b></p>
</blockquote>
<p>Squid did not receive any data for this request.</p>
<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>


@ -1,227 +0,0 @@
name: SQUID_X509_V_ERR_INFINITE_VALIDATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Cert validation infinite loop detected"
name: SQUID_TLS_ERR_ACCEPT
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Failed to accept a secure connection"
name: SQUID_TLS_ERR_CONNECT
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Failed to establish a secure connection"
name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate does not match domainname"
name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
detail: "SSL Certificate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get issuer certificate"
name: X509_V_ERR_UNABLE_TO_GET_CRL
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to get certificate CRL"
name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt certificate's signature"
name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt CRL's signature"
name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
descr: "Unable to decode issuer public key"
name: X509_V_ERR_CERT_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate signature failure"
name: X509_V_ERR_CRL_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL signature failure"
name: X509_V_ERR_CERT_NOT_YET_VALID
detail: "SSL Certificate is not valid before: %ssl_notbefore"
descr: "Certificate is not yet valid"
name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"
name: X509_V_ERR_CRL_NOT_YET_VALID
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL is not yet valid"
name: X509_V_ERR_CRL_HAS_EXPIRED
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL has expired"
name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
descr: "Format error in certificate's notBefore field"
name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
descr: "Format error in certificate's notAfter field"
name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's lastUpdate field"
name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's nextUpdate field"
name: X509_V_ERR_OUT_OF_MEM
detail: "%ssl_error_descr"
descr: "Out of memory"
name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
detail: "Self-signed SSL Certificate: %ssl_subject"
descr: "Self signed certificate"
name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
detail: "Self-signed SSL Certificate in chain: %ssl_subject"
descr: "Self signed certificate in certificate chain"
name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
detail: "SSL Certificate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get local issuer certificate"
name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to verify the first certificate"
name: X509_V_ERR_CERT_CHAIN_TOO_LONG
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate chain too long"
name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"
name: X509_V_ERR_INVALID_CA
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Invalid CA certificate"
name: X509_V_ERR_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Path length constraint exceeded"
name: X509_V_ERR_INVALID_PURPOSE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported certificate purpose"
name: X509_V_ERR_CERT_UNTRUSTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate not trusted"
name: X509_V_ERR_CERT_REJECTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate rejected"
name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Subject issuer mismatch"
name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Authority and subject key identifier mismatch"
name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Authority and issuer serial number mismatch"
name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
detail: "%ssl_error_descr: %ssl_subject"
descr: "unable to get CRL issuer certificate"
name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical extension"
name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include CRL signing"
name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical CRL extension"
name: X509_V_ERR_INVALID_NON_CA
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid non-CA certificate (has CA markings)"
name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy path length constraint exceeded"
name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include digital signature"
name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy certificates not allowed, please set the appropriate flag"
name: X509_V_ERR_INVALID_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate extension"
name: X509_V_ERR_INVALID_POLICY_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate policy extension"
name: X509_V_ERR_NO_EXPLICIT_POLICY
detail: "%ssl_error_descr: %ssl_subject"
descr: "no explicit policy"
name: X509_V_ERR_DIFFERENT_CRL_SCOPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Different CRL scope"
name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported extension feature"
name: X509_V_ERR_UNNESTED_RESOURCE
detail: "%ssl_error_descr: %ssl_subject"
descr: "RFC 3779 resource not subset of parent's resources"
name: X509_V_ERR_PERMITTED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "permitted subtree violation"
name: X509_V_ERR_EXCLUDED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "excluded subtree violation"
name: X509_V_ERR_SUBTREE_MINMAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "name constraints minimum and maximum not supported"
name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported name constraint type"
name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name constraint syntax"
name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name syntax"
name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL path validation error"
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"



@ -1,157 +0,0 @@
<?php
/*
* Copyright (C) 2015 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Proxy\Api;
use OPNsense\Base\ApiMutableServiceControllerBase;
use OPNsense\Base\UserException;
use OPNsense\Core\Backend;
use OPNsense\Proxy\Proxy;
/**
* Class ServiceController
* @package OPNsense\Proxy
*/
class ServiceController extends ApiMutableServiceControllerBase
{
protected static $internalServiceClass = '\OPNsense\Proxy\Proxy';
protected static $internalServiceEnabled = 'general.enabled';
protected static $internalServiceTemplate = 'OPNsense/Proxy';
protected static $internalServiceName = 'proxy';
protected function reconfigureForceRestart()
{
$mdlProxy = new Proxy();
// some operations can not be performed by a squid -k reconfigure,
// try to determine if we need a stop/start here
$prev_sslbump_cert = trim(@file_get_contents('/var/squid/ssl_crtd.id'));
$prev_cache_active = !empty(trim(@file_get_contents('/var/squid/cache/active')));
return (((string)$mdlProxy->forward->sslcertificate) != $prev_sslbump_cert) ||
(!empty((string)$mdlProxy->general->cache->local->enabled) != $prev_cache_active);
}
private function hookStartErrorHandler($result)
{
if (preg_match('/__ok__$/', $result['response'])) {
$result['response'] = "ok";
} else {
throw new UserException($result['response'], gettext("proxy load error"));
}
return $result;
}
public function startAction()
{
return $this->hookStartErrorHandler(parent::startAction());
}
public function restartAction()
{
return $this->hookStartErrorHandler(parent::restartAction());
}
/**
* reload template only (for example PAC does not need to change squid configuration)
* @return array
*/
public function resetAction()
{
if ($this->request->isPost()) {
// close session for long running action
$this->sessionClose();
$backend = new Backend();
return array('status' => $backend->configdRun('proxy reset'));
} else {
return array('error' => 'This API endpoint must be called via POST',
'status' => 'error');
}
}
/**
* reload template only (for example PAC does not need to change squid configuration)
* @return array
*/
public function refreshTemplateAction()
{
if ($this->request->isPost()) {
// close session for long running action
$this->sessionClose();
$backend = new Backend();
return array('status' => $backend->configdRun('template reload OPNsense/Proxy'));
} else {
return array('error' => 'This API endpoint must be called via POST',
'status' => 'error');
}
}
/**
* fetch acls (download + install)
* @return array
*/
public function fetchaclsAction()
{
if ($this->request->isPost()) {
// close session for long running action
$this->sessionClose();
$backend = new Backend();
// generate template
$backend->configdRun('template reload OPNsense/Proxy');
// fetch files
$response = $backend->configdRun("proxy fetchacls");
return array("response" => $response,"status" => "ok");
} else {
return array("response" => array());
}
}
/**
* download (only) acls
* @return array
*/
public function downloadaclsAction()
{
if ($this->request->isPost()) {
// close session for long running action
$this->sessionClose();
$backend = new Backend();
// generate template
$backend->configdRun('template reload OPNsense/Proxy');
// download files
$response = $backend->configdRun("proxy downloadacls");
return array("response" => $response,"status" => "ok");
} else {
return array("response" => array());
}
}
}


@ -1,334 +0,0 @@
<?php
/**
* Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
* Copyright (C) 2017 Fabian Franz
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Proxy\Api;
use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Cron\Cron;
use OPNsense\Core\Config;
use OPNsense\Base\UIModelGrid;
/**
* Class SettingsController
* @package OPNsense\Proxy
*/
class SettingsController extends ApiMutableModelControllerBase
{
protected static $internalModelName = 'proxy';
protected static $internalModelClass = '\OPNsense\Proxy\Proxy';
/**
*
* search remote blacklists
* @return array
*/
public function searchRemoteBlacklistsAction()
{
$this->sessionClose();
$mdlProxy = $this->getModel();
$grid = new UIModelGrid($mdlProxy->forward->acl->remoteACLs->blacklists->blacklist);
return $grid->fetchBindRequest(
$this->request,
array("enabled", "filename", "url", "description"),
"description"
);
}
/**
* retrieve remote blacklist settings or return defaults
* @param $uuid item unique id
* @return array
*/
public function getRemoteBlacklistAction($uuid = null)
{
return $this->getBase("blacklist", "forward.acl.remoteACLs.blacklists.blacklist", $uuid);
}
/**
* update remote blacklist item
* @param string $uuid
* @return array result status
* @throws \Phalcon\Filter\Validation\Exception
*/
public function setRemoteBlacklistAction($uuid)
{
return $this->setBase('blacklist', 'forward.acl.remoteACLs.blacklists.blacklist', $uuid);
}
/**
* add new blacklist and set with attributes from post
* @return array
*/
public function addRemoteBlacklistAction()
{
return $this->addBase('blacklist', 'forward.acl.remoteACLs.blacklists.blacklist');
}
/**
* delete blacklist by uuid
* @param $uuid item unique id
* @return array status
*/
public function delRemoteBlacklistAction($uuid)
{
return $this->delBase('forward.acl.remoteACLs.blacklists.blacklist', $uuid);
}
/**
* toggle blacklist by uuid (enable/disable)
* @param $uuid item unique id
* @return array status
*/
public function toggleRemoteBlacklistAction($uuid)
{
return $this->toggleBase('forward.acl.remoteACLs.blacklists.blacklist', $uuid);
}
/**
* create new cron item for remote acl or return already available one
* @return array status action
*/
public function fetchRBCronAction()
{
$result = array("result" => "failed");
if ($this->request->isPost()) {
$mdlProxy = $this->getModel();
if ((string)$mdlProxy->forward->acl->remoteACLs->UpdateCron == "") {
$mdlCron = new Cron();
// update cron relation (if this doesn't break consistency)
$uuid = $mdlCron->newDailyJob("Proxy", "proxy fetchacls", "fetch proxy acls", "1");
$mdlProxy->forward->acl->remoteACLs->UpdateCron = $uuid;
if ($mdlCron->performValidation()->count() == 0) {
$mdlCron->serializeToConfig();
// save data to config, do not validate because the current in memory model doesn't know about the
// cron item just created.
$mdlProxy->serializeToConfig($validateFullModel = false, $disable_validation = true);
Config::getInstance()->save();
$result['result'] = "new";
$result['uuid'] = $uuid;
} else {
$result['result'] = "unable to add cron";
}
} else {
$result['result'] = "existing";
$result['uuid'] = (string)$mdlProxy->forward->acl->remoteACLs->UpdateCron;
}
}
return $result;
}
/**
*
* search PAC Rule
* @return array
*/
public function searchPACRuleAction()
{
$this->sessionClose();
return $this->searchBase('pac.rule', array("enabled", "description", "proxies", "matches"), "description");
}
/**
* retrieve PAC Rule or return defaults
* @param $uuid item unique id
* @return array
*/
public function getPACRuleAction($uuid = null)
{
$this->sessionClose();
return array("pac" => $this->getBase('rule', 'pac.rule', $uuid));
}
/**
* add new PAC Rule and set with attributes from post
* @return array
*/
public function addPACRuleAction()
{
$this->pac_set_helper();
return $this->addBase('rule', 'pac.rule');
}
/**
* update PAC Rule
* @param string $uuid
* @return array result status
* @throws \Phalcon\Filter\Validation\Exception
*/
public function setPACRuleAction($uuid)
{
$this->pac_set_helper();
return $this->setBase('rule', 'pac.rule', $uuid);
}
/**
* toggle PAC Rule by uuid (enable/disable)
* @param $uuid item unique id
* @return array status
*/
public function togglePACRuleAction($uuid)
{
return $this->toggleBase('pac.rule', $uuid);
}
/**
* delete PAC Rule by uuid
* @param $uuid item unique id
* @return array status
*/
public function delPACRuleAction($uuid)
{
return $this->delBase('pac.rule', $uuid);
}
/**
*
* search PAC Proxy
* @return array
*/
public function searchPACProxyAction()
{
$this->sessionClose();
return $this->searchBase('pac.proxy', array("enabled","proxy_type", "name", "url", "description"), "description");
}
/**
* retrieve PAC Proxy or return defaults
* @param $uuid item unique id
* @return array
*/
public function getPACProxyAction($uuid = null)
{
$this->sessionClose();
return array("pac" => $this->getBase('proxy', 'pac.proxy', $uuid));
}
/**
* add new PAC Proxy and set with attributes from post
* @return array
*/
public function addPACProxyAction()
{
$this->pac_set_helper();
return $this->addBase('proxy', 'pac.proxy');
}
/**
* update PAC Proxy
* @param string $uuid
* @return array result status
* @throws \Phalcon\Filter\Validation\Exception
*/
public function setPACProxyAction($uuid)
{
$this->pac_set_helper();
return $this->setBase('proxy', 'pac.proxy', $uuid);
}
/**
* delete PAC Proxy by uuid
* @param $uuid item unique id
* @return array status
*/
public function delPACProxyAction($uuid)
{
return $this->delBase('pac.proxy', $uuid);
}
/**
* search PAC Match
* @return array
*/
public function searchPACMatchAction()
{
$this->sessionClose();
return $this->searchBase('pac.match', array("enabled", "name", "description", "negate", "match_type"), "name");
}
/**
* retrieve PAC Match or return defaults
* @param $uuid item unique id
* @return array
*/
public function getPACMatchAction($uuid = null)
{
$this->sessionClose();
return array("pac" => $this->getBase('match', 'pac.match', $uuid));
}
/**
* add new PAC Proxy and set with attributes from post
* @return array
*/
public function addPACMatchAction()
{
$this->pac_set_helper();
return $this->addBase('match', 'pac.match');
}
/**
* update PAC Rule
* @param string $uuid
* @return array result status
* @throws \Phalcon\Filter\Validation\Exception
*/
public function setPACMatchAction($uuid)
{
$this->pac_set_helper();
return $this->setBase('match', 'pac.match', $uuid);
}
/**
* delete PAC Match by uuid
* @param $uuid item unique id
* @return array status
*/
public function delPACMatchAction($uuid)
{
return $this->delBase('pac.match', $uuid);
}
/**
* flatten post data structure
*/
private function pac_set_helper()
{
if ($this->request->isPost() && $this->request->hasPost("pac")) {
$pac_data = $this->request->getPost('pac');
if (is_array($pac_data)) {
foreach ($pac_data as $key => $value) {
$_POST[$key] = $value;
}
}
}
}
}


@ -1,102 +0,0 @@
<?php
/**
* Copyright (C) 2020 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Proxy\Api;
use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Core\Backend;
/**
* Class TemplateController
* @package OPNsense\Proxy
*/
class TemplateController extends ApiMutableModelControllerBase
{
protected static $internalModelName = 'proxy';
protected static $internalModelClass = '\OPNsense\Proxy\Proxy';
/**
* save template
* @return array status
* @throws \Phalcon\Filter\Validation\Exception on validation issues
* @throws \ReflectionException when binding to the model class fails
* @throws UserException when denied write access
*/
public function setAction()
{
if ($this->request->isPost() && $this->request->hasPost("content")) {
$this->sessionClose();
$mdl = $this->getModel();
$mdl->error_pages->template = $this->request->getPost("content", "striptags");
$result = $this->validate();
if (empty($result['validations'])) {
// save config if validated correctly
$this->save();
$result = array("result" => "saved");
} else {
$result["result"] = "failed";
}
return $result;
} else {
return array("result" => "failed");
}
}
/**
* reset error_pages template
*/
public function resetAction()
{
if ($this->request->isPost()) {
$mdl = $this->getModel();
$mdl->error_pages->template = null;
$this->save();
return array("result" => "saved");
}
return array("result" => "failed");
}
/**
* retrieve error pages template, overlay provided template zip file on top of OPNsense error pages
* using configd calls
*/
public function getAction()
{
$backend = new Backend();
$backend->configdRun("template reload OPNsense/Proxy");
$result = json_decode($backend->configdRun("proxy download_error_pages"), true);
if ($result != null) {
$this->response->setRawHeader("Content-Type: application/octet-stream");
$this->response->setRawHeader("Content-Disposition: attachment; filename=proxy_template.zip");
return base64_decode($result['payload']);
} else {
// return empty response on error
return "";
}
}
}


@ -1,52 +0,0 @@
<?php
/**
* Copyright (C) 2015 Deciso B.V.
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\Proxy;
/**
* Class IndexController
* @package OPNsense\Proxy
*/
class IndexController extends \OPNsense\Base\IndexController
{
/**
* proxy index page
* @throws \Exception
*/
public function indexAction()
{
$this->view->mainForm = $this->getForm("main");
$this->view->formDialogEditPACMatch = $this->getForm("dialogEditPACMatch");
$this->view->formDialogEditPACRule = $this->getForm("dialogEditPACRule");
$this->view->formDialogEditPACProxy = $this->getForm("dialogEditPACProxy");
$this->view->formDialogEditBlacklist = $this->getForm("dialogEditBlacklist");
$this->view->pick('OPNsense/Proxy/index');
}
}


@ -1,51 +0,0 @@
<form>
<field>
<id>blacklist.enabled</id>
<label>enabled</label>
<type>checkbox</type>
<help>Select if job is enabled or not</help>
</field>
<field>
<id>blacklist.filename</id>
<label>Filename</label>
<type>text</type>
<help>Enter a filename for storing the blacklist.</help>
</field>
<field>
<id>blacklist.url</id>
<label>URL</label>
<type>text</type>
<help>Enter an url to fetch the blacklist from.</help>
</field>
<field>
<id>blacklist.username</id>
<label>username (optional)</label>
<type>text</type>
<help>(optional) user credentials.</help>
</field>
<field>
<id>blacklist.password</id>
<label>password (optional)</label>
<type>password</type>
<help>(optional) user credentials.</help>
</field>
<field>
<id>blacklist.filter</id>
<label>categories (if available)</label>
<type>select_multiple</type>
<nbDropdownElements>300</nbDropdownElements>
<help><![CDATA[select categories to use, leave empty for all. Categories are visible after initial download.]]></help>
</field>
<field>
<id>blacklist.sslNoVerify</id>
<label>ssl ignore cert</label>
<type>checkbox</type>
<help>Ignore SSL certificate validation (for self-signed certificates)</help>
</field>
<field>
<id>blacklist.description</id>
<label>Description</label>
<type>text</type>
<help>Enter a description to explain what this blacklist is intended for.</help>
</field>
</form>


@ -1,92 +0,0 @@
<form>
<field>
<id>pac.match.name</id>
<label>Name</label>
<type>text</type>
<help>Select a name for this match.</help>
</field>
<field>
<id>pac.match.description</id>
<label>Description</label>
<type>text</type>
<help>Enter a description for this rule. The description should help you to identify this rule.</help>
</field>
<field>
<id>pac.match.negate</id>
<label>Negate</label>
<type>checkbox</type>
<help>Negate this match. For example you can match if a host is not inside a network.</help>
</field>
<field>
<id>pac.match.match_type</id>
<label>Match Type</label>
<type>dropdown</type>
<help>Select the type of the match. Depending on the match, you will need different arguments.</help>
</field>
<field>
<id>pac.match.network</id>
<label>Network</label>
<type>text</type>
<help>Enter the network address to match in CIDR notation for example like 127.0.0.1/8 or ::1/128</help>
</field>
<field>
<id>pac.match.hostname</id>
<label>Host Pattern</label>
<type>text</type>
<help>Enter a hostname pattern like *.opnsense.org.</help>
</field>
<field>
<id>pac.match.url</id>
<label>URL Pattern</label>
<type>text</type>
<help>Enter a URL pattern like forum.opnsense.org/index*.</help>
</field>
<field>
<id>pac.match.domain_level_from</id>
<label>Domain Level From</label>
<type>text</type>
<help>Enter the minimum amount of dots in the domain name.</help>
</field>
<field>
<id>pac.match.domain_level_to</id>
<label>Domain Level To</label>
<type>text</type>
<help>Enter the maximum amount of dots in the domain name.</help>
</field>
<field>
<id>pac.match.time_from</id>
<label>Beginning Hour</label>
<type>text</type>
<help>Enter start hour (minimum 0).</help>
</field>
<field>
<id>pac.match.time_to</id>
<label>Last Hour</label>
<type>text</type>
<help>Enter the end time (maximum 23, minimum 0 or start time).</help>
</field>
<field>
<id>pac.match.date_from</id>
<label>From Month</label>
<type>dropdown</type>
<help>Enter the first month.</help>
</field>
<field>
<id>pac.match.date_to</id>
<label>To Month</label>
<type>dropdown</type>
<help>Enter the last month (maximum December, minimum January or From Month).</help>
</field>
<field>
<id>pac.match.weekday_from</id>
<label>From Day</label>
<type>dropdown</type>
<help>Enter the first day of the week.</help>
</field>
<field>
<id>pac.match.weekday_to</id>
<label>To Day</label>
<type>dropdown</type>
<help>Enter the last day of the week.</help>
</field>
</form>


@ -1,26 +0,0 @@
<form>
<field>
<id>pac.proxy.name</id>
<label>Name</label>
<type>text</type>
<help>Enter a name for this match.</help>
</field>
<field>
<id>pac.proxy.description</id>
<label>Description</label>
<type>text</type>
<help>Enter a description for this proxy for your reference.</help>
</field>
<field>
<id>pac.proxy.proxy_type</id>
<label>Proxy Type</label>
<type>dropdown</type>
<help>Choose a proxy type. Usually you should use Direct for a direct connection or Proxy for a Proxy.</help>
</field>
<field>
<id>pac.proxy.url</id>
<label>URL</label>
<type>text</type>
<help>Enter a proxy URL in the form proxy.example.com:3128.</help>
</field>
</form>


@ -1,40 +0,0 @@
<form>
<field>
<id>pac.rule.enabled</id>
<label>Enabled</label>
<type>checkbox</type>
<help>Please select if this rule should be added to the PAC file.</help>
</field>
<field>
<id>pac.rule.description</id>
<label>Description</label>
<type>text</type>
<help>Enter a description for this rule. The description should help you to identify this rule.</help>
</field>
<field>
<id>pac.rule.matches</id>
<label>Matches</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Select some matches you want to use in this rule. This matches are joined using the selected separator.</help>
</field>
<field>
<id>pac.rule.join_type</id>
<label>Join Type</label>
<type>dropdown</type>
<help>Please select a separator to join the matches. Or means any mach can be true which can be used to configure the same proxy for multiple networks while And means all matches must be true which can be used to assign the proxy in a more detailed way.</help>
</field>
<field>
<id>pac.rule.match_type</id>
<label>Match Type</label>
<type>dropdown</type>
<help>Choose If in case any case you want to ensure a match to evaluate as is, else choose unless if you want the negated version. Unless is used if you want to use the proxy for every host but not for some special ones.</help>
</field>
<field>
<id>pac.rule.proxies</id>
<label>Proxies</label>
<type>select_multiple</type>
<style>tokenize</style>
<sortable>true</sortable>
</field>
</form>


@ -1,634 +0,0 @@
<form>
<tab id="proxy-general" description="General Proxy Settings">
<subtab id="proxy-general-settings" description="General Proxy Settings">
<field>
<id>proxy.general.enabled</id>
<label>Enable proxy</label>
<type>checkbox</type>
<help>Enable or disable the proxy service.</help>
</field>
<field>
<id>proxy.general.error_pages</id>
<label>User error pages</label>
<type>dropdown</type>
<help>
The proxy error pages can be altered, default layout uses OPNsense content, when Squid is selected
the content for the selected language will be used (standard squid layout), Custom offers the possibility
to upload your own theme content.
</help>
</field>
<field>
<id>proxy.general.icpPort</id>
<label>ICP port</label>
<type>text</type>
<help>The port number where Squid sends and receives ICP queries to and from neighbor caches. Leave blank to disable (default). The standard UDP port for ICP is 3130.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.logging.enable.accessLog</id>
<label>Enable access logging</label>
<type>checkbox</type>
<help>Enable access logging.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.logging.target</id>
<label>Access log target</label>
<type>dropdown</type>
<help>Send log data to the selected target. When syslog is selected, facility local 4 will be used to send messages of info level for these logs.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.logging.enable.storeLog</id>
<label>Enable store logging</label>
<type>checkbox</type>
<help>Enable store logging.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.logging.ignoreLogACL</id>
<label>Ignore hosts in access.log</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Type subnets/addresses you want to ignore for the access.log.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.alternateDNSservers</id>
<label>Use alternate DNS-servers</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Type IPs of alternative DNS servers you like to use.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.useViaHeader</id>
<label>Use Via header</label>
<type>checkbox</type>
<help>If set (default), Squid will include a Via header in requests and replies as required by RFC2616.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.forwardedForHandling</id>
<label>X-Forwarded-For header handling</label>
<type>dropdown</type>
<help>Select what to do with X-Forwarded-For header. If set to: "on", Squid will append your client's IP address in the HTTP requests it forwards. By default it looks like X-Forwarded-For: 192.1.2.3; If set to: "off", it will appear as X-Forwarded-For: unknown; "transparent", Squid will not alter the X-Forwarded-For header in any way; If set to: "delete", Squid will delete the entire X-Forwarded-For header; If set to: "truncate", Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.VisibleHostname</id>
<label>Visible Hostname</label>
<type>text</type>
<help>This is the hostname to be displayed in proxy server error messages.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.VisibleEmail</id>
<label>Administrator's Email</label>
<type>text</type>
<help>This is the email address displayed in error messages to the users.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.suppressVersion</id>
<label>Suppress version string</label>
<type>checkbox</type>
<help>Suppress Squid version string info in HTTP headers and HTML error pages.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.connecttimeout</id>
<label>Connection Timeout</label>
<type>text</type>
<help>This can help you when having connection issues with IPv6 enabled servers. Set a value in seconds</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.uriWhitespaceHandling</id>
<label>Whitespace handling of URI</label>
<type>dropdown</type>
<help>Select what to do with URI that contain whitespaces. The current Squid implementation of encode and chop violates RFC2616 by not using a 301 redirect after altering the URL.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.enablePinger</id>
<label>Enable pinger</label>
<type>checkbox</type>
<help>Toggles the Squid pinger service. This service is used in the selection of the best parent proxy.</help>
<advanced>true</advanced>
</field>
</subtab>
<subtab id="proxy-general-cache-local" description="Local Cache Settings">
<field>
<id>proxy.general.cache.local.cache_mem</id>
<label>Memory Cache size in Megabytes</label>
<type>text</type>
<help>Enter the cache memory size to use or zero to disable completely.</help>
</field>
<field>
<id>proxy.general.cache.local.enabled</id>
<label>Enable local cache</label>
<type>checkbox</type>
<help>Enable or disable the local cache. Only UFS directory cache type is supported. Do not enable on embedded systems with SD or CF cards as this will wear down your drive.</help>
</field>
<field>
<id>proxy.general.cache.local.size</id>
<label>Cache size in Megabytes</label>
<type>text</type>
<help>Enter the storage size for the local cache (default is 100).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.directory</id>
<label>Cache directory location</label>
<type>text</type>
<help>Enter the directory location for the local cache (default is /var/squid/cache).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.l1</id>
<label>Number of first-level subdirectories</label>
<type>text</type>
<help>Enter the number of first-level subdirectories for the local cache (default is 16).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.l2</id>
<label>Number of second-level subdirectories</label>
<type>text</type>
<help>Enter the number of second-level subdirectories for the local cache (default is 256).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.maximum_object_size</id>
<label>Maximum object size (MB)</label>
<type>text</type>
<help>Set the maximum object size (default 4MB when left empty).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.maximum_object_size_in_memory</id>
<label>Maximum object size in memory (KB)</label>
<type>text</type>
<help>Set the maximum object size in memory (default 512KB when left empty).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.memory_cache_mode</id>
<label>Memory cache mode</label>
<type>dropdown</type>
<help>
Controls which objects to keep in the memory cache (cache_mem)
always: Keep most recently fetched objects in memory (default)
disk: Only disk cache hits are kept in memory, which means an object must first be cached on disk and then hit a second time before cached in memory.
network: Only objects fetched from network is kept in memory
</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.general.cache.local.cache_linux_packages</id>
<label>Enable Linux Package Cache</label>
<type>checkbox</type>
<help>Enable or disable the caching of packages for linux distributions. This makes sense if you have multiple servers in your network and do not host your own package mirror. This will reduce internet traffic usage but increase disk access.</help>
</field>
<field>
<id>proxy.general.cache.local.cache_windows_updates</id>
<label>Enable Windows Update Cache</label>
<type>checkbox</type>
<help>Enable or disable the caching of Windows updates. This makes sense if you don't have a WSUS server. If you can setup a WSUS server, this solution should be preferred.</help>
</field>
</subtab>
<subtab id="proxy-general-traffic" description="Traffic Management Settings">
<field>
<id>proxy.general.traffic.enabled</id>
<label>Enable traffic management.</label>
<type>checkbox</type>
<help>Enable or disable traffic management.</help>
</field>
<field>
<id>proxy.general.traffic.maxDownloadSize</id>
<label>Maximum download size (kB)</label>
<type>text</type>
<help>Enter the maximum size for downloads in kilobytes (leave empty to disable).</help>
</field>
<field>
<id>proxy.general.traffic.maxUploadSize</id>
<label>Maximum upload size (kB)</label>
<type>text</type>
<help>Enter the maximum size for uploads in kilobytes (leave empty to disable).</help>
</field>
<field>
<id>proxy.general.traffic.OverallBandwidthTrotteling</id>
<label>Overall bandwidth throttling (kbps)</label>
<type>text</type>
<help>Enter the allowed overall bandwidth in kilobits per second (leave empty to disable).</help>
</field>
<field>
<id>proxy.general.traffic.perHostTrotteling</id>
<label>Per host bandwidth throttling (kbps)</label>
<type>text</type>
<help>Enter the allowed per host bandwidth in kilobits per second (leave empty to disable).</help>
</field>
</subtab>
<subtab id="proxy-general-parentproxy" description="Parent Proxy Settings">
<field>
<id>proxy.general.parentproxy.enabled</id>
<label>Enable Parent Proxy</label>
<type>checkbox</type>
<help>Enable parent proxy feature.</help>
</field>
<field>
<id>proxy.general.parentproxy.host</id>
<label>Host</label>
<type>text</type>
<help>Parent proxy IP address or hostname.</help>
</field>
<field>
<id>proxy.general.parentproxy.port</id>
<label>Port</label>
<type>text</type>
<help>Parent proxy port.</help>
</field>
<field>
<id>proxy.general.parentproxy.enableauth</id>
<label>Enable Authentication</label>
<type>checkbox</type>
<help>Enable authentication against the parent proxy.</help>
</field>
<field>
<id>proxy.general.parentproxy.user</id>
<label>Username</label>
<type>text</type>
<help>Set a username if parent proxy requires authentication.</help>
</field>
<field>
<id>proxy.general.parentproxy.password</id>
<label>Password</label>
<type>password</type>
<help>Set a password if parent proxy requires authentication.</help>
</field>
<field>
<id>proxy.general.parentproxy.localdomains</id>
<label>Local Domains</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>List of domains not to be sent via parent proxy.</help>
</field>
<field>
<id>proxy.general.parentproxy.localips</id>
<label>Local IPs</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>List of IP addresses not to be sent via parent proxy.</help>
</field>
</subtab>
</tab>
<tab id="proxy-forward" description="Forward Proxy">
<subtab id="proxy-forward-general" description="General Forward Settings">
<field>
<id>proxy.forward.interfaces</id>
<label>Proxy interfaces</label>
<type>select_multiple</type>
<help>Select interface(s) the proxy will bind to.</help>
</field>
<field>
<id>proxy.forward.port</id>
<label>Proxy port</label>
<type>text</type>
<help>The port the proxy service will listen to.</help>
</field>
<field>
<id>proxy.forward.transparentMode</id>
<label>Enable Transparent HTTP proxy</label>
<type>checkbox</type>
<help><![CDATA[Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server. You may leave the proxy interfaces empty, but remember to set a valid ACL in that case. <a href="/firewall_nat_edit.php?template=transparent_proxy"> Add a new firewall rule </a>]]></help>
</field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL inspection</label>
<type>checkbox</type>
<help><![CDATA[Enable SSL inspection mode, which allows to log HTTPS connections information, such as requested URL and/or make the proxy act as a man in the middle between the internet and your clients. Be aware of the security implications before enabling this option. If you plan to use transparent HTTPS mode, you need nat rules to reflect your traffic.<a href="/firewall_nat_edit.php?template=transparent_proxy&https=1">Add a new firewall rule </a>]]></help>
</field>
<field>
<id>proxy.forward.sslurlonly</id>
<label>Log SNI information only</label>
<type>checkbox</type>
<help>Do not decode and/or filter SSL content, only log requested domains and IP addresses. Some old servers may not provide SNI, so their addresses will not be indicated.</help>
</field>
<field>
<id>proxy.forward.sslbumpport</id>
<label>SSL Proxy port</label>
<type>text</type>
<help>The port the ssl proxy service will listen to.</help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
<type>dropdown</type>
<help><![CDATA[Select a Certificate Authority to use. To create a CA, go to <a href="/system_camanager.php">CA Manager</a>.]]></help>
</field>
<field>
<id>proxy.forward.sslnobumpsites</id>
<label>SSL no bump sites</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>Create a list of sites which may not be inspected, for example bank sites. Prefix the domain with a . to accept all subdomains (e.g. .google.com).</help>
</field>
<field>
<id>proxy.forward.ssl_crtd_storage_max_size</id>
<label>SSL cache size</label>
<type>text</type>
<help>Enter the maximum size (in MB) to use for SSL certificates.</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.sslcrtd_children</id>
<label>SSL cert workers</label>
<type>text</type>
<help>Enter the number of ssl certificate workers to use (sslcrtd_children).</help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label>
<type>checkbox</type>
<help>When enabled the subnets of the selected interfaces will be added to the allow access list.</help>
<advanced>true</advanced>
</field>
</subtab>
<subtab id="proxy-forward-ftp" description="FTP Proxy Settings">
<field>
<id>proxy.forward.ftpInterfaces</id>
<label>FTP proxy interfaces</label>
<type>select_multiple</type>
<help>Select interface(s) the ftp proxy will bind to.</help>
</field>
<field>
<id>proxy.forward.ftpPort</id>
<label>FTP proxy port</label>
<type>text</type>
<help>The port the proxy service will listen to.</help>
</field>
<field>
<id>proxy.forward.ftpTransparentMode</id>
<label>Enable Transparent mode</label>
<type>checkbox</type>
<help>Enable transparent ftp proxy mode to forward all requests for destination port 21 to the proxy server without any additional configuration.</help>
</field>
</subtab>
<subtab id="proxy-forward-acl" description="Access Control List">
<field>
<id>proxy.forward.acl.allowedSubnets</id>
<label>Allowed Subnets</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Type subnets you want to allow access to the proxy server.</help>
<allownew>true</allownew>
</field>
<field>
<id>proxy.forward.acl.unrestricted</id>
<label>Unrestricted IP addresses</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Type IP addresses you want to allow access to the proxy server.</help>
<allownew>true</allownew>
</field>
<field>
<id>proxy.forward.acl.bannedHosts</id>
<label>Banned host IP addresses</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Type IP addresses you want to deny access to the proxy server.</help>
<allownew>true</allownew>
</field>
<field>
<id>proxy.forward.acl.whiteList</id>
<label>Whitelist</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Whitelist destination domains. You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "^https?:\/\/([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "\*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
<allownew>true</allownew>
</field>
<field>
<id>proxy.forward.acl.blackList</id>
<label>Blacklist</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Blacklist destination domains. You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "^https?:\/\/([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
<allownew>true</allownew>
</field>
<field>
<id>proxy.forward.acl.browser</id>
<label>Block browser/user-agents</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Block user-agents. You may use a regular expression, use a comma or press Enter for new item. Examples: "^(.)+Macintosh(.)+Firefox/37\.0" matches on "Macintosh version of Firefox revision 37.0"; "^Mozilla" matches on "all Mozilla based browsers"</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.acl.mimeType</id>
<label>Block specific MIME type reply</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Block specific MIME type reply. You may use a regular expression, use a comma or press Enter for new item. Examples: "video/flv" matches on "Flash Video"; "application/x-javascript" matches on "javascripts"</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.acl.googleapps</id>
<label>Google GSuite restricted</label>
<type>text</type>
<advanced>true</advanced>
<help><![CDATA[Insert here the domain that will be allowed to use Google GSuite.
All accounts that are not in this domain will be blocked to use it.]]></help>
</field>
<field>
<id>proxy.forward.acl.youtube</id>
<label>YouTube Filter</label>
<type>dropdown</type>
<advanced>true</advanced>
<help><![CDATA[Select the Youtube filter level.]]></help>
</field>
<field>
<id>proxy.forward.acl.safePorts</id>
<label>Allowed destination TCP port</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Allowed destination TCP ports, you may use ranges (ex. 222-226) and add comments with colon (ex. 22:ssh).</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.acl.sslPorts</id>
<label>Allowed SSL ports</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Allowed destination SSL ports, you may use ranges (ex. 222-226) and add comments with colon (ex. 22:ssh).</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
</subtab>
<subtab id="proxy-icap" description="ICAP Settings">
<field>
<id>proxy.forward.icap.enable</id>
<label>Enable ICAP</label>
<type>checkbox</type>
<style>tokenize</style>
<help>If this checkbox is checked, you can use an ICAP server to filter or replace content.</help>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.RequestURL</id>
<label>Request Modify URL</label>
<type>text</type>
<style>tokenize</style>
<help>Enter the url where the REQMOD requests should be sent to.</help>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.ResponseURL</id>
<label>Response Modify URL</label>
<type>text</type>
<style>tokenize</style>
<help>Enter the url where the RESPMOD requests should be sent to.</help>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.OptionsTTL</id>
<label>Default Options TTL</label>
<type>text</type>
<style>tokenize</style>
<help>Default ttl</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.SendClientIP</id>
<label>Send Client IP</label>
<type>checkbox</type>
<style>tokenize</style>
<help>If you enable this option, the client IP address will be sent to the ICAP server. This can be useful if you want to filter traffic based on IP addresses.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.SendUsername</id>
<label>Send Username</label>
<type>checkbox</type>
<style>tokenize</style>
<help>If you enable this option, the username of the client will be sent to the ICAP server. This can be useful if you want to filter traffic based on usernames. Authentication is required to use usernames.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.EncodeUsername</id>
<label>Encode Username</label>
<type>checkbox</type>
<style>tokenize</style>
<help>Use this option if your usernames need to be encoded.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.UsernameHeader</id>
<label>Username Header</label>
<type>text</type>
<style>tokenize</style>
<help>The header which should be used to send the username to the ICAP server.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.EnablePreview</id>
<label>Enable Preview</label>
<type>checkbox</type>
<style>tokenize</style>
<help>If you use previews, only a part of the data is sent to the ICAP server. Setting this option can improve the performance.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.PreviewSize</id>
<label>Preview Size</label>
<type>text</type>
<style>tokenize</style>
<help>Enter the size of the preview which is sent to the ICAP server.</help>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.exclude</id>
<label>Exclusion List</label>
<type>select_multiple</type>
<style>tokenize</style>
<help>Exclusion list destination domains.You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "https://([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "\*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
<allownew>true</allownew>
</field>
</subtab>
<subtab id="proxy-general-authentication" description="Authentication Settings">
<field>
<id>proxy.forward.authentication.method</id>
<label>Authentication method</label>
<type>select_multiple</type>
<help>Select Authentication method</help>
</field>
<field>
<id>proxy.forward.authentication.authEnforceGroup</id>
<label>Enforce local group</label>
<type>select_multiple</type>
<help><![CDATA[Restrict access to users in the selected (local)group. <br/>
<b>NOTE:</b> please be aware that users (or vouchers) which aren't administered locally will be denied when using this option.]]>
</help>
</field>
<field>
<id>proxy.forward.authentication.realm</id>
<label>Authentication Prompt</label>
<type>text</type>
<help>The prompt will be displayed in the authentication request window.</help>
</field>
<field>
<id>proxy.forward.authentication.credentialsttl</id>
<label>Authentication TTL (hours)</label>
<type>text</type>
<help>This specifies for how long (in hours) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</help>
</field>
<field>
<id>proxy.forward.authentication.children</id>
<label>Authentication processes</label>
<type>text</type>
<help>The total number of authenticator processes to spawn.</help>
</field>
</subtab>
<subtab id="proxy-forward-snmp" description="SNMP Agent Settings">
<field>
<id>proxy.forward.snmp_enable</id>
<label>Enable SNMP Agent</label>
<type>checkbox</type>
<help>Enable or disable the squid SNMP Agent.</help>
</field>
<field>
<id>proxy.forward.snmp_port</id>
<label>SNMP port</label>
<type>text</type>
<help>The port number where Squid listens for SNMP requests. To enable SNMP support set this to a suitable port number. Port number 3401 is often used for the Squid SNMP agent.</help>
</field>
<field>
<id>proxy.forward.snmp_password</id>
<label>SNMP password</label>
<type>text</type>
<help>The password for access to SNMP agent</help>
</field>
</subtab>
</tab>
<activetab>proxy-general-settings</activetab>
</form>


@ -1,105 +0,0 @@
<?php
/*
* Copyright (C) 2019 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Auth\Services;
use OPNsense\Core\ACL;
use OPNsense\Core\Config;
use OPNsense\Auth\IService;
/**
* Proxy service
* @package OPNsense\Auth
*/
class Squid implements IService
{
/**
* @var string username for the current request
*/
private $username;
/**
* {@inheritdoc}
*/
public static function aliases()
{
return [];
}
/**
* {@inheritdoc}
*/
public function supportedAuthenticators()
{
$result = array();
$configObj = Config::getInstance()->object();
if (!empty((string)$configObj->OPNsense->proxy->forward->authentication->method)) {
$result = explode(',', (string)$configObj->OPNsense->proxy->forward->authentication->method);
} else {
$result[] = 'Local Database';
}
return $result;
}
/**
* {@inheritdoc}
*/
public function setUserName($username)
{
$this->username = $username;
}
/**
* {@inheritdoc}
*/
public function getUserName()
{
return $this->username;
}
/**
* {@inheritdoc}
*/
public function checkConstraints()
{
$configObj = Config::getInstance()->object();
if (!empty((string)$configObj->OPNsense->proxy->forward->authentication->authEnforceGroup)) {
$groups = explode(',', (string)$configObj->OPNsense->proxy->forward->authentication->authEnforceGroup);
$acl = new ACL();
foreach ($groups as $local_group) {
if ($acl->inGroup($this->getUserName(), $local_group, false)) {
return true;
}
}
return false;
} else {
return true;
}
}
}


@ -1,11 +0,0 @@
<acl>
<page-services-proxy>
<name>Services: Proxy</name>
<patterns>
<pattern>ui/proxy/*</pattern>
<pattern>api/proxy/*</pattern>
<pattern>ui/diagnostics/log/squid/*</pattern>
<pattern>api/diagnostics/log/squid/*</pattern>
</patterns>
</page-services-proxy>
</acl>


@ -1,23 +0,0 @@
<menu>
<Services>
<SquidWebProxy VisibleName="Squid Web Proxy" cssClass="fa fa-bolt fa-fw">
<Administration url="/ui/proxy">
<ACL VisibleName="ACL" url="/ui/proxy#subtab_proxy-forward-acl"/>
<Authentication VisibleName="Auth" url="/ui/proxy#subtab_proxy-general-authentication"/>
<FTP VisibleName="FTP" url="/ui/proxy#subtab_proxy-forward-ftp"/>
<Forward VisibleName="Forward" url="/ui/proxy#subtab_proxy-forward-general"/>
<GeneralSettings VisibleName="General" url="/ui/proxy#subtab_proxy-general-settings"/>
<ICAP VisibleName="ICAP" url="/ui/proxy#subtab_proxy-icap"/>
<LocalCache VisibleName="Cache" url="/ui/proxy#subtab_proxy-general-cache-local"/>
<PACMatches VisibleName="PAC Matches" url="/ui/proxy#subtab_pac_matches"/>
<PACProxies VisibleName="PAC Proxies" url="/ui/proxy#subtab_pac_proxies"/>
<PACRules VisibleName="PAC Rules" url="/ui/proxy#subtab_pac_rules"/>
<RemoteACL VisibleName="Remote ACL" url="/ui/proxy#remote_acls"/>
<TrafficManagement VisibleName="Traffic Mgmt" url="/ui/proxy#subtab_proxy-general-traffic"/>
</Administration>
<Cache order="20" VisibleName="Cache Log" url="/ui/diagnostics/log/squid/cache"/>
<Access order="30" VisibleName="Access Log" url="/ui/diagnostics/log/squid/access"/>
<Store order="40" VisibleName="Store Log" url="/ui/diagnostics/log/squid/store"/>
</SquidWebProxy>
</Services>
</menu>


@ -1,37 +0,0 @@
<?php
/**
* Copyright (C) 2016 Deciso B.V.
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\Proxy\Migrations;
use OPNsense\Base\BaseModelMigration;
class M1_0_0 extends BaseModelMigration
{
}


@ -1,90 +0,0 @@
<?php
/*
* Copyright (C) 2015 Deciso B.V.
* Copyright (C) 2017 Fabian Franz
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Proxy;
use OPNsense\Base\BaseModel;
/**
* Class Proxy
* @package OPNsense\Proxy
*/
class Proxy extends BaseModel
{
public function performValidation($validateFullModel = false)
{
// perform standard validations
$result = parent::performValidation($validateFullModel);
// add validation for PAC match
foreach ($this->getFlatNodes() as $key => $node) {
if ($validateFullModel || $node->isFieldChanged()) {
// if match_type has changed we need to make some fields required
if ($node->getInternalXMLTagName() == "match_type") {
$match = $node->getParentNode();
$match_type = (string)$match->match_type;
switch ($match_type) {
case 'url_matches':
if (strlen((string)$match->url) == 0) {
$result->appendMessage(new \Phalcon\Messages\Message(
gettext('URL must be set.'),
'pac.match.url'
));
}
break;
case 'hostname_matches':
case 'dns_domain_is':
case 'is_resolvable':
if (strlen((string)$match->hostname) == 0) {
$result->appendMessage(new \Phalcon\Messages\Message(
gettext('Hostname must be set.'),
'pac.match.hostname'
));
}
break;
case 'destination_in_net':
case 'my_ip_in_net':
if (strlen((string)$match->network) == 0) {
$result->appendMessage(new \Phalcon\Messages\Message(
gettext('Network must be set.'),
'pac.match.network'
));
}
case 'plain_hostname':
case 'dns_domain_levels':
case 'weekday_range':
case 'date_range':
case 'time_range':
break; // no special validation
}
}
}
}
return $result;
}
}


@ -1,686 +0,0 @@
<model>
<mount>//OPNsense/proxy</mount>
<version>1.0.6</version>
<description>Squid web proxy settings</description>
<items>
<general>
<enabled type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enabled>
<error_pages type="OptionField">
<BlankDesc>Squid</BlankDesc>
<OptionValues>
<opnsense>OPNsense</opnsense>
<custom>Custom</custom>
</OptionValues>
</error_pages>
<icpPort type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>ICP port needs to be an integer value between 1 and 65535</ValidationMessage>
</icpPort>
<logging>
<enable>
<accessLog type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</accessLog>
<storeLog type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</storeLog>
</enable>
<ignoreLogACL type="CSVListField">
<Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
</ignoreLogACL>
<target type="OptionField">
<BlankDesc>File</BlankDesc>
<OptionValues>
<file_extendend>File (Extended)</file_extendend>
<file_json>File (Json)</file_json>
<syslog>Syslog</syslog>
<syslog_json>Syslog (Json)</syslog_json>
</OptionValues>
</target>
</logging>
<alternateDNSservers type="CSVListField">
<Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
</alternateDNSservers>
<forwardedForHandling type="OptionField">
<BlankDesc>Default</BlankDesc>
<OptionValues>
<on>Append client's IP (on)</on>
<off>Set forward header to unknown (off)</off>
<transparent>Do not alter forward header (transparent)</transparent>
<delete>Remove forward header (delete)</delete>
<truncate>Replace all with client's IP (truncate)</truncate>
</OptionValues>
</forwardedForHandling>
<uriWhitespaceHandling type="OptionField">
<BlankDesc>Default</BlankDesc>
<OptionValues>
<strip>Strip whitespaces</strip>
<deny>Deny request</deny>
<allow>Allow whitespaces</allow>
<encode>Encode whitespaces (RFC1738)</encode>
<chop>Chop URI at first whitespace</chop>
</OptionValues>
</uriWhitespaceHandling>
<enablePinger type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</enablePinger>
<useViaHeader type="BooleanField"/>
<suppressVersion type="BooleanField"/>
<connecttimeout type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>120</MaximumValue>
</connecttimeout>
<VisibleEmail type="EmailField">
<ValidationMessage>Please enter a valid email address.</ValidationMessage>
</VisibleEmail>
<VisibleHostname type="TextField">
<Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
<ValidationMessage>Please enter a valid servername, ip address or leave this option blank.</ValidationMessage>
</VisibleHostname>
<cache>
<local>
<enabled type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enabled>
<directory type="TextField">
<Default>/var/squid/cache</Default>
<Required>Y</Required>
</directory>
<cache_mem type="IntegerField">
<Default>256</Default>
<MinimumValue>0</MinimumValue>
<ValidationMessage>Specify a positive memory cache size. (number of MB's)</ValidationMessage>
<Required>Y</Required>
</cache_mem>
<maximum_object_size type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>99999</MaximumValue>
<ValidationMessage>Specify a maximum object size. (number of MB's)</ValidationMessage>
</maximum_object_size>
<maximum_object_size_in_memory type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>99999</MaximumValue>
<ValidationMessage>Specify a maximum object size in memory. (number of KB's)</ValidationMessage>
</maximum_object_size_in_memory>
<memory_cache_mode type="OptionField">
<BlankDesc>Default</BlankDesc>
<OptionValues>
<always>Keep all most recent files (always)</always>
<disk>Keep most recent HIT files(disk)</disk>
<network>Keep only files fetched from network (network)</network>
</OptionValues>
</memory_cache_mode>
<size type="IntegerField">
<Default>100</Default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify a positive cache size. (number of MB's)</ValidationMessage>
<Required>Y</Required>
</size>
<l1 type="IntegerField">
<Default>16</Default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify a positive number of first-level subdirectories.</ValidationMessage>
<Required>Y</Required>
</l1>
<l2 type="IntegerField">
<Default>256</Default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify a positive number of second-level subdirectories.</ValidationMessage>
<Required>Y</Required>
</l2>
<cache_linux_packages type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</cache_linux_packages>
<cache_windows_updates type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</cache_windows_updates>
</local>
</cache>
<traffic>
<enabled type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enabled>
<maxDownloadSize type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify the maximum download size (kB).</ValidationMessage>
</maxDownloadSize>
<maxUploadSize type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify the maximum upload size (kB).</ValidationMessage>
</maxUploadSize>
<OverallBandwidthTrotteling type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify the overall bandwidth for downloads in kilobits per second.</ValidationMessage>
<Constraints>
<check001>
<ValidationMessage>Both throttling parameters should either be filled or empty</ValidationMessage>
<type>AllOrNoneConstraint</type>
<addFields>
<field1>perHostTrotteling</field1>
</addFields>
</check001>
</Constraints>
</OverallBandwidthTrotteling>
<perHostTrotteling type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Specify the per host bandwidth for downloads in kilobits per second.</ValidationMessage>
<Constraints>
<check001>
<reference>OverallBandwidthTrotteling.check001</reference>
</check001>
</Constraints>
</perHostTrotteling>
</traffic>
<parentproxy>
<enabled type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enabled>
<host type="HostnameField">
<Constraints>
<check001>
<ValidationMessage>A host must be set.</ValidationMessage>
<type>DependConstraint</type>
<addFields>
<field1>enabled</field1>
</addFields>
</check001>
</Constraints>
</host>
<enableauth type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enableauth>
<user type="TextField">
<Default>username</Default>
<Required>Y</Required>
<Mask>/^([0-9a-zA-Z\._\-%@]){1,128}$/u</Mask>
<ValidationMessage>Username can be up to 128 signs long. Alphanumeric characters and also dot, dash, percent sign (for URL escapes), at sign and underscore allowed.</ValidationMessage>
</user>
<password type="TextField">
<Default>password</Default>
<Required>Y</Required>
<Mask>/^([0-9a-zA-Z\._\-%]){1,128}$/u</Mask>
<ValidationMessage>Password can be up to 128 signs long. Alphanumeric characters and also dot, dash, percent sign (for URL escapes) and underscore allowed.</ValidationMessage>
</password>
<port type="PortField">
<Constraints>
<check001>
<ValidationMessage>A port must be set.</ValidationMessage>
<type>DependConstraint</type>
<addFields>
<field1>enabled</field1>
</addFields>
</check001>
</Constraints>
</port>
<localdomains type="CSVListField"/>
<localips type="CSVListField"/>
</parentproxy>
</general>
<forward>
<interfaces type="InterfaceField">
<Multiple>Y</Multiple>
<AllowDynamic>S</AllowDynamic>
<filters>
<enable>/^(?!0).*$/</enable>
<ipaddr>/^((?!dhcp).)*$/</ipaddr>
</filters>
</interfaces>
<port type="IntegerField">
<Default>3128</Default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</port>
<sslbumpport type="IntegerField">
<Default>3129</Default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</sslbumpport>
<sslbump type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
<Constraints>
<check001>
<ValidationMessage>When enabling "Log SNI information only", SSL inspection must also be enabled</ValidationMessage>
<type>DependConstraint</type>
<addFields>
<field1>sslurlonly</field1>
</addFields>
</check001>
</Constraints>
</sslbump>
<sslurlonly type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
<Constraints>
<check001>
<reference>sslbump.check001</reference>
</check001>
</Constraints>
</sslurlonly>
<sslcertificate type="CertificateField">
<Type>ca</Type>
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
</sslcertificate>
<sslnobumpsites type="CSVListField">
<Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites>
<ssl_crtd_storage_max_size type="IntegerField">
<Required>Y</Required>
<Default>4</Default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>max size needs to be an integer value between 1 and 65535</ValidationMessage>
</ssl_crtd_storage_max_size>
<sslcrtd_children type="IntegerField">
<Required>Y</Required>
<Default>5</Default>
<MinimumValue>1</MinimumValue>
<MaximumValue>32</MaximumValue>
<ValidationMessage>the number of sslrtd children needs to be an integer value between 1 and 32</ValidationMessage>
</sslcrtd_children>
<snmp_enable type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</snmp_enable>
<snmp_port type="IntegerField">
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>SNMP port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
<Default>3401</Default>
</snmp_port>
<snmp_password type="TextField">
<Default>public</Default>
<Required>Y</Required>
</snmp_password>
<ftpInterfaces type="InterfaceField">
<Multiple>Y</Multiple>
<filters>
<enable>/^(?!0).*$/</enable>
<ipaddr>/^((?!dhcp).)*$/</ipaddr>
</filters>
</ftpInterfaces>
<ftpPort type="IntegerField">
<Default>2121</Default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>FTP Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</ftpPort>
<ftpTransparentMode type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</ftpTransparentMode>
<addACLforInterfaceSubnets type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</addACLforInterfaceSubnets>
<transparentMode type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</transparentMode>
<acl>
<allowedSubnets type="CSVListField">
<Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
</allowedSubnets>
<unrestricted type="CSVListField">
<Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
</unrestricted>
<bannedHosts type="CSVListField">
<Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
</bannedHosts>
<whiteList type="CSVListField"/>
<blackList type="CSVListField"/>
<browser type="CSVListField"/>
<mimeType type="CSVListField"/>
<googleapps type="HostnameField">
<Mask>/^([a-zA-Z0-9]){0,}\.([a-zA-Z0-9].){0,}/</Mask>
<ValidationMessage>Please enter a valid domain name here</ValidationMessage>
</googleapps>
<youtube type="OptionField">
<OptionValues>
<strict>Strict</strict>
<moderate>Moderate</moderate>
</OptionValues>
</youtube>
<safePorts type="CSVListField">
<Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
</safePorts>
<sslPorts type="CSVListField">
<Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
</sslPorts>
<remoteACLs>
<blacklists>
<blacklist type="ArrayField">
<enabled type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</enabled>
<filename type="TextField">
<Required>Y</Required>
<Mask>/^[a-zA-Z0-9]{1,245}\.?[a-zA-z0-9]{1,10}$/</Mask>
<ValidationMessage>The filename may only contain letters, digits and one dot (not required).</ValidationMessage>
<Constraints>
<check001>
<ValidationMessage>Filename should be unique</ValidationMessage>
<type>UniqueConstraint</type>
</check001>
</Constraints>
</filename>
<url type="UrlField">
<Required>Y</Required>
</url>
<username type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</username>
<password type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</password>
<filter type="JsonKeyValueStoreField">
<SourceField>filename</SourceField>
<SourceFile>/usr/local/etc/squid/acl/%s.index</SourceFile>
<SelectAll>Y</SelectAll>
<Multiple>Y</Multiple>
</filter>
<sslNoVerify type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</sslNoVerify>
<description type="TextField">
<Required>Y</Required>
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</description>
</blacklist>
</blacklists>
<UpdateCron type="ModelRelationField">
<Model>
<queues>
<source>OPNsense.Cron.Cron</source>
<items>jobs.job</items>
<display>description</display>
<filters>
<origin>/Proxy/</origin>
</filters>
</queues>
</Model>
<ValidationMessage>Related cron not found</ValidationMessage>
</UpdateCron>
</remoteACLs>
</acl>
<icap>
<enable type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enable>
<RequestURL type="TextField"/>
<ResponseURL type="TextField"/>
<SendClientIP type="BooleanField">
<Required>Y</Required>
<Default>1</Default>
</SendClientIP>
<SendUsername type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</SendUsername>
<EncodeUsername type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</EncodeUsername>
<UsernameHeader type="TextField">
<Required>Y</Required>
<Default>X-Username</Default>
<Mask>/^([a-zA-Z-]+)$/</Mask>
</UsernameHeader>
<EnablePreview type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</EnablePreview>
<PreviewSize type="IntegerField">
<Default>1024</Default>
<Required>Y</Required>
</PreviewSize>
<OptionsTTL type="IntegerField">
<Default>60</Default>
<Required>Y</Required>
</OptionsTTL>
<exclude type="CSVListField"/>
</icap>
<authentication>
<method type="AuthenticationServerField">
<Multiple>Y</Multiple>
</method>
<authEnforceGroup type="AuthGroupField">
<Multiple>Y</Multiple>
</authEnforceGroup>
<realm type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){0,255}$/u</Mask>
</realm>
<credentialsttl type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Credentials TTL needs to be an integer value above 0</ValidationMessage>
</credentialsttl>
<children type="IntegerField">
<MinimumValue>1</MinimumValue>
<ValidationMessage>Number of children needs to be an integer value above 0</ValidationMessage>
</children>
</authentication>
</forward>
<pac>
<proxy type="ArrayField">
<name type="TextField">
<Required>Y</Required>
<ValidationMessage>The proxy name must be set.</ValidationMessage>
<Constraints>
<check001>
<ValidationMessage>Proxy name should be unique</ValidationMessage>
<type>UniqueConstraint</type>
</check001>
</Constraints>
</name>
<proxy_type type="OptionField">
<Required>Y</Required>
<OptionValues>
<PROXY>Proxy</PROXY>
<DIRECT>Direct Connection (no Proxy)</DIRECT>
<HTTP>HTTP Proxy</HTTP>
<HTTPS>HTTPS Proxy</HTTPS>
<SOCKS>SOCKS</SOCKS>
<SOCKS4>SOCKS Version 4</SOCKS4>
<SOCKS5>SOCKS Version 5</SOCKS5>
</OptionValues>
</proxy_type>
<url type="TextField">
<ValidationMessage>This does not look like a valid proxy or direct connection.</ValidationMessage>
</url>
<description type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</description>
</proxy>
<match type="ArrayField">
<name type="TextField">
<Required>Y</Required>
<ValidationMessage>The match name must be set.</ValidationMessage>
<Constraints>
<check001>
<ValidationMessage>Match name should be unique</ValidationMessage>
<type>UniqueConstraint</type>
</check001>
</Constraints>
</name>
<description type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</description>
<negate type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</negate>
<match_type type="OptionField">
<Required>Y</Required>
<OptionValues>
<url_matches>URL Matches</url_matches>
<hostname_matches>Hostname Matches</hostname_matches>
<dns_domain_is>DNS Domain Is</dns_domain_is>
<destination_in_net>IP Is In Network</destination_in_net>
<my_ip_in_net>My IP Is In Network</my_ip_in_net>
<plain_hostname>Plain Hostname (No Dots Inside)</plain_hostname>
<is_resolvable>Is Resolvable</is_resolvable>
<dns_domain_levels>DNS Domain Levels (Count Of Dots)</dns_domain_levels>
<weekday_range>Weekday Range</weekday_range>
<date_range>Date Range</date_range>
<time_range>Time Range</time_range>
</OptionValues>
</match_type>
<hostname type="TextField"/>
<url type="TextField">
<Mask>/^[^"]*$/</Mask>
</url>
<network type="NetworkField"/>
<domain_level_from type="IntegerField">
<MinimumValue>0</MinimumValue>
<ValidationMessage>Minimum domain level must be bigger than 0.</ValidationMessage>
</domain_level_from>
<domain_level_to type="IntegerField">
<MinimumValue>0</MinimumValue>
<ValidationMessage>A hostname cannot have a negative count of levels.</ValidationMessage>
</domain_level_to>
<time_from type="IntegerField">
<MinimumValue>0</MinimumValue>
<ValidationMessage>The first hour of the day is 0.</ValidationMessage>
</time_from>
<time_to type="IntegerField">
<MinimumValue>0</MinimumValue>
<MaximumValue>23</MaximumValue>
<ValidationMessage>The last hour of the day is 23!</ValidationMessage>
</time_to>
<date_from type="OptionField">
<Required>Y</Required>
<OptionValues>
<JAN>January</JAN>
<FEB>February</FEB>
<MAR>March</MAR>
<APR>April</APR>
<MAY>May</MAY>
<JUN>June</JUN>
<JUL>July</JUL>
<AUG>August</AUG>
<SEP>September</SEP>
<OCT>October</OCT>
<NOV>November</NOV>
<DEC>December</DEC>
</OptionValues>
</date_from>
<date_to type="OptionField">
<Required>Y</Required>
<OptionValues>
<JAN>January</JAN>
<FEB>February</FEB>
<MAR>March</MAR>
<APR>April</APR>
<MAY>May</MAY>
<JUN>June</JUN>
<JUL>July</JUL>
<AUG>August</AUG>
<SEP>September</SEP>
<OCT>October</OCT>
<NOV>November</NOV>
<DEC>December</DEC>
</OptionValues>
</date_to>
<weekday_from type="OptionField">
<Required>Y</Required>
<OptionValues>
<MON>Monday</MON>
<TUE>Tuesday</TUE>
<WED>Wednesday</WED>
<THU>Thursday</THU>
<FRI>Friday</FRI>
<SAT>Saturday</SAT>
<SUN>Sunday</SUN>
</OptionValues>
</weekday_from>
<weekday_to type="OptionField">
<Required>Y</Required>
<OptionValues>
<MON>Monday</MON>
<TUE>Tuesday</TUE>
<WED>Wednesday</WED>
<THU>Thursday</THU>
<FRI>Friday</FRI>
<SAT>Saturday</SAT>
<SUN>Sunday</SUN>
</OptionValues>
</weekday_to>
</match>
<rule type="ArrayField">
<enabled type="BooleanField">
<Default>1</Default>
<Required>Y</Required>
</enabled>
<description type="TextField">
<Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
</description>
<matches type="ModelRelationField">
<Model>
<queues>
<source>OPNsense.Proxy.Proxy</source>
<items>pac.match</items>
<display>name</display>
</queues>
</Model>
<Required>Y</Required>
<Multiple>Y</Multiple>
</matches>
<join_type type="OptionField">
<Required>Y</Required>
<OptionValues>
<and>And</and>
<or>Or</or>
</OptionValues>
</join_type>
<match_type type="OptionField">
<Required>Y</Required>
<OptionValues>
<if>If</if>
<unless>Unless</unless>
</OptionValues>
</match_type>
<proxies type="ModelRelationField">
<Sorted>Y</Sorted>
<Model>
<queues>
<source>OPNsense.Proxy.Proxy</source>
<items>pac.proxy</items>
<display>name</display>
</queues>
</Model>
<Required>Y</Required>
<Multiple>Y</Multiple>
</proxies>
</rule>
</pac>
<error_pages>
<template type="TextField">
<Mask>/[0-9a-zA-Z\+\=\/]{20,}/u</Mask>
<ValidationMessage>File content should be in (base64 encoded) zip format</ValidationMessage>
</template>
</error_pages>
</items>
</model>

View File

@ -1,602 +0,0 @@
{#
# Copyright (c) 2014-2015 Deciso B.V.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#}
<script>
$( document ).ready(function() {
var data_get_map = {'frm_proxy':"/api/proxy/settings/get"};
// show/hide error pages tab when applicable
$("#proxy\\.general\\.error_pages").change(function(e){
if ($(this).val() == 'custom') {
$("#subtab_error_pages").show();
} else {
$("#subtab_error_pages").hide();
}
});
// load initial data
mapDataToFormUI(data_get_map).done(function(){
formatTokenizersUI();
$('.selectpicker').selectpicker('refresh');
// request service status on load and update status box
updateServiceControlUI('proxy');
});
/*************************************************************************************************************
* link grid actions
*************************************************************************************************************/
$("#grid-remote-blacklists").UIBootgrid(
{ 'search':'/api/proxy/settings/searchRemoteBlacklists',
'get':'/api/proxy/settings/getRemoteBlacklist/',
'set':'/api/proxy/settings/setRemoteBlacklist/',
'add':'/api/proxy/settings/addRemoteBlacklist/',
'del':'/api/proxy/settings/delRemoteBlacklist/',
'toggle':'/api/proxy/settings/toggleRemoteBlacklist/'
}
);
$("#grid-pac-match").UIBootgrid(
{ 'search':'/api/proxy/settings/searchPACMatch',
'get':'/api/proxy/settings/getPACMatch/',
'set':'/api/proxy/settings/setPACMatch/',
'add':'/api/proxy/settings/addPACMatch/',
'del':'/api/proxy/settings/delPACMatch/',
'options': {
responseHandler: function (response) {
// concatenate fields for not.
if ('rows' in response) {
for (var i = 0; i < response.rowCount; i++) {
response.rows[i]['display_match_type'] = {'not':response.rows[i].negate == '1',
'val':response.rows[i].match_type}
}
}
return response;
}
}
}
);
$("#grid-pac-rule").UIBootgrid(
{ 'search':'/api/proxy/settings/searchPACRule',
'get':'/api/proxy/settings/getPACRule/',
'set':'/api/proxy/settings/setPACRule/',
'add':'/api/proxy/settings/addPACRule/',
'del':'/api/proxy/settings/delPACRule/',
'toggle':'/api/proxy/settings/togglePACRule/'
}
);
$("#grid-pac-proxy").UIBootgrid(
{ 'search':'/api/proxy/settings/searchPACProxy',
'get':'/api/proxy/settings/getPACProxy/',
'set':'/api/proxy/settings/setPACProxy/',
'add':'/api/proxy/settings/addPACProxy/',
'del':'/api/proxy/settings/delPACProxy/'
}
);
function update_pac_match_view(event) {
function show_line(the_id) {
$('tr[for=' + the_id + ']').show();
}
let value = $("#pac\\.match\\.match_type").val();
if (!value) {
// retry later
setTimeout(update_pac_match_view, 100);
return;
}
// hide tr of the element if not needed
["pac\\.match\\.network",
"pac\\.match\\.hostname",
"pac\\.match\\.url",
"pac\\.match\\.domain_level_from",
"pac\\.match\\.domain_level_to",
"pac\\.match\\.time_from",
"pac\\.match\\.time_to",
"pac\\.match\\.date_from",
"pac\\.match\\.date_to",
"pac\\.match\\.weekday_from",
"pac\\.match\\.weekday_to"].forEach (function (the_id) {
$('tr[for=' + the_id + ']').hide();
});
switch (value) {
case 'hostname_matches':
show_line("pac\\.match\\.hostname");
break;
case "url_matches":
show_line("pac\\.match\\.url");
break;
case "dns_domain_is":
show_line("pac\\.match\\.hostname");
break;
case "destination_in_net":
case "my_ip_in_net":
show_line("pac\\.match\\.network");
break;
case "plain_hostname":
break; // has no option
case "is_resolvable":
show_line("pac\\.match\\.hostname");
break;
case "dns_domain_levels":
show_line("pac\\.match\\.domain_level_from");
show_line("pac\\.match\\.domain_level_to");
break;
case "weekday_range":
show_line("pac\\.match\\.weekday_from");
show_line("pac\\.match\\.weekday_to");
break;
case "date_range":
show_line("pac\\.match\\.date_from");
show_line("pac\\.match\\.date_to");
break;
case "time_range":
show_line("pac\\.match\\.time_from");
show_line("pac\\.match\\.time_to");
break;
}
}
// when a modal is created, update the
$("#DialogEditPACMatch").on("opnsense_bootgrid_mapped", update_pac_match_view);
$("#pac\\.match\\.match_type").change(update_pac_match_view);
$('.reload-pac-btn').click(function () {
$('.reload-pac-btn .fa-refresh').addClass('fa-spin');
ajaxCall("/api/proxy/service/refreshTemplate", {}, function(data,status) {
$('.reload-pac-btn .fa-refresh').removeClass('fa-spin');
});
});
/**
* Reconfigure proxy - activate changes
*/
$("#reconfigureAct").SimpleActionButton();
/**
* Download ACLs and reconfigure poxy - activate changes
*/
$("#fetchandreconfigureAct").SimpleActionButton();
/**
*
* Download ACLs, no reconfigure
*/
$("#downloadAct").SimpleActionButton();
/**
* setup cron item
*/
$("#ScheduleAct").click(function() {
$("#scheduleAct_progress").addClass("fa fa-spinner fa-pulse");
ajaxCall("/api/proxy/settings/fetchRBCron", {}, function(data,status) {
$("#scheduleAct_progress").removeClass("fa fa-spinner fa-pulse");
if (data.uuid !=undefined) {
// redirect to cron page
$(location).attr('href',"/ui/cron/item/open/"+data.uuid);
}
});
});
// form save event handlers for all defined forms
$('[id*="save_"]').each(function(){
$(this).click(function() {
var frm_id = $(this).closest("form").attr("id");
var frm_title = $(this).closest("form").attr("data-title");
// save data for General TAB
saveFormToEndpoint("/api/proxy/settings/set", frm_id, function(){
// on correct save, perform reconfigure. set progress animation when reloading
$("#"+frm_id+"_progress").addClass("fa fa-spinner fa-pulse");
ajaxCall("/api/proxy/service/reconfigure", {}, function(data,status){
// when done, disable progress animation.
$("#"+frm_id+"_progress").removeClass("fa fa-spinner fa-pulse");
if (status != "success" || data['status'] != 'ok' ) {
// fix error handling
BootstrapDialog.show({
type:BootstrapDialog.TYPE_WARNING,
title: frm_title,
message: JSON.stringify(data),
draggable: true
});
} else {
updateServiceControlUI('proxy');
}
});
});
});
});
$("#resetAct").click(function() {
BootstrapDialog.show({
type:BootstrapDialog.TYPE_DANGER,
title: '{{ lang._('Reset') }} ',
message: '{{ lang._('Are you sure you want to flush all generated content and restart the proxy?') }}',
buttons: [{
label: '{{ lang._('Yes') }}',
cssClass: 'btn-primary',
action: function(dlg){
dlg.close();
$("#resetAct_progress").addClass("fa fa-spinner fa-pulse");
ajaxCall("/api/proxy/service/reset", {}, function(data,status) {
$("#resetAct_progress").removeClass("fa fa-spinner fa-pulse");
updateServiceControlUI('proxy');
});
}
}, {
label: '{{ lang._('No') }}',
action: function(dlg){
dlg.close();
}
}]
});
});
/**
* Error page template actions
*/
$("#error_pages_content_filename").click(function(evt) {
$("#error_pages_content_progress").addClass("fa fa-spinner fa-pulse");
$("#error_pages_content_icon").hide();
this.value = null;
});
$("#error_pages_content_filename").change(function(evt) {
if (evt.target.files[0]) {
var reader = new FileReader();
reader.onload = function(readerEvt) {
$("#error_pages_content_name").val(evt.target.files[0].name);
$("#error_pages_content").val(btoa(readerEvt.target.result));
$("#error_pages_content_progress").removeClass("fa fa-spinner fa-pulse");
$("#error_pages_content_icon").show();
};
reader.readAsBinaryString(evt.target.files[0]);
} else {
$("#error_pages_content_progress").removeClass("fa fa-spinner fa-pulse");
$("#error_pages_content_icon").show();
}
});
$("#error_pages_download").click(function(){
window.open('/api/proxy/template/get', 'downloadTemplate');
});
$("#error_pages_upload").click(function(){
if ($("#error_pages_content").val().length > 2) {
ajaxCall("/api/proxy/template/set", {'content': $("#error_pages_content").val()}, function(data,status) {
if (data['error'] !== undefined) {
// error saving
BootstrapDialog.show({
type: BootstrapDialog.TYPE_WARNING,
title: "{{ lang._('Error uploading template') }}",
message: data['error'],
draggable: true
});
} else {
$("#error_pages_content_name").val("{{ lang._('saved') }}");
}
});
}
});
$("#error_pages_reset").click(function(){
BootstrapDialog.show({
title: "{{ lang._('Reset custom template') }}",
message: "{{ lang._('Are you sure you want to flush the configured template (back to defaults)?') }}",
type: BootstrapDialog.TYPE_INFO,
draggable: true,
buttons: [{
label: '<i class="fa fa-check" aria-hidden="true"></i>',
action: function(sender){
ajaxCall("/api/proxy/template/reset", {});
sender.close();
}
},{
label: '<i class="fa fa-close" aria-hidden="true"></i>',
action: function(sender){
sender.close();
}
}]
});
});
// update history on tab state and implement navigation
if(window.location.hash != "") {
$('a[href="' + window.location.hash + '"]').click()
}
$('.nav-tabs a').on('shown.bs.tab', function (e) {
history.pushState(null, null, e.target.hash);
});
});
</script>
<ul class="nav nav-tabs" role="tablist" id="maintabs">
{{ partial("layout_partials/base_tabs_header",['formData':mainForm]) }}
{# add custom content #}
<li role="presentation" class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" role="button">
<b><span class="caret"></span></b>
</a>
<a data-toggle="tab" onclick="$('#subtab_item_pac_rules').click();" class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" style="border-right:0px;"><b>{{ lang._('Proxy Auto-Config') }}</b></a>
<ul class="dropdown-menu" role="menu">
<li>
<a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_rules">{{ lang._('Rules') }}</a>
</li>
<li>
<a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_proxies">{{ lang._('Proxies') }}</a>
</li>
<li>
<a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_matches">{{ lang._('Matches') }}</a>
</li>
</ul>
</li>
<li><a data-toggle="tab" href="#remote_acls"><b>{{ lang._('Remote Access Control Lists') }}</b></a></li>
<li><a data-toggle="tab" href="#support"><b>{{ lang._('Support') }}</b></a></li>
<li><a data-toggle="tab" id="subtab_error_pages" style="display:none" href="#error_pages"><b>{{ lang._('Error Pages') }}</b></a></li>
</ul>
<div class="content-box tab-content">
{{ partial("layout_partials/base_tabs_content",['formData':mainForm]) }}
<div id="subtab_pac_matches" class="tab-pane fade">
<table id="grid-pac-match" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACMatch">
<thead>
<tr>
<th data-column-id="name" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Name') }}</th>
<th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
<th data-column-id="display_match_type" data-type="notprefixable" data-sortable="false" data-visible="true">{{ lang._('Match Type') }}</th>
<th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Action') }}</th>
</tr>
</thead>
<tbody>
</tbody>
<tfoot>
<tr>
<td colspan="3"></td>
<td>
<button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
<button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
</td>
</tr>
</tfoot>
</table>
</div>
<div id="subtab_pac_rules" class="tab-pane fade">
<table id="grid-pac-rule" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACRule">
<thead>
<tr>
<th data-column-id="enabled" data-formatter="rowtoggle" data-sortable="false" data-width="6em">{{ lang._('Enabled') }}</th>
<th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
<th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Actions') }}</th>
</tr>
</thead>
<tbody>
</tbody>
<tfoot>
<tr>
<td colspan="2"></td>
<td>
<button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
<button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
</td>
</tr>
</tfoot>
</table>
</div>
<div id="subtab_pac_proxies" class="tab-pane fade">
<table id="grid-pac-proxy" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACProxy">
<thead>
<tr>
<th data-column-id="name" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Name') }}</th>
<th data-column-id="proxy_type" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Type') }}</th>
<th data-column-id="url" data-type="string" data-sortable="false" data-visible="true">{{ lang._('URL') }}</th>
<th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
<th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Actions') }}</th>
</tr>
</thead>
<tbody>
</tbody>
<tfoot>
<tr>
<td colspan="3"></td>
<td>
<button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
<button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
</td>
</tr>
</tfoot>
</table>
</div>
<div id="remote_acls" class="tab-pane fade">
<table class="table table-striped table-condensed table-responsive">
<colgroup>
<col class="col-md-3"/>
<col class="col-md-9"/>
</colgroup>
<tbody>
<tr>
<td colspan="2" style="text-align:right">
<small>{{ lang._('full help') }} </small><a href="#"><i class="fa fa-toggle-off text-danger" id="show_all_help_show_all_help_frm_proxy-forward-acl-remoteACLS"></i></a>
</td>
</tr>
<tr>
<td><div class="control-label">
<a id="help_for_proxy.forward.acl.remoteACLs.blacklist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>
<b>{{ lang._('Remote Blacklist') }}</b>
</div>
</td>
<td>
<div class="hidden" data-for="help_for_proxy.forward.acl.remoteACLs.blacklist">
<small>
{{ lang._('Add an item to the table to fetch a remote acl for blacklisting.%s
You can enable or disable the blacklist list.%s
The active blacklists will be merged with the settings under %sForward Proxy -> Access Control List%s.') |
format('<br/>','<br/>','<b>','</b>') }}
</small>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div id="remoteACLchangeMessage" class="alert alert-info" style="display: none" role="alert">
{{ lang._('After changing categories, please remember to download the ACL again to apply your new settings') }}
</div>
<table id="grid-remote-blacklists" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditBlacklist" data-editAlert="remoteACLchangeMessage">
<thead>
<tr>
<th data-column-id="enabled" data-formatter="rowtoggle" data-sortable="false" data-width="6em">{{ lang._('Enabled') }}</th>
<th data-column-id="filename" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Filename') }}</th>
<th data-column-id="url" data-type="string" data-sortable="false" data-visible="true">{{ lang._('URL') }}</th>
<th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
<th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit | Delete') }}</th>
</tr>
</thead>
<tbody>
</tbody>
<tfoot>
<tr>
<td></td>
<td>
<button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
</td>
</tr>
</tfoot>
</table>
<div class="col-md-12">
<hr/>
<button class="btn btn-primary" id="reconfigureAct"
data-endpoint='/api/proxy/service/reconfigure'
data-label="{{ lang._('Apply') }}"
data-error-title="{{ lang._('Error reconfiguring proxy') }}"
type="button"
></button>
<button class="btn btn-primary" id="fetchandreconfigureAct"
data-endpoint='/api/proxy/service/fetchacls'
data-label="{{ lang._('Download ACLs & Apply') }}"
data-error-title="{{ lang._('Error fetching remote acls') }}"
type="button"
></button>
<button class="btn btn-primary" id="downloadAct"
data-endpoint='/api/proxy/service/downloadacls'
data-label="{{ lang._('Download ACLs') }}"
data-error-title="{{ lang._('Error fetching remote acls') }}"
type="button"
></button>
<button class="btn btn-primary" id="ScheduleAct" type="button">
<b>{{ lang._('Schedule with Cron') }}</b><i id="scheduleAct_progress" class=""></i>
</button>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="support" class="tab-pane fade">
<table class="table table-striped table-condensed">
<thead>
<tr>
<th>{{ lang._('Action')}}</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>
<button class="btn btn-primary" id="resetAct" type="button">{{ lang._('Reset') }}<i id="resetAct_progress" class=""></button>
</td>
<td>
{{ lang._('Reset all generated content (cached files and certificates included) and restart the proxy.') }}
</td>
</tr>
</tbody>
</table>
</div>
<div id="error_pages" class="tab-pane fade">
<form id="frm_proxy-error_pages" data-title="{{ lang._('Error pages')}}">
<table class="table table-striped table-condensed">
<thead>
<tr>
<th>{{ lang._('Action')}}</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<button class="btn btn-default" style="padding-bottom: 7px;" id="error_pages_download" title="{{ lang._('Download')}}" data-toggle="tooltip">
<i class="fa fa-fw fa-download"></i>
</button>
</td>
</tr>
<tr>
<td>
<textarea id="error_pages_content" class="hidden form-control"></textarea>
<div class="input-group">
<label class="input-group-btn">
<label class="btn btn-default" style="padding-bottom: 7px;">
<i class="fa fa-fw fa-folder-o" id="error_pages_content_icon"></i>
<i id="error_pages_content_progress"></i>
<input type="file" id="error_pages_content_filename" style="display: none;">
</label>
</label>
<input type="text" class="form-control" readonly="" for="error_pages_content" id="error_pages_content_name">
<button class="btn btn-default" id="error_pages_upload" style="padding-bottom: 7px;" title="{{ lang._('Upload selected file')}}" data-toggle="tooltip">
<i class="fa fa-fw fa-upload"></i>
</button>
</div>
</td>
</tr>
<tr>
<td>
<button class="btn btn-default" style="padding-bottom: 7px;" id="error_pages_reset" title="{{ lang._('Reset')}}" data-toggle="tooltip">
<i class="fa fa-fw fa-remove"></i>
</button>
</td>
</tr>
</tbody>
<tfoot>
<tr>
<td>
{{ lang._('Download and upload custom error pages, if no (new) files are provided our defaults are used.')}}
</td>
</tr>
<tr>
<td>
<button class="btn btn-primary" id="save_proxy-error_pages" type="button">
<b>{{ lang._('Apply')}}</b>
<i id="frm_proxy-error_pages_progress" class=""></i>
</button>
</td>
</tr>
</tfoot>
</table>
</form>
</div>
</div>
{{ partial("layout_partials/base_dialog",['fields':formDialogEditBlacklist,'id':'DialogEditBlacklist','label':lang._('Edit blacklist')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACProxy,'id':'DialogEditPACProxy','label':lang._('Edit Proxy')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACMatch,'id':'DialogEditPACMatch','label':lang._('Edit Match')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACRule,'id':'DialogEditPACRule','label':lang._('Edit Rule')])}}


@ -1,54 +0,0 @@
#!/usr/local/bin/python3
"""
Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import ujson
import os
import re
from lib import ProxyTemplates
target_directory = "/usr/local/etc/squid/errors/local"
if __name__ == '__main__':
proxy_templates = ProxyTemplates()
# install error_pages into target_directory
if not os.path.isdir(target_directory):
os.mkdir(target_directory)
for filename, data in proxy_templates.templates(proxy_templates.overlay_enabled()):
match = proxy_templates.css_section(data)
if match:
inline_css = list()
for dep_filename in proxy_templates.css_dependencies(filename, proxy_templates.overlay_enabled()):
css_content = proxy_templates.get_file(dep_filename, proxy_templates.overlay_enabled())
if css_content:
inline_css.append(b'<style type="text/css">\n%s\n</style>' % css_content)
data = b"%s%s%s" % (data[0:match.start()], b"\n".join(inline_css), data[match.end():])
with open("%s/%s" % (target_directory, os.path.splitext(filename)[0]), "wb") as target_fh:
target_fh.write(data)
print(ujson.dumps({
'overlay_status': proxy_templates.get_overlay_status()
}))


@ -1,53 +0,0 @@
#!/usr/local/bin/python3
"""
Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import base64
import ujson
import os
import re
import zipfile
from io import BytesIO
from lib import ProxyTemplates
if __name__ == '__main__':
root_dir = "/proxy_template"
proxy_templates = ProxyTemplates()
output_data = BytesIO()
processed = list()
with zipfile.ZipFile(output_data, mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
for filename, data in proxy_templates.templates(True):
zf.writestr("%s/%s" % (root_dir, filename), data)
for dep_filename in proxy_templates.css_dependencies(filename, True):
if dep_filename not in processed:
zf.writestr("%s/%s" % (root_dir, dep_filename), proxy_templates.get_file(dep_filename, True))
processed.append(dep_filename)
response = dict()
response['payload'] = base64.b64encode(output_data.getvalue()).decode()
response['size'] = len(response['payload'])
print(ujson.dumps(response))


@ -1,381 +0,0 @@
#!/usr/local/bin/python3
"""
Copyright (c) 2016-2019 Ad Schellevis <ad@opnsense.org>
Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import tempfile
import os
import sys
import json
import glob
import os.path
import tarfile
import gzip
import zipfile
import syslog
import urllib3
from configparser import ConfigParser
from urllib.request import urlopen
from urllib.error import URLError
from urllib.error import HTTPError
import requests
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
acl_config_fn = '/usr/local/etc/squid/externalACLs.conf'
acl_target_dir = '/usr/local/etc/squid/acl'
acl_max_timeout = 30
class Downloader(object):
""" Download helper
"""
def __init__(self, url,username, password, timeout, ssl_no_verify=False):
""" init new
:param url: source url
:param timeout: timeout in seconds
"""
self._url = url.strip()
self._timeout = timeout
self._source_handle = None
self._username = username
self._password = password
self._ssl_no_verify = ssl_no_verify
def fetch(self):
""" fetch (raw) source data into tempfile using self._source_handle
"""
self._source_handle = None
if self._url.lower().startswith('http://') or self._url.lower().startswith('https://'):
# HTTP(S) download
req_opts = dict()
req_opts['url'] = self._url
req_opts['stream'] = True
req_opts['timeout'] = self._timeout
if self._ssl_no_verify:
req_opts['verify'] = False
if self._username is not None:
req_opts['auth'] = (self._username, self._password)
req = requests.get(**req_opts)
if req.status_code == 200:
req.raw.decode_content = True
self._source_handle = tempfile.NamedTemporaryFile('wb+', 10240)
while True:
data = req.raw.read(10240)
if not data:
break
else:
self._source_handle.write(data)
self._source_handle.seek(0)
else:
syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (http code: %s)' % (self._url,
req.status_code))
elif self._url.lower().startswith('ftp://'):
# FTP download
try:
f = urlopen(self._url, timeout=self._timeout)
self._source_handle = tempfile.NamedTemporaryFile('wb+', 10240)
while True:
data = f.read(10240)
if not data:
break
else:
self._source_handle.write(data)
self._source_handle.seek(0)
f.close()
except (URLError, HTTPError, IOError) as e:
syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s' % self._url)
else:
syslog.syslog(syslog.LOG_ERR, 'proxy acl: unsupported protocol for %s' % self._url)
def get_files(self):
""" process downloaded data, handle compression
:return: iterator filename, file handle
"""
if self._source_handle is not None:
# handle compressed data
if (len(self._url) > 8 and self._url[-7:] == '.tar.gz') \
or (len(self._url) > 4 and self._url[-4:] == '.tgz'):
# source is in tar.gz format, extract all into a single string
try:
tf = tarfile.open(fileobj=self._source_handle)
for tf_file in tf.getmembers():
if tf_file.isfile():
yield tf_file.name, tf.extractfile(tf_file)
except IOError as e:
syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (%s)' % (self._url, e))
elif len(self._url) > 4 and self._url[-3:] == '.gz':
# source is in .gz format unpack
try:
gf = gzip.GzipFile(mode='r', fileobj=self._source_handle)
yield os.path.basename(self._url), gf
except IOError as e:
syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (%s)' % (self._url, e))
elif len(self._url) > 5 and self._url[-4:] == '.zip':
# source is in .zip format, extract all into a single string
with zipfile.ZipFile(self._source_handle,
mode='r',
compression=zipfile.ZIP_DEFLATED) as zf:
for item in zf.infolist():
if item.file_size > 0:
yield item.filename, zf.open(item)
else:
yield os.path.basename(self._url), self._source_handle
def download(self):
""" download / unpack ACL
:return: iterator filename, type, content
"""
self.fetch()
for filename, filehandle in self.get_files():
basefilename = os.path.basename(filename).lower()
file_ext = filename.split('.')[-1].lower()
while True:
line = filehandle.readline().decode(encoding='utf-8', errors='ignore')
if not line:
break
yield filename, basefilename, file_ext, line
class DomainSorter(object):
""" Helper class for building sorted squid domain acl list.
Use as file type object, close flushes the actual (sorted) data to disc
"""
def __init__(self, filename=None):
""" new sorted output file, uses an acl record in reverse order as sort key
:param filename: target filename
:param mode: file open mode
"""
self._num_targets = 20
self._separator = '|'
self._buckets = dict()
self._sort_map = dict()
# setup target
self._target_filename = filename
# setup temp files
self.generate_targets()
def generate_targets(self):
""" generate ordered targets
"""
sets = 255
for i in range(sets):
target = chr(i + 1)
setid = int(i / (sets / self._num_targets))
if setid not in self._buckets:
self._buckets[setid] = tempfile.NamedTemporaryFile('wb+', 10240)
self._sort_map[target] = self._buckets[setid]
def write(self, data):
""" save content, send reverse sorted to buffers
:param data: line to write
"""
line = data.strip().lower()
if len(line) > 0:
# Calculate sort key, which is the reversed url with dots (.) replaced by spaces.
# We need to replace dots (.) here to avoid having a wrong sorting order when dashes
# or similar characters are used inside the url.
# (The process writing out the domains checks for domain overlaps)
sort_key = line[::-1].replace('.', ' ')
self.add(sort_key, line)
def add(self, key, value):
""" spool data to temp
:param key: key to use
:param value: value to store
"""
target = key[0]
if target in self._sort_map:
for part in (key, self._separator, value, '\n'):
self._sort_map[target].write(part.encode('utf-8'))
else:
# not supposed to happen, every key should have a calculated target pool
pass
def reader(self):
""" read reverse
"""
for target in sorted(self._buckets):
self._buckets[target].seek(0)
set_content = dict()
while True:
line = self._buckets[target].readline().decode()
if not line:
break
else:
set_content[line.split('|')[0]] = '|'.join(line.split('|')[1:])
for itemkey in sorted(set_content, reverse=True):
yield set_content[itemkey]
@staticmethod
def is_domain(tag):
""" check if tag is probably a domain name
:param tag: tag to inspect
:return: boolean
"""
has_chars = False
for tag_item in tag:
if not tag_item.isdigit() and tag_item not in ('.', ',', '|', '/', '\n'):
has_chars = True
elif tag_item in (':', '|', '/'):
return False
if has_chars:
return True
else:
return False
def close(self):
""" close and dump content
"""
if self._target_filename is not None:
# flush to file on close
with open(self._target_filename, 'wb', buffering=10240) as f_out:
prev_line = None
for line in self.reader():
line = line.lstrip('.')
if prev_line == line:
# duplicate, skip
continue
if self.is_domain(line):
# prefix domain, if this domain is different then the previous one
if prev_line is None or '.%s' % line not in prev_line:
f_out.write(b'.')
f_out.write(line.encode())
prev_line = line
def filename_in_ignorelist(bfilename, filename_ext):
""" ignore certain files from processing.
:param bfilename: basefilename to inspect
:param filename_ext: extension of the filename
"""
if filename_ext in ['pdf', 'txt', 'doc']:
return True
elif bfilename in ('readme', 'license', 'usage', 'categories'):
return True
return False
def main():
# parse OPNsense external ACLs config
if os.path.exists(acl_config_fn):
# create acl directory (if new)
if not os.path.exists(acl_target_dir):
os.mkdir(acl_target_dir)
else:
# remove index files
for filename in glob.glob('%s/*.index' % acl_target_dir):
os.remove(filename)
# read config and download per section
cnf = ConfigParser()
cnf.read(acl_config_fn)
for section in cnf.sections():
target_filename = acl_target_dir + '/' + section
if cnf.has_option(section, 'url'):
# collect filters to apply
acl_filters = list()
if cnf.has_option(section, 'filter'):
for acl_filter in cnf.get(section, 'filter').strip().split(','):
if len(acl_filter.strip()) > 0:
acl_filters.append(acl_filter)
# define target(s)
targets = {'domain': {'filename': target_filename, 'handle': None, 'class': DomainSorter}}
# only generate files if enabled, otherwise dump empty files
if cnf.has_option(section, 'enabled') and cnf.get(section, 'enabled') == '1':
download_url = cnf.get(section, 'url')
if cnf.has_option(section, 'username'):
download_username = cnf.get(section, 'username')
download_password = cnf.get(section, 'password')
else:
download_username = None
download_password = None
if cnf.has_option(section, 'sslNoVerify') and cnf.get(section, 'sslNoVerify') == '1':
sslNoVerify = True
else:
sslNoVerify = False
acl = Downloader(download_url, download_username, download_password, acl_max_timeout, sslNoVerify)
all_filenames = list()
for filename, basefilename, file_ext, line in acl.download():
if filename_in_ignorelist(basefilename, file_ext):
# ignore documents, licenses and readme's
continue
# detect output type
if '/' in line or '|' in line:
filetype = 'url'
elif line.startswith('#'):
filetype = 'comment'
else:
filetype = 'domain'
if filename not in all_filenames:
all_filenames.append(filename)
if len(acl_filters) > 0:
acl_found = False
for acl_filter in acl_filters:
if acl_filter in filename:
acl_found = True
break
if not acl_found:
# skip this acl entry
continue
if filetype in targets and targets[filetype]['handle'] is None:
targets[filetype]['handle'] = targets[filetype]['class'](targets[filetype]['filename'])
if filetype in targets:
targets[filetype]['handle'].write(line)
targets[filetype]['handle'].write('\n')
# save index to disc
with open('%s.index' % target_filename, 'w', buffering=10240) as idx_out:
index_data = dict()
for filename in all_filenames:
if len(filename.split('/')) > 2:
index_key = '/'.join(filename.split('/')[1:-1])
if index_key not in index_data:
index_data[index_key] = index_key
idx_out.write(json.dumps(index_data))
# cleanup
for filetype in targets:
if targets[filetype]['handle'] is not None:
targets[filetype]['handle'].close()
elif cnf.has_option(section, 'enabled') and cnf.get(section, 'enabled') != '1':
if os.path.isfile(targets[filetype]['filename']):
# disabled, remove previous data
os.remove(targets[filetype]['filename'])
elif not os.path.isfile(targets[filetype]['filename']):
# no data fetched and no file available, create new empty file
with open(targets[filetype]['filename'], 'w') as target_out:
target_out.write("")
# execute downloader
main()


@ -1,53 +0,0 @@
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2016 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/* XXX use legacy code to generate certs and CAs */
require_once("config.inc");
require_once("certs.inc");
use OPNsense\Core\Config;
// Our template systems stores the ca certid into /usr/local/etc/squid/ca.pem.id
// Which makes it easier for the setup script to detect cert changes (which should flush the stored cache)
if (is_file('/usr/local/etc/squid/ca.pem.id')) {
$cert_refid = trim(file_get_contents('/usr/local/etc/squid/ca.pem.id'));
if (!empty($config['ca'])) {
foreach ($config['ca'] as $ca) {
if (isset($ca['refid']) && $ca['refid'] == $cert_refid) {
$pem_contents = '';
$pem_contents .= trim(base64_decode($ca['prv'])) . "\n";
$pem_contents .= trim(base64_decode($ca['crt'])) . "\n";
$pem_contents .= ca_chain($ca);
echo "certificate generated\n";
file_put_contents('/var/squid/ssl/ca.pem', $pem_contents);
}
}
}
}

@ -1,141 +0,0 @@
"""
Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import ujson
import os
import base64
import binascii
import re
import zipfile
import glob
from io import BytesIO
class ProxyTemplates:
error_config = "/usr/local/etc/squid/error_directory.in"
def __init__(self):
self._all_src_files = dict()
self._all_ovl_files = dict()
self._overlay_status = None
self._install_overlay = False
self._overlay_data = None
self._load_config()
self.load()
def _load_config(self):
""" initialize configuration
"""
if os.path.isfile(self.error_config):
error_cfg = ujson.loads(open(self.error_config, 'rb').read())
self._install_overlay = 'install' not in error_cfg or error_cfg['install'] != 'opnsense'
self._overlay_data = error_cfg['content'] if 'content' in error_cfg else None
def load(self):
""" load (custom) error pages in memory
"""
self._overlay_status = None
self._all_src_files = dict()
self._all_ovl_files = dict()
# base (OPNsense) template
for filename in glob.glob("/usr/local/opnsense/data/proxy/template_error_pages/*"):
bfilename = os.path.basename(filename)
with open(filename, "rb") as f_in:
self._all_src_files[bfilename] = f_in.read()
# when a (valid) overlay is provided, read it's contents
if self._overlay_data and self._install_overlay:
try:
input_data = BytesIO(base64.b64decode(self._overlay_data))
root_dir = ""
with zipfile.ZipFile(input_data, mode='r', compression=zipfile.ZIP_DEFLATED) as zf_in:
for zf_info in zf_in.infolist():
if not root_dir and zf_info.filename.endswith('/'):
root_dir = zf_info.filename
else:
self._all_ovl_files[zf_info.filename.replace(root_dir, "")] = zf_in.read(zf_info.filename)
except binascii.Error:
self._overlay_status = 'Not a base64 encoded file'
except zipfile.BadZipFile:
self._overlay_status = 'Illegal zip file'
except IOError:
self._overlay_status = 'Error reading file'
def templates(self, overlay=False):
""" return template html files
:param overlay: consider custom theme files when applicable
:rtype: [string, bytes]
"""
for filename in self._all_src_files:
if filename.endswith('.html'):
if overlay and filename in self._all_ovl_files:
yield filename, self._all_ovl_files[filename]
else:
yield filename, self._all_src_files[filename]
def get_file(self, filename, overlay=False):
""" return file content
:param filename: source filename
:param overlay: consider custom theme files when applicable
:return: string
"""
if filename in self._all_src_files:
if overlay and filename in self._all_ovl_files:
return self._all_ovl_files[filename]
else:
return self._all_src_files[filename]
@staticmethod
def css_section(data):
""" extract css definition block from provided data
:param data: html data
:return: MatchObject
"""
return re.search(b'(<!--[\s]*EMBED:start.*?EMBED:end[\s]*-->)', data, re.DOTALL)
def css_dependencies(self, filename, overlay=False):
""" extract css dependencies from provided filename
:param filename: source filename
:param overlay: consider custom theme files when applicable
:rtype: list
"""
data = self.get_file(filename, overlay)
if filename.endswith('.html') and data:
match = self.css_section(data)
if match:
for href in re.findall(b"(href[\s]*=[\s]*[\"|'])(.*?)([\"|'])" ,match.group(0)):
yield href[1].decode()
def overlay_enabled(self):
""" when deploying files, should we consider an overlay
:return: bool
"""
return self._install_overlay
def get_overlay_status(self):
""" return validity of the installed overlay
:return: string
"""
return self._overlay_status

@ -1,42 +0,0 @@
#!/bin/sh
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs /usr/local/etc/squid/errors/local"
for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR}
chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z -N > /dev/null 2>&1
# remove ssl certificate store in case the user changed the CA
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
current_cert=`cat /usr/local/etc/squid/ca.pem.id`
if [ -d /var/squid/ssl_crtd ]; then
if [ -f /var/squid/ssl_crtd.id ]; then
running_cert=`cat /var/squid/ssl_crtd.id`
else
running_cert=""
fi
if [ "$current_cert" != "$running_cert" ]; then
rm -rf /var/squid/ssl_crtd
fi
fi
fi
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/security_file_certgen -c -s /var/squid/ssl_crtd -M 10 > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
fi
fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1
# install theme files
/usr/local/opnsense/scripts/proxy/deploy_error_pages.py > /dev/null 2>&1

@ -1,107 +0,0 @@
"""
Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import re
import datetime
from . import NewBaseLogFormat
squid_ext_timeformat = r'.*(\[\d{1,2}/[A-Za-z]{3}/\d{4}:\d{1,2}:\d{1,2}:\d{1,2} \+\d{4}\]).*'
squid_timeformat = r'^(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}).*'
class SquidLogFormat(NewBaseLogFormat):
def __init__(self, filename):
super().__init__(filename)
self._priority = 100
def match(self, line):
return self._filename.find('squid') > -1 and re.match(squid_timeformat, line) is not None
@property
def timestamp(self):
tmp = re.match(squid_timeformat, self._line)
grp = tmp.group(1)
return datetime.datetime.strptime(grp, "%Y/%m/%d %H:%M:%S").isoformat()
@property
def process_name(self):
return "squid"
@property
def line(self):
return self._line[19:].strip()
class SquidExtLogFormat(NewBaseLogFormat):
def __init__(self, filename):
super().__init__(filename)
self._priority = 120
def match(self, line):
return self._filename.find('squid') > -1 and re.match(squid_ext_timeformat, line) is not None
@property
def timestamp(self):
tmp = re.match(squid_ext_timeformat, self._line)
grp = tmp.group(1)
return datetime.datetime.strptime(grp[1:].split()[0], "%d/%b/%Y:%H:%M:%S").isoformat()
@property
def process_name(self):
return "squid"
@property
def line(self):
tmp = re.match(squid_ext_timeformat, self._line)
grp = tmp.group(1)
return self._line.replace(grp, '')
class SquidJsonLogFormat(NewBaseLogFormat):
def __init__(self, filename):
super().__init__(filename)
self._priority = 140
local_now = datetime.datetime.now()
utc_now = datetime.datetime.utcnow()
self._localtimezone = datetime.timezone(local_now - utc_now)
def match(self, line):
return self._filename.find('squid') > -1 and line.find('"@timestamp"') > -1
@property
def timestamp(self, line):
tmp = line[line.find('"@timestamp"')+13:].split(',')[0].strip().strip('"')
try:
return datetime.datetime.strptime(tmp, "%Y-%m-%dT%H:%M:%S%z")\
.astimezone(self._localtimezone).isoformat().split('.')[0].split('+')[0]
except ValueError:
return None
@property
def process_name(self):
return "squid"
@property
def line(self):
return self._line

@ -1,82 +0,0 @@
[start]
command:
/usr/local/sbin/pluginctl -c webproxy start;
/usr/local/etc/rc.d/squid start 2>&1 && echo "__ok__"; exit 0
parameters:
type:script_output
message:starting proxy
[stop]
command:
/usr/local/etc/rc.d/squid stop;
/usr/bin/killall squid;
/usr/local/sbin/pluginctl -c webproxy stop;
exit 0
parameters:
type:script
message:stopping proxy
[restart]
command:
/usr/local/sbin/pluginctl -c webproxy restart;
/usr/local/etc/rc.d/squid restart 2>&1 && echo "__ok__"; exit 0
parameters:
type:script_output
message:restarting proxy
description:Restart Web Proxy service
[reset]
command:
/usr/bin/killall -9 squid;
rm /var/run/squid/squid.pid;
rm -rf /var/squid/*;
/usr/local/sbin/pluginctl -c webproxy start;
/usr/local/etc/rc.d/squid start
parameters:
type:script
message:reset and restart proxy
[reload]
command:
/usr/local/sbin/pluginctl -c webproxy reload;
/usr/local/opnsense/scripts/proxy/deploy_error_pages.py;
/usr/local/etc/rc.d/squid reload
parameters:
type:script
message:reload proxy
[status]
command:/usr/local/etc/rc.d/squid status;exit 0
parameters:
type:script_output
message:request proxy status
[fetchacls]
command:
/usr/local/bin/flock -n -E 0 -o /tmp/fetchACLs.lock /usr/local/opnsense/scripts/proxy/fetchACLs.py && (
/usr/local/sbin/pluginctl -c webproxy reload;
/usr/local/etc/rc.d/squid reload
)
parameters:
type:script
message:download and reload proxy ACLs from remote locations
description:Download and reload external proxy ACLs
[downloadacls]
command:/usr/local/bin/flock -n -E 0 -o /tmp/fetchACLs.lock /usr/local/opnsense/scripts/proxy/fetchACLs.py
parameters:
type:script
message:download proxy ACLs from remote locations
description:Download external proxy ACLs
[deploy_error_pages]
command:/usr/local/opnsense/scripts/proxy/deploy_error_pages.py
parameters:
type:script_output
message:deploy error pages
[download_error_pages]
command:/usr/local/opnsense/scripts/proxy/download_error_pages.py
parameters:
type:script_output
message:download error pages

@ -1,15 +0,0 @@
auth.conf:/usr/local/etc/squid/auth/dummy.conf
ca.pem.id:/usr/local/etc/squid/ca.pem.id
cache.active:/var/squid/cache/active
error_directory_in:/usr/local/etc/squid/error_directory.in
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
parentproxy.conf:/usr/local/etc/squid/pre-auth/parentproxy.conf
post-auth.conf:/usr/local/etc/squid/post-auth/dummy.conf
pre-auth.conf:/usr/local/etc/squid/pre-auth/dummy.conf
rc.conf.d:/etc/rc.conf.d/squid/squid
snmp.conf:/usr/local/etc/squid/pre-auth/40-snmp.conf
squid.conf:/usr/local/etc/squid/squid.conf
squid.pam:/etc/pam.d/squid
wpad.dat:/usr/local/www/wpad.dat

@ -1,3 +0,0 @@
# AUTOGENERATED FILE. DO NOT EDIT.
# DO NOT REMOVE THIS FILE!
# This directory is for auth config files

@ -1,3 +0,0 @@
{% if helpers.exists('OPNsense.proxy.forward.sslcertificate') %}
{{ OPNsense.proxy.forward.sslcertificate }}
{% endif %}

@ -1,5 +0,0 @@
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
yes
{% endif %}
{% endif %}

@ -1,7 +0,0 @@
{#
base64 encoded zip archive containing template overrides
#}
{
"install": "{{ OPNsense.proxy.general.error_pages|default('opnsense') }}",
"content": "{% if not helpers.empty('OPNsense.proxy.error_pages.template') %}{{ OPNsense.proxy.error_pages.template }}{% endif %}"
}

@ -1,16 +0,0 @@
#
# Automatic generated configuration for fetching remote ACLs.
# Do not edit this file manually.
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
[{{blacklist.filename}}]
url:{{blacklist.url}}
enabled:{{blacklist.enabled}}
filter:{{blacklist.filter|default('')}}
{% if blacklist.username|default('') != '' %}
username={{blacklist.username}}
password={{blacklist.password|default('')}}
{% endif %}
sslNoVerify={{blacklist.sslNoVerify|default('0')}}
{% endfor %}
{% endif %}

@ -1,6 +0,0 @@
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
{% if helpers.exists('OPNsense.proxy.general.enabled') and OPNsense.proxy.general.enabled|default("0") == "1" %}
/var/log/squid/access.log squid:squid 644 14 * @T00 ZB /var/run/squid/squid.pid 30
/var/log/squid/cache.log squid:squid 644 2 * @T00 ZB /var/run/squid/squid.pid 30
/var/log/squid/store.log squid:squid 644 2 * @T00 ZB /var/run/squid/squid.pid 30
{% endif %}

@ -1,5 +0,0 @@
{% if helpers.exists('OPNsense.proxy.forward.sslnobumpsites') and OPNsense.proxy.forward.sslnobumpsites != '' %}
{% for line in OPNsense.proxy.forward.sslnobumpsites.split(',') %}
{{ line }}
{% endfor %}
{% endif %}

@ -1,24 +0,0 @@
{% if helpers.exists('OPNsense.proxy.general.parentproxy.enabled') and OPNsense.proxy.general.parentproxy.enabled == '1' %}
cache_peer {{ OPNsense.proxy.general.parentproxy.host }} parent {{ OPNsense.proxy.general.parentproxy.port }} 0 no-query default {% if helpers.exists('OPNsense.proxy.general.parentproxy.enableauth') and OPNsense.proxy.general.parentproxy.enableauth == '1' %} login={{ OPNsense.proxy.general.parentproxy.user }}:{{ OPNsense.proxy.general.parentproxy.password }}{% endif %}
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
acl ExcludePPDomains dstdomain {{ OPNsense.proxy.general.parentproxy.localdomains.replace(',', ' ') }}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
acl ExcludePPIPs dst {{ OPNsense.proxy.general.parentproxy.localips.replace(',', ' ') }}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} deny ExcludePPDomains
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} deny ExcludePPIPs
{% endif %}
cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} allow all
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
never_direct deny ExcludePPDomains
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
never_direct deny ExcludePPIPs
{% endif %}
never_direct allow all
{% endif %}

@ -1,3 +0,0 @@
# AUTOGENERATED FILE. DO NOT EDIT.
# DO NOT REMOVE THIS FILE!
# This directory is for post-auth config files

@ -1,3 +0,0 @@
# AUTOGENERATED FILE. DO NOT EDIT.
# DO NOT REMOVE THIS FILE!
# This directory is for pre-auth config files

@ -1,6 +0,0 @@
{% if helpers.exists('OPNsense.proxy.general.enabled') and OPNsense.proxy.general.enabled|default("0") == "1" %}
squid_setup="/usr/local/opnsense/scripts/proxy/setup.sh"
squid_enable="YES"
{% else %}
squid_enable="NO"
{% endif %}

@ -1,5 +0,0 @@
{% if helpers.exists('OPNsense.proxy.forward.snmp_enable') and OPNsense.proxy.forward.snmp_enable == '1' %}
snmp_port {{ OPNsense.proxy.forward.snmp_port }}
acl snmppublic snmp_community {{ OPNsense.proxy.forward.snmp_password }}
snmp_access allow snmppublic
{% endif %}

@ -1,248 +0,0 @@
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow unrestricted
{% endif %}
{% endif %}
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow whiteList
{% endif %}
{% endif %}
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blackList
{% endif %}
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockuseragents
{% endif %}
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Google Suite Filter
{% if not helpers.empty('OPNsense.proxy.forward.acl.googleapps') %}
request_header_add X-GoogApps-Allowed-Domains {{OPNsense.proxy.forward.acl.googleapps}}
{% endif %}
# YouTube Filter
{% if helpers.exists('OPNsense.proxy.forward.acl.youtube') and OPNsense.proxy.forward.acl.youtube|default('') != '' %}
request_header_add YouTube-Restrict {{OPNsense.proxy.forward.acl.youtube}}
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny bannedHosts
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny bannedHosts
{% endif %}
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny to_localhost
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny to_localhost
{% endif %}
{% endif %}
http_access deny to_localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.exclude') %}
# ACL - Whitelist - User defined (whiteList)
{% for element in OPNsense.proxy.forward.icap.exclude.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl exclude_icap url_regex {{element|encode_idna}}
{% else %}
acl exclude_icap url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny exclude_icap
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny exclude_icap
{% endif %}
{% endif %}
# Auth plugins
include /usr/local/etc/squid/auth/*.conf
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow local_auth
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow local_auth
{% endif %}
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow localnet
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow localnet
{% endif %}
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow localhost
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow localhost
{% endif %}
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow subnets
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow subnets
{% endif %}
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny all
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny all
{% endif %}
{% endif %}
http_access deny all

@ -1,487 +0,0 @@
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#
{# wrap listener configuration for reuse #}
{% macro listener_config(network, port='3129', tags='', protocol='') -%}
{% if protocol == 'ssl' %}
{% set listener_type = 'https_port' %}
{% else %}
{% set listener_type = 'http_port' %}
{% endif %}
{% set sslparams = '' %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
{% endif %}
{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# Setup transparent mode listeners on loopback interfaces
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{% endif %}
{% endif %}
# Setup regular listeners configuration
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
{% endif %}
{% if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
{{ listener_config('['+intf_item.ipaddrv6+']', OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_item in helpers.toList('virtualip.vip') %}
{% if intf_item.interface == interface and intf_item.mode in ['carp', 'ipalias'] %}
{% if intf_item.subnet.find(':') > -1 %}
{{ listener_config('['+intf_item.subnet+']', OPNsense.proxy.forward.port) }}
{% else %}
{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
sslproxy_cert_error deny all
{% endif %}
acl ftp proto FTP
http_access allow ftp
{% if helpers.exists('OPNsense.proxy.forward.ftpTransparentMode') and OPNsense.proxy.forward.ftpTransparentMode == '1' %}
# transparent mode, listen on localhost
ftp_port 127.0.0.1:{{ OPNsense.proxy.forward.ftpPort }} intercept
ftp_port [::1]:{{ OPNsense.proxy.forward.ftpPort }} intercept
{% endif %}
# Setup ftp proxy
{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
{% for interface in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
ftp_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.items() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
acl localnet src {{ helpers.getIPNetwork(intf_item.ipaddr+'/'+intf_item.subnet)[0].format() }}/{{intf_item.subnet}} # Possible internal network (interfaces v4)
{% endif %}
{% if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
acl localnet src {{helpers.getIPNetwork(intf_item.ipaddrv6+'/'+intf_item.subnetv6)[0].format()}}/{{intf_item.subnetv6}} # Possible internal network (interfaces v6)
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip.vip') %}
{% for intf_item in helpers.toList('virtualip.vip') %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet_bits}} # Possible internal network (aliases)
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
# Default allow for local-link and private networks
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL - Allow localhost for PURGE cache if enabled
{% if helpers.exists('OPNsense.proxy.general.cache.local') and OPNsense.proxy.general.cache.local.enabled == '1' %}
acl PURGE method PURGE
http_access allow localhost PURGE
http_access deny PURGE
{% endif %}
# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL - Allow Subnets - User defined (subnets)
{% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL - Unrestricted IPs - User defined (unrestricted)
{% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
# ACL - Banned Hosts - User defined (bannedHosts)
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL - Whitelist - User defined (whiteList)
{% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl whiteList url_regex {{element|encode_idna}}
{% else %}
acl whiteList url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL - Blacklist - User defined (blackList)
{% for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl blackList url_regex {{element|encode_idna}}
{% else %}
acl blackList url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
# ACL - Remote fetched Blacklist (remoteblacklist)
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
{% if blacklist.enabled=='1' %}
acl remoteblacklist_{{blacklist.filename}} dstdomain "/usr/local/etc/squid/acl/{{blacklist.filename}}"
{% endif %}
{% endfor %}
{% endif %}
# ACL - Block browser/user-agent - User defined (browser)
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL - Block MIME types - User defined (mimetype)
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
acl blockmimetypes_requests req_mime_type {{element}}
{% endfor %}
{% endif %}
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ACL - Safe_ports
{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
acl CONNECT method CONNECT
# ICAP SETTINGS
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
# enable icap
icap_enable on
{% if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
{% endif %}
# send user information to the icap server
{% if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
adaptation_send_client_ip on
{% else %}
adaptation_send_client_ip off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
adaptation_send_username on
{% else %}
adaptation_send_username off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
icap_client_username_encode on
{% else %}
icap_client_username_encode off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.UsernameHeader') and OPNsense.proxy.forward.icap.UsernameHeader != '' %}
icap_client_username_header {{OPNsense.proxy.forward.icap.UsernameHeader}}
{% endif %}
# preview
{% if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
icap_preview_enable on
{% else %}
icap_preview_enable off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
{% endif %}
# add the servers
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
{% endif %}
{% else %}
# disable icap
icap_enable off
{% endif %}
# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf
# Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% include ['OPNsense/Proxy/squid.user.alt_auth.conf', 'OPNsense/Proxy/squid.user.local_auth.conf'] %}
{% endif %}
{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf
# Caching settings
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
{% if OPNsense.proxy.general.cache.local.cache_mem|default('256')|int == 0 and OPNsense.proxy.general.cache.local.enabled == '0' %}
cache deny all
cache_mem 0
{% else %}
cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
{% if OPNsense.proxy.general.cache.local.maximum_object_size|default('') != '' %}
maximum_object_size {{OPNsense.proxy.general.cache.local.maximum_object_size}} MB
{% if OPNsense.proxy.general.cache.local.maximum_object_size|int > 4 %}
cache_replacement_policy heap LFUDA
{% endif %}
{% endif %}
{% if OPNsense.proxy.general.cache.local.maximum_object_size_in_memory|default('') != '' %}
maximum_object_size_in_memory {{OPNsense.proxy.general.cache.local.maximum_object_size_in_memory}} KB
{% endif %}
{% if OPNsense.proxy.general.cache.local.memory_cache_mode|default('always') != 'always' %}
memory_cache_mode {{OPNsense.proxy.general.cache.local.memory_cache_mode}}
{% endif %}
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{% endif %}
{% endif %}
{% endif %}
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_linux_packages') and OPNsense.proxy.general.cache.local.cache_linux_packages == '1' %}
# Linux package cache:
refresh_pattern pkg\.tar\.zst$ 0 20% 4320 refresh-ims
refresh_pattern d?rpm$ 0 20% 4320 refresh-ims
refresh_pattern deb$ 0 20% 4320 refresh-ims
refresh_pattern udeb$ 0 20% 4320 refresh-ims
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_windows_updates') and OPNsense.proxy.general.cache.local.cache_windows_updates == '1' %}
# http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
{% endif %}
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
{% if helpers.empty('OPNsense.proxy.general.enablePinger') %}
pinger_enable off
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
{% if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
# Disable access logging
access_log none
{% else %}
{% if OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
# ignore source hosts from access.log
acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
{% endif %}
{% if OPNsense.proxy.general.logging.target|default('') == 'syslog' %}
access_log syslog:local4.info {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
{% elif OPNsense.proxy.general.logging.target|default('') == 'file_extendend' %}
logformat opnsense %>a %[ui %>eui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squid/access.log opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
{% elif OPNsense.proxy.general.logging.target|default('') in ('file_json', 'syslog_json') %}
logformat opnsense {% raw %} {"@timestamp":"%{%Y-%m-%dT%H:%M:%S%z}tg","ecs":{"version":"1.0.0"},"event":{"id":"%{X-Request-Event-Id}>ha","dataset":"squid.access","duration":"%tr"},"http":{"version":"%rv","request":{"method":"%rm","referrer":"%{Referer}>h"},"response":{"bytes": %<st, "body":{"status_code": %>Hs}}},"host":{"hostname":"%>A"},"service":{"name":"proxy","type":"squid"},"source":{"ip":"%>a"},"url":{"original":"%ru"},"user":{"name":"%un"},"user_agent":{"original":"%{User-Agent}>h"},"labels":{"request_status":"%Ss","hierarchy_status":"%Sh"},"message":"%rm %ru HTTP/%rv"} {% endraw %}
{% if OPNsense.proxy.general.logging.target == 'file_json'%}
access_log stdio:/var/log/squid/access.log opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
{% else %}
access_log syslog:local4.info opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
{% endif %}
{% else %}
access_log stdio:/var/log/squid/access.log squid {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') %}
{% if OPNsense.proxy.general.logging.enable.storeLog == '0' %}
# Disable cache store log
cache_store_log none
{% else %}
cache_store_log stdio:/var/log/squid/store.log
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
{% for dns in OPNsense.proxy.general.alternateDNSservers.split(",") %}
dns_nameservers {{dns}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.useViaHeader') %}
{% if OPNsense.proxy.general.useViaHeader == '0' %}
# Disable via Header
via off
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.suppressVersion') %}
{% if OPNsense.proxy.general.suppressVersion == '1' %}
# Suppress http version string (default=off)
httpd_suppress_version_string on
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.icpPort') %}
{% if OPNsense.proxy.general.icpPort != '' %}
icp_port {{OPNsense.proxy.general.icpPort}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI handling with Whitespaces (default=strip)
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded header handling (default=on)
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
# Define PerHost and Overall Bandwidth Trotteling
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% else %}
# Define PerHost Trotteling
delay_parameters -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
# Define Overall Bandwidth Trotteling
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
{% if helpers.exists('OPNsense.proxy.general.VisibleHostname') %}
# Define visible hostname
visible_hostname {{OPNsense.proxy.general.VisibleHostname}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.VisibleEmail') %}
# Define visible email
cache_mgr {{OPNsense.proxy.general.VisibleEmail}}
{% endif %}
{% if not helpers.empty('OPNsense.proxy.general.connecttimeout') %}
# Set connection timeout
connect_timeout {{OPNsense.proxy.general.connecttimeout}} seconds
{% endif %}
# Set error directory language
{% set lang = namespace(dirs = [], done = false) %}
{% if not helpers.empty('OPNsense.proxy.general.error_pages') %}
{% do lang.dirs.append('/usr/local/etc/squid/errors/local') %}
{% elif helpers.exists('system.language') and system.language != "" %}
{% set langdir = system.language|lower|replace('_', '-') %}
{% do lang.dirs.append('/usr/local/share/squid-langpack/' + langdir) %}
{% do lang.dirs.append('/usr/local/share/squid-langpack/' + langdir[:2]) %}
{% endif %}
{% do lang.dirs.append('/usr/local/share/squid-langpack/en') %}
{% for langdir in lang.dirs %}
{% if not lang.done and helpers.file_exists(langdir) %}
{% set lang.done = true %}
error_directory {{ langdir }}
{% endif %}
{% endfor %}


@ -1,5 +0,0 @@
# auth
auth sufficient pam_opnsense.so
# account
account sufficient pam_opnsense.so


@ -1,13 +0,0 @@
# Configure Local User Authentication helper
auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED


@ -1,104 +0,0 @@
/*
PAC file created via OPNsense
To use this file you have to enter its URL into your browsers network settings.
*/
function FindProxyForURL(url, host) {
{% if helpers.exists('OPNsense.proxy.pac.rule') %}
{# define only if needed as because of performance issues #}
{% set data = {'dl' : '', 'dstip' : '', 'is_resolvable' : '' } %}
{% set dstip = '' %}
{% set is_resolvable = '' %}
{% for match in helpers.toList('OPNsense.proxy.pac.match') %}
{% if match.match_type == 'dns_domain_levels' %}
{% do data.update({ 'dl': 'var dl = dnsDomainLevels(host);'}) %}
{% endif %}
{% if match.match_type == 'dns_domain_levels' or match.match_type == 'destination_in_net' %}
{% do data.update({ 'dstip': 'var dstip = dnsResolve(host);'}) %}
{% endif %}
{% if match.match_type == 'is_resolvable' %}
{% do data.update({ 'is_resolvable': 'var is_resolvable = isResolvable(host);'}) %}
{% endif %}
{% endfor %}
{{ data.values()|join("\n") }}
{% if helpers.exists('OPNsense.proxy.pac.rule') %}
{% for rule in helpers.toList('OPNsense.proxy.pac.rule') %}
{% if not rule.enabled == '1' %}
{% continue %}
{% endif %}
{% set expression = [] %}
{# Join type is used to join the checks of the if statement #}
{% set join_type = ' && ' %}
{% if rule.join_type == 'or' %}
{% set join_type = ' || ' %}
{% endif %}
{% for match_uuid in rule.matches.split(',') %}
{% set match = helpers.getUUID(match_uuid) %}
{# be sure it has not been deleted yet #}
{% if match != None %}
{% set match_script = '(' %}
{% if match.negate == '1' %}
{% set match_script = match_script + '!' %}
{% endif %}
{% if match.match_type == 'url_matches' %}
{% set match_script = match_script + 'shExpMatch(url, "' + match.url + '")' %}
{% endif %}
{% if match.match_type == 'hostname_matches' %}
{% set match_script = match_script + 'shExpMatch(host, "' + match.hostname + '")' %}
{% endif %}
{% if match.match_type == 'dns_domain_is' %}
{% set match_script = match_script + 'dnsDomainIs(host, "' + match.hostname + '")' %}
{% endif %}
{% if match.match_type == 'destination_in_net' %}
{% set tmp_net = helpers.getIPNetwork(match.network) %}
{% set match_script = match_script + 'isInNet(dstip, "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
{% endif %}
{% if match.match_type == 'my_ip_in_net' %}
{% set tmp_net = helpers.getIPNetwork(match.network) %}
{% set match_script = match_script + 'isInNet(myIpAddress(), "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
{% endif %}
{% if match.match_type == 'plain_hostname' %}
{% set match_script = match_script + 'isPlainHostName(host)' %}
{% endif %}
{% if match.match_type == 'is_resolvable' %}
{% set match_script = match_script + 'is_resolvable' %}
{% endif %}
{% if match.match_type == 'dns_domain_levels' %}
{% set match_script = match_script + '(' + match.domain_level_from + ' <= dl) && (' + match.domain_level_to + ' >= dl)' %}
{% endif %}
{% if match.match_type == 'weekday_range' %}
{% set match_script = match_script + 'weekdayRange("' + match.weekday_from + '", "' + match.weekday_to + '")' %}
{% endif %}
{% if match.match_type == 'date_range' %}
{% set match_script = match_script + 'dateRange("' + match.date_from + '", "' + match.date_to + '")' %}
{% endif %}
{% if match.match_type == 'time_range' %}
{% set match_script = match_script + 'timeRange(' + match.time_from + ', ' + match.time_to + ')' %}
{% endif %}
{% set match_script = match_script + ')' %}
{% do expression.append(match_script) %}
{% endif %}
{% endfor %}
if ({% if rule.match_type == 'unless' %}!{% endif %}({{ expression|join(join_type) }})) {
{% set proxylist = [] %}
{% for proxy_uuid in rule.proxies.split(',') %}
{% set proxy = helpers.getUUID(proxy_uuid) %}
{% if proxy != None %}
{% if proxy.proxy_type == 'DIRECT' %}
{% do proxylist.append("DIRECT") %}
{% else %}
{% do proxylist.append(proxy.proxy_type + ' ' + proxy.url) %}
{% endif %}
{% endif %}
{% endfor %}
return "{{ proxylist|join(';') }}";
}
{% endfor %}
{% else %}
/* no rules active or defined*/
{% endif %}
{% endif %}
// If no rule exists - use a direct connection
return "DIRECT";
}


@ -1,6 +0,0 @@
###################################################################
# Local syslog-ng configuration filter definition [squid_access].
###################################################################
filter f_local_squid_access {
program("(squid-1)");
};