From dae2efeee144287349a737dc71a7796ef2620695 Mon Sep 17 00:00:00 2001
From: "Julio Cesar Camargo (JCC)" <julio@cloudfence.com.br>
Date: Tue, 17 Nov 2020 11:51:24 -0300
Subject: [PATCH] Add GSuite and Youtube filtering in proxy (#4425)

---
 .../app/controllers/OPNsense/Proxy/forms/main.xml | 15 +++++++++++++++
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml       | 12 ++++++++++++
 .../templates/OPNsense/Proxy/squid.acl.conf       | 11 +++++++++++
 3 files changed, 38 insertions(+)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index d789d4b82..8af93fec5 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -439,6 +439,21 @@
                 <allownew>true</allownew>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>proxy.forward.acl.googleapps</id>
+                <label>Google GSuite restricted</label>
+                <type>text</type>
+                <advanced>true</advanced>
+                <help><![CDATA[Insert here the domain that will be allowed to use Google GSuite.
+                All accounts that are not in this domain will be blocked to use it.]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.acl.youtube</id>
+                <label>YouTube Filter</label>
+                <type>dropdown</type>
+                <advanced>true</advanced>
+                <help><![CDATA[Select the Youtube filter level.]]></help>
+            </field>
             <field>
                 <id>proxy.forward.acl.safePorts</id>
                 <label>Allowed destination TCP port</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 48ec671c3..f36604348 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -394,6 +394,18 @@
                 <mimeType type="CSVListField">
                     <Required>N</Required>
                 </mimeType>
+                <googleapps type="HostnameField">
+                    <Required>N</Required>
+                    <mask>/^([a-zA-Z0-9]){0,}\.([a-zA-Z0-9].){0,}/</mask>
+                    <ValidationMessage>Please enter a valid domain name here</ValidationMessage>
+                </googleapps>
+                <youtube type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <strict>Strict</strict>
+                        <moderate>Moderate</moderate>
+                    </OptionValues>
+                </youtube>
                 <safePorts type="CSVListField">
                     <default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</default>
                     <mask>/^([ \-0-9a-zA-Z:,])*/u</mask>
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
index 405d91862..386bde00c 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -99,6 +99,17 @@ http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.fo
 
 {% endif %}
 
+# Google Suite Filter
+{% if not helpers.empty('OPNsense.proxy.forward.acl.googleapps') %}
+OPNsense.proxy.forward.acl.googleapps|default('') != '' %}
+request_header_add X-GoogApps-Allowed-Domains {{OPNsense.proxy.forward.acl.googleapps}}
+{%    endif %}
+
+# YouTube Filter
+{% if helpers.exists('OPNsense.proxy.forward.acl.youtube') and OPNsense.proxy.forward.acl.youtube|default('') != '' %}
+request_header_add YouTube-Restrict {{OPNsense.proxy.forward.acl.youtube}}
+{%    endif %}
+
 # Deny requests to certain unsafe ports
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
 {%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}