web proxy: guard resp/req ACL #2449

Franco Fichtner 2018-07-15 20:31:47 +02:00
parent d8c6c21f11
commit ea10cdb815


@ -4,8 +4,12 @@
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow unrestricted
{% endif %}
{% endif %}
http_access allow unrestricted
{% endif %}
@ -14,8 +18,12 @@ http_access allow unrestricted
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow whiteList
{% endif %}
{% endif %}
http_access allow whiteList
{% endif %}
@ -25,8 +33,12 @@ http_access allow whiteList
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blackList
{% endif %}
{% endif %}
http_access deny blackList
{% endif %}
@ -35,8 +47,12 @@ http_access deny blackList
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
@ -46,8 +62,12 @@ http_access deny remoteblacklist_{{blacklist.filename}}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockuseragents
{% endif %}
{% endif %}
http_access deny blockuseragents
{% endif %}
@ -56,13 +76,21 @@ http_access deny blockuseragents
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
@ -73,36 +101,56 @@ http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.fo
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny bannedHosts
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny bannedHosts
{% endif %}
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow localhost manager
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow localhost manager
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny manager
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny manager
{% endif %}
{% endif %}
http_access allow localhost manager
http_access deny manager
@ -111,8 +159,12 @@ http_access deny manager
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny to_localhost
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny to_localhost
{% endif %}
{% endif %}
http_access deny to_localhost
@ -125,8 +177,12 @@ acl exclude_icap url_regex {{element|encode_idna}}
acl exclude_icap url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny exclude_icap
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny exclude_icap
{% endif %}
{% endif %}
# Auth plugins
@ -138,8 +194,12 @@ include /usr/local/etc/squid/auth/*.conf
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow local_auth
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow local_auth
{% endif %}
{% endif %}
http_access allow local_auth
{% endif %}
@ -147,30 +207,46 @@ http_access allow local_auth
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow localnet
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow localnet
{% endif %}
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow localhost
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow localhost
{% endif %}
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod allow subnets
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod allow subnets
{% endif %}
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
adaptation_access response_mod deny all
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
adaptation_access request_mod deny all
{% endif %}
{% endif %}
http_access deny all