From aa34ef3ef65776b722868b42b5dcb83df02f849b Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 10 Mar 2015 20:01:30 +0000
Subject: [PATCH] proxy templates (initial / test )
---
 .../service/templates/OPNsense/Proxy/+TARGETS | 1 +
 .../templates/OPNsense/Proxy/rc.conf.d | 2 +-
 .../templates/OPNsense/Proxy/squid.conf | 89 +++++++++++++++++++
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 src/opnsense/service/templates/OPNsense/Proxy/squid.conf
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS b/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
index 0eeeafdf5..7b72b7561 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
@@ -1 +1,2 @@
 rc.conf.d:/etc/rc.conf.d/squid
+squid.conf:/usr/local/etc/squid/squid.conf
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d b/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
index e71ed574d..1f9b7b856 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
+++ b/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
@@ -1 +1 @@
-squid_enable=YES
+squid_enable={% if OPNsense.proxy.general.enabled|default("0") == "1" %}YES{% else %}NO{% endif %}
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
new file mode 100644
index 000000000..58970517b
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -0,0 +1,89 @@
+#
+# Recommended minimum configuration:
+#
+
+# setup listen configuration
+{% if helpers.exists('OPNsense.proxy.general.port') %}
+{% for interface in OPNsense.proxy.general.interfaces.split(",") %}
+{% for intf_key,intf_item in interfaces.iteritems() %}
+{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
+http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.general.port }}
+{% endif %}
+{% endfor %}
+{# virtual ip's #}
+{% for intf_key,intf_item in virtualip.iteritems() %}
+{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
+http_port {{intf_item.subnet}}:{{ OPNsense.proxy.general.port }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+
+
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/squid/cache 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/squid/cache
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
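Review bot: `#http_access deny to_localhost` is left commented out even though the hunk's own comment above it recommends enabling it, and on this host the proxy runs alongside the firewall's other local services, so any client matched by `localnet` could reach services bound to loopback through the proxy; change it to `http_access deny to_localhost` and keep it ahead of the `http_access allow localnet` line (on Squid releases where `to_localhost` is not a predefined ACL it also needs its own `acl to_localhost dst ...` definition). The `localnet` ACL is Squid's stock RFC1918/ULA/link-local list rather than the networks of the interfaces selected in `OPNsense.proxy.general.interfaces`, so a client in those ranges is allowed regardless of which interface it arrives on; deriving the ACL from the selected interfaces, or at least marking it with a TODO, would keep it consistent with the listener logic above. In the listen block `OPNsense.proxy.general.interfaces.split(",")` is dereferenced without the `helpers.exists` guard that protects the port, so a model with a port but no interfaces presumably either fails to render or yields no `http_port` line at all (in which case Squid would fall back to its built-in default listener); guard it the same way, e.g. `{% if helpers.exists('OPNsense.proxy.general.port') and helpers.exists('OPNsense.proxy.general.interfaces') %}`.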