From ea10cdb8156fa6deed1991a7b68d82ad0255e1e7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sun, 15 Jul 2018 20:31:47 +0200
Subject: [PATCH] web proxy: guard resp/req ACL #2449
---
 .../templates/OPNsense/Proxy/squid.acl.conf | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
index 6e20bc397..6c70dc825 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -4,8 +4,12 @@
 # ALLOW UNRESTRICTED
 # ACL list (Allow) unrestricted
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow unrestricted
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow unrestricted
+{% endif %}
 {% endif %}
 http_access allow unrestricted
 {% endif %}
@@ -14,8 +18,12 @@ http_access allow unrestricted
 # ACL list (Allow) whitelist
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow whiteList
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow whiteList
+{% endif %}
 {% endif %}
 http_access allow whiteList
 {% endif %}
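Review bot: `helpers.exists('OPNsense.proxy.forward.icap.ResponseURL')` on the added guard lines only establishes that the key is present in the config tree, not that it actually holds a URL; the `icap.enable` test on the line directly above pairs `exists()` with `== '1'` for that reason, and the authentication block in the hunk at -138 pairs it with `!= ''`. If the model can render the element with an empty value (I cannot see the model or the service-definition template from here), every `adaptation_access response_mod` / `request_mod` line would still be emitted for a service that is presumably not defined, which looks like the very failure #2449 is meant to close. Tightening the guard to `{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') and OPNsense.proxy.forward.icap.ResponseURL != '' %}` (and the RequestURL twin likewise) keeps the intent and follows the file's existing idiom. The same pair of guards is repeated in every other hunk of this patch (-14 through -147), so the tightening would apply to all of them.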
@@ -25,8 +33,12 @@ http_access allow whiteList
 #
 # ACL list (Deny) blacklist
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny blackList
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny blackList
+{% endif %}
 {% endif %}
 http_access deny blackList
 {% endif %}
@@ -35,8 +47,12 @@ http_access deny blackList
 {% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
 # ACL list (Deny) remoteblacklist_{{blacklist.filename}}
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
+{% endif %}
 {% endif %}
 http_access deny remoteblacklist_{{blacklist.filename}}
 {% endfor %}
@@ -46,8 +62,12 @@ http_access deny remoteblacklist_{{blacklist.filename}}
 # ACL list (Deny) blockuseragent
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny blockuseragents
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny blockuseragents
+{% endif %}
 {% endif %}
 http_access deny blockuseragents
 {% endif %}
@@ -56,13 +76,21 @@ http_access deny blockuseragents
 # ACL list (Deny) blockmimetypes
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{% endif %}
 {% endif %}
 http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
@@ -73,36 +101,56 @@ http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.fo
 # Deny requests to certain unsafe ports
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
 {% endif %}
 http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
 # Deny CONNECT to other than secure SSL ports
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
 {% endif %}
 http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
 {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny bannedHosts
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny bannedHosts
+{% endif %}
 {% endif %}
 http_access deny bannedHosts
 {% endif %}
 # Only allow cachemgr access from localhost
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow localhost manager
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow localhost manager
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny manager
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny manager
+{% endif %}
 {% endif %}
 http_access allow localhost manager
 http_access deny manager
@@ -111,8 +159,12 @@ http_access deny manager
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny to_localhost
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny to_localhost
+{% endif %}
 {% endif %}
 http_access deny to_localhost
@@ -125,8 +177,12 @@ acl exclude_icap url_regex {{element|encode_idna}}
 acl exclude_icap url_regex {{element|encode_idna|replace(".","\.")}}
 {% endif %}
 {% endfor %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny exclude_icap
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny exclude_icap
+{% endif %}
 {% endif %}
 # Auth plugins
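Review bot: In the cachemgr block the `ResponseURL` guard is opened and closed twice in succession (once around `allow localhost manager`, again around `deny manager`), and the `RequestURL` guard likewise, so four `adaptation_access` lines end up in four separate if/endif pairs. Grouping the two `response_mod` lines under a single `{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}` and the two `request_mod` lines under a single RequestURL guard would halve the nesting; it does interleave the two services' lines differently, which should be harmless since `adaptation_access` rules are kept per service, but that is worth confirming before reordering. The blockmimetypes hunk at -56 has the same shape and would benefit from the same grouping.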
@@ -138,8 +194,12 @@ include /usr/local/etc/squid/auth/*.conf
 # Deny request from unauthorized clients
 {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow local_auth
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow local_auth
+{% endif %}
 {% endif %}
 http_access allow local_auth
 {% endif %}
@@ -147,30 +207,46 @@ http_access allow local_auth
 #
 # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow localnet
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow localnet
+{% endif %}
 {% endif %}
 http_access allow localnet
 # ACL - localhost
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow localhost
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow localhost
+{% endif %}
 {% endif %}
 http_access allow localhost
 {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
 # ACL list (Allow) subnets
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod allow subnets
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod allow subnets
 {% endif %}
+{% endif %}
 http_access allow subnets
 {% endif %}
 # Deny all other access to this proxy
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny all
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
 adaptation_access request_mod deny all
+{% endif %}
 {% endif %}
 http_access deny all
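Review bot: In the subnets block the new closing tag is placed after the pre-existing one (`adaptation_access request_mod allow subnets`, then the context `{% endif %}`, then `+{% endif %}`), whereas every other block in this patch closes the new RequestURL guard first and the `icap.enable` guard second. Both are bare endifs so the rendered output is the same, but the reversed order reads as if the `icap.enable` block ends inside the RequestURL guard; moving `+{% endif %}` directly after the `adaptation_access request_mod allow subnets` line restores the pattern used everywhere else. More generally, this patch now repeats the same six-line ResponseURL/RequestURL guard pair in every ACL block of the template, so a small Jinja macro taking the action and ACL name would keep future changes to the guard condition in one place.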