diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/squid/sg_acl.conf.tmpl | 18 | ||||
-rw-r--r-- | data/templates/squid/squid.conf.tmpl | 115 | ||||
-rw-r--r-- | data/templates/squid/squidGuard.conf.tmpl | 91 |
3 files changed, 224 insertions, 0 deletions
diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.tmpl new file mode 100644 index 000000000..cb1c3ccb0 --- /dev/null +++ b/data/templates/squid/sg_acl.conf.tmpl @@ -0,0 +1,18 @@ +### generated by service_webproxy.py ###
+dbhome {{ squidguard_db_dir }}
+
+dest {{ category }}-{{ rule }} {
+{% if list_type == 'domains' %}
+ domainlist {{ category }}/domains
+{% elif list_type == 'urls' %}
+ urllist {{ category }}/urls
+{% elif list_type == 'expressions' %}
+ expressionlist {{ category }}/expressions
+{% endif %}
+}
+
+acl {
+ default {
+ pass all
+ }
+}
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl new file mode 100644 index 000000000..8754e762d --- /dev/null +++ b/data/templates/squid/squid.conf.tmpl @@ -0,0 +1,115 @@ +### generated by service_webproxy.py ### + +acl localhost src 127.0.0.1/32 +acl to_localhost dst 127.0.0.0/8 +acl net src all +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 873 # rsync +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +{% if authentication is defined and authentication is not none %} +{% if authentication.children is defined and authentication.children is not none %} +auth_param basic children {{ authentication.children }} +{% endif %} +{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %} +auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute +{% endif %} +{% if authentication.realm is defined and authentication.realm is not none %} +auth_param basic realm "{{ authentication.realm }}" +{% endif %} +{# LDAP based Authentication #} +{% if authentication.method is defined and authentication.method is not none %} +{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %} +auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}" +{% endif %} +acl auth proxy_auth REQUIRED +http_access allow auth +{% endif %} +{% endif %} + +http_access allow manager localhost +http_access deny manager +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost +http_access allow net +http_access deny all + +{% if reply_block_mime is defined and reply_block_mime is not none %} +{% for mime_type in reply_block_mime %} +acl BLOCK_MIME rep_mime_type {{ mime_type }} +{% endfor %} +http_reply_access deny BLOCK_MIME +{% endif %} + +{% if cache_size is defined and cache_size is not none %} +{% if cache_size | int > 0 %} +cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 +{% else %} +# disabling disk cache +{% endif %} +{% endif %} +{% if mem_cache_size is defined and mem_cache_size is not none %} +cache_mem {{ mem_cache_size }} MB +{% endif %} +{% if disable_access_log is defined %} +access_log none +{% else %} +access_log /var/log/squid/access.log squid +{% endif %} + +{# by default we'll disable the store log #} +cache_store_log none + +{% if append_domain is defined and append_domain is not none %} +append_domain {{ append_domain }} +{% endif %} +{% if maximum_object_size is defined and maximum_object_size is not none %} +maximum_object_size {{ maximum_object_size }} KB +{% endif %} +{% if minimum_object_size is defined and minimum_object_size is not none %} +minimum_object_size {{ minimum_object_size }} KB +{% endif %} +{% if reply_body_max_size is defined and reply_body_max_size is not none %} +reply_body_max_size {{ reply_body_max_size }} KB +{% endif %} +{% if outgoing_address is defined and outgoing_address is not none %} +tcp_outgoing_address {{ outgoing_address }} +{% endif %} + + +{% if listen_address is defined and listen_address is not none %} +{% for address, config in listen_address.items() %} +http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }} +{% endfor %} +{% endif %} +http_port 127.0.0.1:{{ default_port }} + +{# NOT insert the client address in X-Forwarded-For header #} +forwarded_for off + +{# SquidGuard #} +{% if url_filtering is defined and url_filtering.disable is not defined %} +{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} +redirect_program /usr/bin/squidGuard -c {{ squidguard_conf }} +redirect_children 8 +redirector_bypass on +{% endif %} +{% endif %} + +{% if cache_peer is defined and cache_peer is not none %} +{% for peer, config in cache_peer.items() %} +cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} +{% endfor %} +never_direct allow all +{% endif %} diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl new file mode 100644 index 000000000..74de3a651 --- /dev/null +++ b/data/templates/squid/squidGuard.conf.tmpl @@ -0,0 +1,91 @@ +### generated by service_webproxy.py ###
+
+{% macro sg_rule(category, log, db_dir) %}
+{% set expressions = db_dir + '/' + category + '/expressions' %}
+dest {{ category }}-default {
+ domainlist {{ category }}/domains
+ urllist {{ category }}/urls
+{% if expressions | is_file %}
+ expressionlist {{ category }}/expressions
+{% endif %}
+{% if log is defined %}
+ log blacklist.log
+{% endif %}
+}
+{% endmacro %}
+
+{% if url_filtering is defined and url_filtering.disable is not defined %}
+{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
+{% set sg_config = url_filtering.squidguard %}
+{% set acl = namespace(value='local-ok-default') %}
+{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+dbhome {{ squidguard_db_dir }}
+logdir /var/log/squid
+
+rewrite safesearch {
+ s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
+ s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
+ s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
+ s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
+ s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
+ s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
+ log rewrite.log
+}
+
+{% if sg_config.local_ok is defined and sg_config.local_ok is not none %}
+{% set acl.value = acl.value + ' local-ok-default' %}
+dest local-ok-default {
+ domainlist local-ok-default/domains
+}
+{% endif %}
+{% if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %}
+{% set acl.value = acl.value + ' local-ok-url-default' %}
+dest local-ok-url-default {
+ urllist local-ok-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block is defined and sg_config.local_block is not none %}
+{% set acl.value = acl.value + ' !local-block-default' %}
+dest local-block-default {
+ domainlist local-block-default/domains
+}
+{% endif %}
+{% if sg_config.local_block_url is defined and sg_config.local_block_url is not none %}
+{% set acl.value = acl.value + ' !local-block-url-default' %}
+dest local-block-url-default {
+ urllist local-block-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %}
+{% set acl.value = acl.value + ' !local-block-keyword-default' %}
+dest local-block-keyword-default {
+ expressionlist local-block-keyword-default/expressions
+}
+{% endif %}
+
+{% if sg_config.block_category is defined and sg_config.block_category is not none %}
+{% for category in sg_config.block_category %}
+{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' !' + category + '-default' %}
+{% endfor %}
+{% endif %}
+{% if sg_config.allow_category is defined and sg_config.allow_category is not none %}
+{% for category in sg_config.allow_category %}
+{{ sg_rule(category, False, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' ' + category + '-default' %}
+{% endfor %}
+{% endif %}
+acl {
+ default {
+{% if sg_config.enable_safe_search is defined %}
+ rewrite safesearch
+{% endif %}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
+ redirect 302:http://{{ sg_config.redirect_url }}
+{% if sg_config.log is defined and sg_config.log is not none %}
+ log blacklist.log
+{% endif %}
+ }
+}
+{% endif %}
+{% endif %}
|