From c1e181c6739afe05191abebecc7bd04e1a5ebce5 Mon Sep 17 00:00:00 2001
From: Alexander Shursha <kekek2@ya.ru>
Date: Fri, 8 Sep 2017 09:15:33 +0300
Subject: [PATCH] Icap whitelist

---
 .../controllers/OPNsense/Proxy/forms/main.xml  | 18 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml    |  3 +++
 .../templates/OPNsense/Proxy/squid.acl.conf    | 13 +++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 39ad8eb92..f3a5a05ab 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -537,6 +537,24 @@
                 <allownew>true</allownew>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>proxy.forward.icap.whiteList</id>
+                <label>Whitelist</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help><![CDATA[Whitelist destination domains.<br/>
+        You may use a regular expression, use a comma or press Enter for new item.<br/>
+        <div class="alert alert-info">
+            <b>Examples:</b><br/>
+            <b class="text-primary">mydomain.com</b> -> matches on <b>*.mydomain.com</b><br/>
+            <b class="text-primary">^https?:\/\/([a-zA-Z]+)\.mydomain\.</b> -> matches on <b>http(s)://textONLY.mydomain.*</b><br/>
+            <b class="text-primary">\.gif$</b> -> matches on <b>\*.gif</b> but not on <b class="text-danger">\*.gif\test</b><br/>
+            <b class="text-primary">\[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
+        </div>
+        <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>]]></help>
+                <hint>Regular expressions are allowed.</hint>
+                <allownew>true</allownew>
+            </field>
         </subtab>
         <subtab id="proxy-general-authentication" description="Authentication Settings">
             <field>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index ce89728cc..2e5fca510 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -399,6 +399,9 @@
                     <default>60</default>
                     <Required>Y</Required>
                 </OptionsTTL>
+                <whiteList type="CSVListField">
+                    <Required>N</Required>
+                </whiteList>
             </icap>
             <authentication>
                 <method type="AuthenticationServerField">
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
index ff270d2c1..608f3c22b 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -116,6 +116,19 @@ adaptation_access request_mod deny to_localhost
 {% endif %}
 http_access deny to_localhost
 
+{% if helpers.exists('OPNsense.proxy.forward.icap.whiteList') %}
+# ACL - Whitelist - User defined (whiteList)
+{%  for element in OPNsense.proxy.forward.icap.whiteList.split(",") %}
+{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
+acl whiteList_icap url_regex {{element}}
+{%      else %}
+acl whiteList_icap url_regex {{element|replace(".","\.")}}
+{%      endif %}
+{%  endfor %}
+adaptation_access response_mod deny whiteList_icap
+adaptation_access request_mod deny whiteList_icap
+{% endif %}
+
 # Auth plugins
 include /usr/local/etc/squid/auth/*.conf