(proxy) add transparant proxy option to squid including a template for the firewall_nat rules to forward traffic to it

2026-03-15 17:14:46 +00:00 · 2015-07-30 16:30:21 +00:00 · 2015-07-30 16:30:21 +00:00 · dfe12a46d7
commit dfe12a46d7
parent 7c806d0432
5 changed files with 44 additions and 10 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@ -179,14 +179,17 @@
                <type>text</type>
                <help><![CDATA[The port the proxy service will listen to.]]></help>
            </field>
-            <!--
            <field>
                    <id>proxy.forward.transparentMode</id>
                    <label>Enable Transparent HTTP proxy</label>
                    <type>checkbox</type>
-                    <help><![CDATA[Enable transparent proxy mode to forward all requests for destination port 80 to the proxy server without any additional configuration.]]></help>
+                    <help><![CDATA[
+                    	Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server. 
+                    	You may leave the proxy interfaces empty, but remember to set a valid ACL in that case. 
+                    	<br/>
+                    	<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
+                    ]]></help>
            </field>
-            -->
            <field>
                <id>proxy.forward.addACLforInterfaceSubnets</id>
                <label>Allow interface subnets</label>
--- a/src/opnsense/scripts/proxy/setup.sh
+++ b/src/opnsense/scripts/proxy/setup.sh
@ -7,5 +7,5 @@ for SQUID_DIR in ${SQUID_DIRS}; do
 	chown -R squid:squid ${SQUID_DIR}
 	chmod -R 750 ${SQUID_DIR}
 done
-
+/usr/sbin/pw groupmod proxy -m squid
 /usr/local/sbin/squid -z
--- a/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
+++ b/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
@ -1 +1,4 @@
 squid_enable={% if OPNsense.proxy.general.enabled|default("0") == "1" %}YES{% else %}NO{% endif %}
+
+squid_opnsense_bootup_run="/usr/local/opnsense/scripts/proxy/setup.sh"
+
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@ -3,11 +3,16 @@
 # Do not edit this file manually.

 # setup listen configuration
+{%if OPNsense.proxy.forward.transparentMode == '1' %}
+# transparant mode, listen on localhost
+http_port 127.0.0.1:{{  OPNsense.proxy.forward.port }} intercept
+{% endif %}
+
 {% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
 {%   for interface in OPNsense.proxy.forward.interfaces.split(",") %}
 {%      for intf_key,intf_item in interfaces.iteritems() %}
 {%          if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
-http_port {{intf_item.ipaddr}}:{{  OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}intercept{% endif %}
+http_port {{intf_item.ipaddr}}:{{  OPNsense.proxy.forward.port }} 

 {%          endif %}
 {%      endfor %}
@ -15,7 +20,7 @@ http_port {{intf_item.ipaddr}}:{{  OPNsense.proxy.forward.port }} {%if OPNsense.
 {%      if helpers.exists('virtualip') %}
 {%          for intf_key,intf_item in virtualip.iteritems() %}
 {%              if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
-http_port {{intf_item.subnet}}:{{  OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}intercept{% endif %}
+http_port {{intf_item.subnet}}:{{  OPNsense.proxy.forward.port }}

 {%              endif %}
 {%          endfor %}
--- a/src/www/firewall_nat_edit.php
+++ b/src/www/firewall_nat_edit.php
@ -155,10 +155,33 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 		if (!$pconfig['interface'])
 			$pconfig['interface'] = "wan";
 	} else {
-		$pconfig['interface'] = "wan";
-		$pconfig['src'] = "any";
-		$pconfig['srcbeginport'] = "any";
-		$pconfig['srcendport'] = "any";
+		if (isset($_GET['template']) && $_GET['template'] == 'transparant_proxy') {
+			// new rule for transparant proxy reflection, to use as sample
+			$pconfig['interface'] = "lan";
+			$pconfig['src'] = "lan";
+			$pconfig['srcbeginport'] = 'any';
+			$pconfig['srcendport'] = 'any';
+			$pconfig['dst'] = "any";
+			$pconfig['dstbeginport'] = 80 ;
+			$pconfig['dstendport'] = 80 ;
+			$pconfig['localip'] = '127.0.0.1';
+			// try to read the proxy configuration to determine the current port
+			// this has some disadvantages in case of dependencies, but there isn't
+			// a much better solution available at the moment.
+			if (isset($config['OPNsense']['proxy']['forward']['port'])) {
+				$pconfig['localbeginport'] = $config['OPNsense']['proxy']['forward']['port'];
+			} else {
+				$pconfig['localbeginport'] = 3128;
+			}
+			$pconfig['natreflection'] = 'enable';
+			$pconfig['descr'] = "redirect traffic to proxy";
+
+		} else {
+			$pconfig['interface'] = "wan";
+			$pconfig['src'] = "any";
+			$pconfig['srcbeginport'] = "any";
+			$pconfig['srcendport'] = "any";
+		}
 	}

 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {