Proxy work in progress, added traffic magement and few other options.
This commit is contained in:
parent
a97af9329b
commit
dc0b729bac
@ -35,8 +35,25 @@
|
||||
<Required>Y</Required>
|
||||
</dnsV4First>
|
||||
<forwardedForHandling type="OptionField">
|
||||
<default>on</default>
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<on>Append client's IP (on)</on>
|
||||
<off>Set forward header to unknown (off)</off>
|
||||
<transparent>Do not alter forward header (transparent)</transparent>
|
||||
<truncate>Replace all with client's IP (truncate)</truncate>
|
||||
</OptionValues>
|
||||
</forwardedForHandling>
|
||||
<uriWhitespaceHandling type="OptionField">
|
||||
<default>strip</default>
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<strip>Strip whitespaces</strip>
|
||||
<deny>Deny request</deny>
|
||||
<allow>Allow whitespaces</allow>
|
||||
<encode>Encode whitespaces (RFC1738)</encode>
|
||||
<chop>Chop URI at first whitespace</chop>
|
||||
</OptionValues>
|
||||
</uriWhitespaceHandling>
|
||||
<useViaHeader type="BooleanField">
|
||||
<default>1</default>
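Review bot: The `forwardedForHandling` default of `on` ("Append client's IP") makes Squid add the client address to X-Forwarded-For on every upstream request, which for a LAN-facing forward proxy discloses internal (typically RFC1918) client addresses to every origin server; that trade-off should be stated next to the field, e.g. in its help text: `Append (on) discloses internal client IPs to remote servers; use off or transparent if that is not wanted.`. Recent Squid releases also accept `delete` for this directive, which removes the header entirely and is the strictest choice for privacy — worth adding as an option if the bundled Squid supports it. For `uriWhitespaceHandling`, `allow` leaves raw whitespace in the request line, which (to my recollection of the Squid documentation) is non-compliant with RFC 2616 and the least safe of the five; the help text should flag it, with `deny` named as the strict alternative.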
|
||||
@ -46,6 +63,66 @@
|
||||
<default>0</default>
|
||||
<Required>N</Required>
|
||||
</suppressVersion>
|
||||
<cache>
|
||||
<local>
|
||||
<enabled type="BooleanField">
|
||||
<default>0</default>
|
||||
<Required>Y</Required>
|
||||
</enabled>
|
||||
<directory type="TextField">
|
||||
<default>/var/squid/cache</default>
|
||||
<Required>Y</Required>
|
||||
</directory>
|
||||
<size type="IntegerField">
|
||||
<default>100</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify a positive cache size. (number of MB's)"</ValidationMessage>
|
||||
<Required>Y</Required>
|
||||
</size>
|
||||
<l1 type="IntegerField">
|
||||
<default>16</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify a positive number of first-level subdirectories."</ValidationMessage>
|
||||
<Required>Y</Required>
|
||||
</l1>
|
||||
<l2 type="IntegerField">
|
||||
<default>256</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify a positive number of second-level subdirectories."</ValidationMessage>
|
||||
<Required>Y</Required>
|
||||
</l2>
|
||||
</local>
|
||||
</cache>
|
||||
<traffic>
|
||||
<enabled type="BooleanField">
|
||||
<default>0</default>
|
||||
<Required>Y</Required>
|
||||
</enabled>
|
||||
<maxDownloadSize type="IntegerField">
|
||||
<default>2048</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify the maximum download size. (number of KB's)"</ValidationMessage>
|
||||
<Required>N</Required>
|
||||
</maxDownloadSize>
|
||||
<maxUploadSize type="IntegerField">
|
||||
<default>1024</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify the maximum upload size. (number of KB's)"</ValidationMessage>
|
||||
<Required>N</Required>
|
||||
</maxUploadSize>
|
||||
<OverallBandwidthTrotteling type="IntegerField">
|
||||
<default>1024</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify the overall bandwidth for downloads in kilobits per second."</ValidationMessage>
|
||||
<Required>N</Required>
|
||||
</OverallBandwidthTrotteling>
|
||||
<perHostTrotteling type="IntegerField">
|
||||
<default>256</default>
|
||||
<MinimumValue>1</MinimumValue>
|
||||
<ValidationMessage>"Specify the per host bandwidth for downloads in kilobits per second."</ValidationMessage>
|
||||
<Required>N</Required>
|
||||
</perHostTrotteling>
|
||||
</traffic>
|
||||
</general>
|
||||
<forward>
|
||||
<interfaces type="CSVListField">
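Review bot: `cache.local.directory` is a plain `TextField` with no constraint, and the template hunk later interpolates it verbatim into `cache_dir ufs {{…directory}} {{…size}} {{…l1}} {{…l2}}`, so a value containing whitespace shifts the size/l1/l2 arguments and a newline would start a new directive; since this value travels from the web UI into squid.conf it should be restricted at the model to an absolute path without whitespace (an OPNsense-style `<mask>` regex along the lines of `^/[^\s]+$`, if that mechanism is available for this field type). The node names `OverallBandwidthTrotteling` and `perHostTrotteling` carry a misspelling of "throttling" and the first mixes UpperCamel with the lowerCamel used by every sibling; these become persistent config.xml keys, so rename them (`overallBandwidthThrottling`, `perHostBandwidthThrottling`) before the first release. The traffic fields are `Required N` while the form promises "leave empty to disable", yet the template emits `reply_body_max_size {{…}} KB` whenever the node exists; unless `helpers.exists` treats an empty node as absent, an emptied field renders an invalid directive — verify, and either check for a non-empty value in the template or make the fields required.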
|
||||
|
||||
@ -234,19 +234,80 @@ maxheight: define max height of select box, default=170px to hold 5 items
|
||||
replies as required by RFC2616.',
|
||||
'advanced':'true'
|
||||
],
|
||||
['id':'proxy.general.forwardedForHandling',
|
||||
'label':'X-Forwarded for header handling',
|
||||
'type':'dropdown',
|
||||
'help':'Select what to do with X-Forwarded for header.',
|
||||
'advanced':'true'
|
||||
],
|
||||
['id': 'proxy.general.suppressVersion',
|
||||
'label':'Suppress version string',
|
||||
'type':'checkbox',
|
||||
'help':'Suppress Squid version string info in HTTP headers and HTML error pages.',
|
||||
'advanced':'true'
|
||||
],
|
||||
['id':'proxy.general.uriWhitespaceHandling',
|
||||
'label':'Whitespace handling of URI',
|
||||
'type':'dropdown',
|
||||
'help':'Select what to do with URI that contain whitespaces.<br/>
|
||||
<div class="text-info"><b>NOTE:</b> the current Squid implementation of encode and chop violates
|
||||
RFC2616 by not using a 301 redirect after altering the URL.</div>',
|
||||
'advanced':'true'
|
||||
]}
|
||||
],
|
||||
[ 'proxy-general-cache','Local Cache Settings',
|
||||
{['id': 'proxy.general.enabled',
|
||||
'label':'Enable proxy',
|
||||
[ 'proxy-general-cache-local','Local Cache Settings',
|
||||
{['id': 'proxy.general.cache.local.enabled',
|
||||
'label':'Enable local cache.',
|
||||
'type':'checkbox',
|
||||
'help':'Enable or disable the proxy service.'
|
||||
'help':'Enable or disable the local cache.<br/>
|
||||
Curently only ufs directory cache type is supported.<br/>
|
||||
<b class="text-danger">Do not enable on embedded systems with SD or CF cards as this may break your drive.</b>'
|
||||
],
|
||||
['id': 'proxy.general.cache.local.size',
|
||||
'label':'Cache size in Megabytes',
|
||||
'type':'text',
|
||||
'help':'Enter the storage size for the local cache (default is 100).',
|
||||
'advanced':'true'
|
||||
],
|
||||
['id': 'proxy.general.cache.local.l1',
|
||||
'label':'Number of first-level subdirectories',
|
||||
'type':'text',
|
||||
'help':'Enter the number of first-level subdirectories for the local cache (default is 16).',
|
||||
'advanced':'true'
|
||||
],
|
||||
['id': 'proxy.general.cache.local.l2',
|
||||
'label':'Number of second-level subdirectories',
|
||||
'type':'text',
|
||||
'help':'Enter the number of first-level subdirectories for the local cache (default is 256).',
|
||||
'advanced':'true'
|
||||
]}
|
||||
],
|
||||
[ 'proxy-general-traffic','Traffic Management Settings',
|
||||
{['id': 'proxy.general.traffic.enabled',
|
||||
'label':'Enable traffic management.',
|
||||
'type':'checkbox',
|
||||
'help':'Enable or disable traffic management.'
|
||||
],
|
||||
['id': 'proxy.general.traffic.maxDownloadSize',
|
||||
'label':'Maximum download size (Kb)',
|
||||
'type':'text',
|
||||
'help':'Enter the maxium size for downloads in kilobytes (leave empty to disable).'
|
||||
],
|
||||
['id': 'proxy.general.traffic.maxUploadSize',
|
||||
'label':'Maximum upload size (Kb)',
|
||||
'type':'text',
|
||||
'help':'Enter the maxium size for uploads in kilobytes (leave empty to disable).'
|
||||
],
|
||||
['id': 'proxy.general.traffic.OverallBandwidthTrotteling',
|
||||
'label':'Overall bandwidth throtteling (Kbps)',
|
||||
'type':'text',
|
||||
'help':'Enter the allowed overall bandtwith in kilobits per second (leave empty to disable).'
|
||||
],
|
||||
['id': 'proxy.general.traffic.perHostTrotteling',
|
||||
'label':'Per host bandwidth throtteling (Kbps)',
|
||||
'type':'text',
|
||||
'help':'Enter the allowed per host bandtwith in kilobits per second (leave empty to disable).'
|
||||
]}
|
||||
]}
|
||||
],
|
||||
['proxy-forward','Forward Proxy','subtabs': {
|
||||
|
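Review bot: The help for `proxy.general.cache.local.l2` says "Enter the number of first-level subdirectories", a copy of the l1 text; it should read `Enter the number of second-level subdirectories for the local cache (default is 256).`. The size-limit labels say "(Kb)" while their help says kilobytes: "Kb" conventionally means kilobits, which is exactly the unit the neighbouring bandwidth fields use, so label them `Maximum download size (KB)` and `Maximum upload size (KB)` to remove the ambiguity. Several help strings also carry typos ("Curently", "maxium", "bandtwith", "throtteling").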
||||
@ -8,7 +8,6 @@
|
||||
{% for intf_key,intf_item in interfaces.iteritems() %}
|
||||
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
|
||||
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}tproxy{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{# virtual ip's #}
|
||||
@ -25,25 +24,26 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
|
||||
# Rules allowing access from your local networks.
|
||||
# Generated list of (internal) IP networks from where browsing
|
||||
# should be allowed. (Allow interface subnets).
|
||||
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
|
||||
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
|
||||
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
|
||||
{% for intf_key,intf_item in interfaces.iteritems() %}
|
||||
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
|
||||
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
|
||||
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
|
||||
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
|
||||
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
|
||||
{% for intf_key,intf_item in interfaces.iteritems() %}
|
||||
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
|
||||
acl localnet src {{intf_item.ipaddr}}/{{intf_item.subnet}} # Possible internal network
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% if helpers.exists('virtualip') %}
|
||||
{% for intf_key,intf_item in virtualip.iteritems() %}
|
||||
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
|
||||
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% if helpers.exists('virtualip') %}
|
||||
{% for intf_key,intf_item in virtualip.iteritems() %}
|
||||
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
|
||||
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# Default allow for local-link and private networks
|
||||
acl localnet src fc00::/7 # RFC 4193 local private network range
|
||||
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
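Review bot: Inside the new `helpers.exists('OPNsense.proxy.forward.interfaces')` guard, the virtual-IP branch still emits `acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}}`, i.e. the same field on both sides of the slash; the interface branch uses `ipaddr/subnet`, so a `subnet` field that holds an address yields `a.b.c.d/a.b.c.d` and one that holds a prefix length yields `24/24`, neither of which is a valid source network. Because `localnet` presumably feeds an `http_access allow` rule further down, a malformed line either stops Squid from loading the config or matches something other than the alias network — verify against the virtualip schema (the prefix length is likely a separate field) and use that for the right-hand side. These lines are unchanged by this commit but sit on its new side.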
|
||||
@ -54,26 +54,26 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
|
||||
|
||||
# ACL lists
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
|
||||
|
||||
# ACL - Allow Subnets - User defined (subnets)
|
||||
{% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
|
||||
acl subnets src {{network}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
|
||||
|
||||
# ACL - Unrestricted IPs - User defined (unrestricted)
|
||||
{% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
|
||||
acl unrestricted src {{ip}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
|
||||
|
||||
# ACL - Banned Hosts - User defined (bannedHosts)
|
||||
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
|
||||
acl bannedHosts src {{ip}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
|
||||
# ALC - Whitelist - User defined (whiteList)
|
||||
{% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
|
||||
@ -84,8 +84,8 @@ acl dstdomain {{element}}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
|
||||
|
||||
# ALC - Blacklist - User defined (blackList)
|
||||
{% for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
|
||||
{% if '^' or '\\' or '$' or '[' in element %}
|
||||
@ -95,15 +95,15 @@ acl blackList dstdomain {{element}}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
|
||||
|
||||
# ALC - Block browser/user-agent - User defined (browser)
|
||||
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
|
||||
acl blockuseragents browser {{element}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
|
||||
|
||||
# ALC - Block MIME types - User defined (mimetype)
|
||||
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
|
||||
acl blockmimetypes rep_mime_type {{element}}
|
||||
@ -144,20 +144,18 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
|
||||
# ACL - Local Authorized Users - local_auth
|
||||
acl local_auth proxy_auth REQUIRED
|
||||
{% endif %}
|
||||
|
||||
# ALLOW UNRESTRICTED
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
|
||||
|
||||
# ALLOW UNRESTRICTED
|
||||
# ACL list (Allow) unrestricted
|
||||
http_access allow unrestricted
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
|
||||
|
||||
#
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
|
||||
# ACL list (Deny) blacklist
|
||||
http_access deny blackList
|
||||
{% endif %}
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
|
||||
|
||||
# ACL list (Deny) blockuseragent
|
||||
@ -218,8 +216,12 @@ http_access allow subnets
|
||||
# Deny all other access to this proxy
|
||||
http_access deny all
|
||||
|
||||
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
|
||||
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
|
||||
# Uncomment and adjust the following to add a disk cache directory.
|
||||
#cache_dir ufs /var/squid/cache 100 16 256
|
||||
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# Leave coredumps in the first cache dir
|
||||
coredump_dir /var/squid/cache
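Review bot: `coredump_dir /var/squid/cache` stays hard-coded while `cache_dir` now takes `OPNsense.proxy.general.cache.local.directory`, so the comment "Leave coredumps in the first cache dir" is wrong as soon as an operator picks another directory; either emit `coredump_dir {{OPNsense.proxy.general.cache.local.directory}}` inside the enabled block (keeping the literal as the fallback) or drop the claim from the comment. The stock squid.conf leftovers (`# Uncomment and adjust the following …` and the commented `#cache_dir ufs /var/squid/cache 100 16 256`) are misleading in a generated file and should go. Nothing in the diff creates the directory or runs `squid -z` to build the l1/l2 layout; if the service script does not do that, Squid will most likely refuse to start with the cache enabled — worth confirming.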
|
||||
@ -273,3 +275,40 @@ httpd_suppress_version_string on
|
||||
icp_port {{OPNsense.proxy.general.icpPort}}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
|
||||
# URI hanlding with Whitespaces (default=strip)
|
||||
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
|
||||
# X-Forwarded header handling (default=on)
|
||||
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
|
||||
# Define max download size
|
||||
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
|
||||
# Define max upload size
|
||||
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
|
||||
delay_pools 1
|
||||
delay_class 1 3
|
||||
delay_access 1 allow all
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
|
||||
# Define PerHost and Overall Bandwith Trotteling
|
||||
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
|
||||
{% else %}
|
||||
# Define PerHost Trotteling
|
||||
delay_parameters -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
|
||||
# Define Overall Bandwidth Trotteling
|
||||
delay_pools 1
|
||||
delay_class 1 1
|
||||
delay_access 1 allow all
|
||||
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
|
||||
{% endif %}
|
||||
{% endif %}
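Review bot: In the per-host-only branch, `delay_parameters -1/-1 {{…}}/{{…}}` omits the pool number that the other branches pass and gives two bucket pairs to a pool declared `delay_class 1 3`, which takes three (aggregate, network, individual), so the enabled-but-no-overall-limit case renders a line Squid will not parse as intended; it should read `delay_parameters 1 -1/-1 -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int * 125}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int * 125}}`. In the combined branch the individual bucket is written as `perHost/Overall`, i.e. the per-host maximum is taken from the overall field — that looks like a copy-paste slip and presumably should use the per-host value on both sides. `|int // 8 * 1000` floors kbit/s to whole kilobytes before scaling, whereas `|int * 125` is the exact bytes-per-second conversion. The form says "leave empty to disable" but every branch keys on `helpers.exists`, and `''|int` renders as 0, so an emptied field would produce `0/0` buckets rather than no limit — unless `helpers.exists` is false for empty nodes, guard on the value as well.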
|
||||
|
||||