From dc0b729bacf7d8b9c510b49bf74b84abb7b264d9 Mon Sep 17 00:00:00 2001 From: Jos Schellevis Date: Fri, 24 Apr 2015 08:42:51 +0200 Subject: [PATCH] Proxy work in progress, added traffic magement and few other options. --- .../mvc/app/models/OPNsense/Proxy/Proxy.xml | 77 ++++++++++++++++ .../mvc/app/views/OPNsense/Proxy/index.volt | 69 +++++++++++++- .../templates/OPNsense/Proxy/squid.conf | 89 +++++++++++++------ 3 files changed, 206 insertions(+), 29 deletions(-) diff --git a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml index d4199c933..33816fa5d 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml @@ -35,8 +35,25 @@ Y + on + N + + Append client's IP (on) + Set forward header to unknown (off) + Do not alter forward header (transparent) + Replace all with client's IP (truncate) + + strip + N + + Strip whitespaces + Deny request + Allow whitespaces + Encode whitespaces (RFC1738) + Chop URI at first whitespace + 1 @@ -46,6 +63,66 @@ 0 N + + + + 0 + Y + + + /var/squid/cache + Y + + + 100 + 1 + "Specify a positive cache size. (number of MB's)" + Y + + + 16 + 1 + "Specify a positive number of first-level subdirectories." + Y + + + 256 + 1 + "Specify a positive number of second-level subdirectories." + Y + + + + + + 0 + Y + + + 2048 + 1 + "Specify the maximum download size. (number of KB's)" + N + + + 1024 + 1 + "Specify the maximum upload size. (number of KB's)" + N + + + 1024 + 1 + "Specify the overall bandwidth for downloads in kilobits per second." + N + + + 256 + 1 + "Specify the per host bandwidth for downloads in kilobits per second." + N + + diff --git a/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt b/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt index 437eeed50..566291330 100644 --- a/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt +++ b/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt 
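Review bot: The `forwardedForHandling` default of `on` makes Squid append each client's internal address to `X-Forwarded-For` on every upstream request, so LAN addressing is disclosed to origin servers by default; for a firewall product a default of `off` (or at least a sentence in the field's help naming the trade-off) would be safer. Squid also accepts `forwarded_for delete`, which removes the header entirely and is the usual choice when it must not reach the origin at all, but the option list stops at `on`/`off`/`transparent`/`truncate`. The `directory` field (`/var/squid/cache`) is rendered unquoted into `cache_dir` by the template, so it should be constrained to a plain absolute path without whitespace or newlines — the field's validator is not visible in this rendering of the patch, so I cannot tell whether that is already the case.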
@@ -234,19 +234,80 @@ maxheight: define max height of select box, default=170px to hold 5 items replies as required by RFC2616.', 'advanced':'true' ], + ['id':'proxy.general.forwardedForHandling', + 'label':'X-Forwarded for header handling', + 'type':'dropdown', + 'help':'Select what to do with X-Forwarded for header.', + 'advanced':'true' + ], ['id': 'proxy.general.suppressVersion', 'label':'Suppress version string', 'type':'checkbox', 'help':'Suppress Squid version string info in HTTP headers and HTML error pages.', 'advanced':'true' + ], + ['id':'proxy.general.uriWhitespaceHandling', + 'label':'Whitespace handling of URI', + 'type':'dropdown', + 'help':'Select what to do with URI that contain whitespaces.
+
NOTE: the current Squid implementation of encode and chop violates + RFC2616 by not using a 301 redirect after altering the URL.
', + 'advanced':'true' ]} ], - [ 'proxy-general-cache','Local Cache Settings', - {['id': 'proxy.general.enabled', - 'label':'Enable proxy', + [ 'proxy-general-cache-local','Local Cache Settings', + {['id': 'proxy.general.cache.local.enabled', + 'label':'Enable local cache.', 'type':'checkbox', - 'help':'Enable or disable the proxy service.' + 'help':'Enable or disable the local cache.
+ Curently only ufs directory cache type is supported.
+ Do not enable on embedded systems with SD or CF cards as this may break your drive.' + ], + ['id': 'proxy.general.cache.local.size', + 'label':'Cache size in Megabytes', + 'type':'text', + 'help':'Enter the storage size for the local cache (default is 100).', + 'advanced':'true' + ], + ['id': 'proxy.general.cache.local.l1', + 'label':'Number of first-level subdirectories', + 'type':'text', + 'help':'Enter the number of first-level subdirectories for the local cache (default is 16).', + 'advanced':'true' + ], + ['id': 'proxy.general.cache.local.l2', + 'label':'Number of second-level subdirectories', + 'type':'text', + 'help':'Enter the number of first-level subdirectories for the local cache (default is 256).', + 'advanced':'true' ]} + ], + [ 'proxy-general-traffic','Traffic Management Settings', + {['id': 'proxy.general.traffic.enabled', + 'label':'Enable traffic management.', + 'type':'checkbox', + 'help':'Enable or disable traffic management.' + ], + ['id': 'proxy.general.traffic.maxDownloadSize', + 'label':'Maximum download size (Kb)', + 'type':'text', + 'help':'Enter the maxium size for downloads in kilobytes (leave empty to disable).' + ], + ['id': 'proxy.general.traffic.maxUploadSize', + 'label':'Maximum upload size (Kb)', + 'type':'text', + 'help':'Enter the maxium size for uploads in kilobytes (leave empty to disable).' + ], + ['id': 'proxy.general.traffic.OverallBandwidthTrotteling', + 'label':'Overall bandwidth throtteling (Kbps)', + 'type':'text', + 'help':'Enter the allowed overall bandtwith in kilobits per second (leave empty to disable).' + ], + ['id': 'proxy.general.traffic.perHostTrotteling', + 'label':'Per host bandwidth throtteling (Kbps)', + 'type':'text', + 'help':'Enter the allowed per host bandtwith in kilobits per second (leave empty to disable).' + ]} ]} ], ['proxy-forward','Forward Proxy','subtabs': { 
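Review bot: The help text for `proxy.general.cache.local.l2` reads `Enter the number of first-level subdirectories for the local cache (default is 256).` — it was copied from `l1` and should say `second-level`. The labels `Maximum download size (Kb)` and `Maximum upload size (Kb)` use the kilobit abbreviation for values the help text calls kilobytes and the template emits as `KB`; `(KB)` avoids the confusion, especially next to the throttling fields that really are in kilobits per second. Several user-visible strings carry typos (`Curently`, `maxium`, `bandtwith`, `throtteling`). The X-Forwarded-For help could also state that `on` and `truncate` disclose internal client addresses to upstream servers, since that is the security-relevant part of the choice. The form definition this hunk edits starts before and continues after the hunk.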
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index fbb2503f1..763493782 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -8,7 +8,6 @@
 {% for intf_key,intf_item in interfaces.iteritems() %}
 {% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
 http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}tproxy{% endif %}
-
 {% endif %}
 {% endfor %}
 {# virtual ip's #}
@@ -25,25 +24,26 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
 # Rules allowing access from your local networks.
 # Generated list of (internal) IP networks from where browsing
 # should be allowed. (Allow interface subnets).
-{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
-{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
-{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
-{% for intf_key,intf_item in interfaces.iteritems() %}
-{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
+{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
+{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
+{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
+{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
+{% for intf_key,intf_item in interfaces.iteritems() %}
+{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
 acl localnet src {{intf_item.ipaddr}}/{{intf_item.subnet}} # Possible internal network
-{% endif %}
-{% endfor %}
-{% if helpers.exists('virtualip') %}
-{% for intf_key,intf_item in virtualip.iteritems() %}
-{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
-acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
 {% endif %}
 {% endfor %}
+{% if helpers.exists('virtualip') %}
+{% for intf_key,intf_item in virtualip.iteritems() %}
+{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
+acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
 {% endif %}
-{% endfor %}
 {% endif %}
 {% endif %}
-
 # Default allow for local-link and private networks
 acl localnet src fc00::/7 # RFC 4193 local private network range
 acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
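Review bot: The virtual-IP line `acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}}` puts the same field on both sides of the slash, so the generated ACL is `address/address` instead of `address/prefix`; Squid rejects such a config, which means the proxy stops starting as soon as an IP alias exists on a selected interface. The interface branch a few lines up uses `{{intf_item.ipaddr}}/{{intf_item.subnet}}`, and for an ipalias entry the mask is presumably kept in a separate field (`subnet_bits` in the OPNsense vip record — verify against the schema), so the line should read `acl localnet src {{intf_item.subnet}}/{{intf_item.subnet_bits}} # Possible internal network`. A one-line comment above the block, `# Every subnet listed here is trusted as an internal network by the access rules below`, would make the security consequence of the interface selection explicit.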
@@ -54,26 +54,26 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # ACL lists {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %} + # ACL - Allow Subnets - User defined (subnets) {% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %} acl subnets src {{network}} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %} + # ACL - Unrestricted IPs - User defined (unrestricted) {% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %} acl unrestricted src {{ip}} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %} + # ACL - Banned Hosts - User defined (bannedHosts) {% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %} acl bannedHosts src {{ip}} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %} # ALC - Whitelist - User defined (whiteList) {% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %} @@ -84,8 +84,8 @@ acl dstdomain {{element}} {% endif %} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %} + # ALC - Blacklist - User defined (blackList) {% for element in OPNsense.proxy.forward.acl.blackList.split(",") %} {% if '^' or '\\' or '$' or '[' in element %} @@ -95,15 +95,15 @@ acl blackList dstdomain {{element}} {% endif %} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.browser') %} + # ALC - Block browser/user-agent - User defined (browser) {% for element in OPNsense.proxy.forward.acl.browser.split(",") %} acl blockuseragents browser {{element}} {% endfor %} {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %} + # ALC - Block MIME types - User defined (mimetype) {% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %} acl blockmimetypes rep_mime_type {{element}} 
@@ -144,20 +144,18 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}} # ACL - Local Authorized Users - local_auth acl local_auth proxy_auth REQUIRED {% endif %} - -# ALLOW UNRESTRICTED {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %} +# ALLOW UNRESTRICTED # ACL list (Allow) unrestricted http_access allow unrestricted {% endif %} +{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %} # -{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %} # ACL list (Deny) blacklist http_access deny blackList {% endif %} - {% if helpers.exists('OPNsense.proxy.forward.acl.browser') %} # ACL list (Deny) blockuseragent @@ -218,8 +216,12 @@ http_access allow subnets # Deny all other access to this proxy http_access deny all +{% if helpers.exists('OPNsense.proxy.general.cache.local') %} +{% if OPNsense.proxy.general.cache.local.enabled == '1' %} # Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/squid/cache 100 16 256 +cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}} +{% endif %} +{% endif %} # Leave coredumps in the first cache dir coredump_dir /var/squid/cache 
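Review bot: `coredump_dir /var/squid/cache` stays hard-coded right after `cache_dir` becomes configurable, so with a non-default `OPNsense.proxy.general.cache.local.directory` the comment `# Leave coredumps in the first cache dir` is no longer true; emit `coredump_dir {{OPNsense.proxy.general.cache.local.directory}}` inside the enabled branch and keep the fixed path only as the fallback when the cache is disabled. The comment `# Uncomment and adjust the following to add a disk cache directory.` now sits above an active directive and should become something like `# Disk cache (ufs); path and sizes come from the local cache settings`. The directory value is interpolated unquoted, so a path containing whitespace or a newline would change the meaning of the generated config — acceptable only if the model restricts the field to a plain path, which this patch does not show.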
@@ -273,3 +275,40 @@ httpd_suppress_version_string on
 icp_port {{OPNsense.proxy.general.icpPort}}
 {% endif %}
 {% endif %}
+{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
+# URI hanlding with Whitespaces (default=strip)
+uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
+# X-Forwarded header handling (default=on)
+forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
+# Define max download size
+reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
+# Define max upload size
+request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
+delay_pools 1
+delay_class 1 3
+delay_access 1 allow all
+{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
+# Define PerHost and Overall Bandwith Trotteling
+delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
+{% else %}
+# Define PerHost Trotteling
+delay_parameters -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
+{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
+# Define Overall Bandwidth Trotteling
+delay_pools 1
+delay_class 1 1
+delay_access 1 allow all
+delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
+{% endif %}
+{% endif %}
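Review bot: The kilobit-to-byte conversion in every `delay_parameters` line divides before it multiplies, so `|int // 8 * 1000` truncates any rate that is not a multiple of 8 kbit/s (12 kbit/s becomes 1000 B/s instead of 1500, and 1–7 kbit/s become 0, i.e. no traffic); `|int * 125` yields the exact bytes-per-second value. The `{% else %}` branch is also malformed for a class-3 pool: `delay_parameters` needs the pool id and three rate/size pairs (aggregate, network, individual), so it should read `delay_parameters 1 -1/-1 -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int * 125}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int * 125}}`, and in the combined branch the individual bucket size is taken from `OverallBandwidthTrotteling` where `perHostTrotteling` looks intended. Squid refuses the whole configuration on a parse error, so these mistakes surface as the proxy failing to start rather than as an unthrottled proxy — worth a test with only the per-host limit set. `reply_body_max_size` may require a trailing ACL (e.g. `... KB all`) on the Squid version shipped here; verify against its `squid.conf.documented` before relying on the download limit.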