From a8a019c4f318ba6ad2f83b9b4f605de3830c7b28 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sat, 12 Dec 2020 14:03:54 +0100
Subject: webproxy: T563: migrate from old Perl code to XML and get_config_dict()
Basic proxy functionality is working but the squidguard smoketest still fails as this is yet not implemented.
---
 data/templates/squid/squid.conf.tmpl | 128 +++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 data/templates/squid/squid.conf.tmpl
(limited to 'data')
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl
new file mode 100644
index 000000000..1876146dd
--- /dev/null
+++ b/data/templates/squid/squid.conf.tmpl
@@ -0,0 +1,128 @@
+### generated by service_webproxy.py ###
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl net src all
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+{% if authentication is defined and authentication is not none %}
+{% if authentication.children is defined and authentication.children is not none %}
+auth_param basic children {{ authentication.children }}
+{% endif %}
+{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %}
+auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
+{% endif %}
+{% if authentication.realm is defined and authentication.realm is not none %}
+auth_param basic realm "{{ authentication.realm }}"
+{% endif %}
+{# LDAP based Authentication #}
+{% if authentication.method is defined and authentication.method is not none %}
+{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %}
+auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is 
defined }} -R -h "{{ authentication.ldap.server }}"
+{% endif %}
+acl auth proxy_auth REQUIRED
+http_access allow auth
+{% endif %}
+{% endif %}
+
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access allow net
+http_access deny all
+
+{% if reply_block_mime is defined and reply_block_mime is not none %}
+{% for mime_type in reply_block_mime %}
+acl BLOCK_MIME rep_mime_type {{ mime_type }}
+{% endfor %}
+http_reply_access deny BLOCK_MIME
+{% endif %}
+
+{% if cache_size is defined and cache_size is not none %}
+{% if cache_size | int > 0 %}
+cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
+{% else %}
+# disabling disk cache
+{% endif %}
+{% endif %}
+{% if mem_cache_size is defined and mem_cache_size is not none %}
+cache_mem {{ mem_cache_size }} MB
+{% endif %}
+{% if disable_access_log is defined %}
+access_log none
+{% else %}
+access_log /var/log/squid/access.log squid
+{% endif %}
+
+{# by default we'll disable the store log #}
+cache_store_log none
+
+{% if append_domain is defined and append_domain is not none %}
+append_domain {{ append_domain }}
+{% endif %}
+{% if maximum_object_size is defined and maximum_object_size is not none %}
+maximum_object_size {{ maximum_object_size }} KB
+{% endif %}
+{% if minimum_object_size is defined and minimum_object_size is not none %}
+minimum_object_size {{ minimum_object_size }} KB
+{% endif %}
+{% if reply_body_max_size is defined and reply_body_max_size is not none %}
+reply_body_max_size {{ reply_body_max_size }} KB
+{% endif %}
+{% if outgoing_address is defined and outgoing_address is not none %}
+tcp_outgoing_address {{ outgoing_address }}
+{% endif %}
+
+
+{% if listen_address is defined and listen_address is not none %}
+{% for address, config in listen_address.items() %}
+http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if 
config.disable_transparent is not defined }}
+{% endfor %}
+{% endif %}
+http_port 127.0.0.1:{{ default_port }}
+
+{# NOT insert the client address in X-Forwarded-For header #}
+forwarded_for off
+
+{% if cache_peer is defined and cache_peer is not none %}
+{% for peer, config in cache_peer.items() %}
+{% if not 'type' in webproxy['cache-peer'][peer] %}
+{% set p_type = "parent" %}
+{% else %}
+{% set p_type = webproxy['cache-peer'][peer]['type'] %}
+{% endif %}
+
+{% if not 'http-port' in webproxy['cache-peer'][peer] %}
+{% set p_http_port = 3128 %}
+{% else %}
+{% set p_http_port = webproxy['cache-peer'][peer]['http-port'] %}
+{% endif %}
+
+{% if not 'icp-port' in webproxy['cache-peer'][peer] %}
+{% set p_icp_port = 0 %}
+{% else %}
+{% set p_icp_port = webproxy['cache-peer'][peer]['icp-port'] %}
+{% endif %}
+
+{% if not 'options' in webproxy['cache-peer'][peer] %}
+{% set p_options = "no-query default" %}
+{% else %}
+{% set p_options = webproxy['cache-peer'][peer]['options'] %}
+{% endif %}
+cache_peer {{ config.address }} {{p_type}} {{p_http_port}} {{p_icp_port}} {{p_options}}
+{% endfor %}
+{% endif %}
-- cgit v1.2.3
From e7649f9cf4f6beda6adb50998db3e57964bd5010 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 14 Dec 2020 16:47:37 +0100
Subject: webproxy: T563: improve handling of cache-peers
---
 data/templates/squid/squid.conf.tmpl | 26 +-
 .../include/webproxy-squidguard.xml.i | 115 ++++
 interface-definitions/service-webproxy.xml.in | 533 -----------------
 interface-definitions/service_webproxy.xml.in | 641 +++++++++++++++++++++
 src/conf_mode/service_webproxy.py | 17 +-
 5 files changed, 774 insertions(+), 558 deletions(-)
 create mode 100644 interface-definitions/include/webproxy-squidguard.xml.i
 delete mode 100644 interface-definitions/service-webproxy.xml.in
 create mode 100644 interface-definitions/service_webproxy.xml.in
(limited to 'data')
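Review bot: `http_access allow net` (backed by `acl net src all`) follows `http_access allow auth`, so when LDAP authentication is configured a client that sends no credentials is still admitted by the `net` rule and the `proxy_auth REQUIRED` ACL is never enforced — as far as the rule order in this hunk shows, the authentication block only ever adds an allow and no deny. Fail closed instead: emit `http_access deny !auth` inside the authentication block (Squid then answers unauthenticated requests with a 407 challenge), or make `http_access allow net` conditional on authentication being absent, e.g. `{% if authentication is not defined or authentication is none %}` around it. Separately, the bind secret is passed as `-w "{{ authentication.ldap.password }}"`, which exposes it in the process listing of every helper and breaks on an embedded `"`; basic_ldap_auth can read it from a root-only file via `-W <file>`, which would be the safer form here.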
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl index 1876146dd..814f94aa7 100644 --- a/data/templates/squid/squid.conf.tmpl +++ b/data/templates/squid/squid.conf.tmpl @@ -100,29 +100,7 @@ forwarded_for off {% if cache_peer is defined and cache_peer is not none %} {% for peer, config in cache_peer.items() %} -{% if not 'type' in webproxy['cache-peer'][peer] %} -{% set p_type = "parent" %} -{% else %} -{% set p_type = webproxy['cache-peer'][peer]['type'] %} -{% endif %} - -{% if not 'http-port' in webproxy['cache-peer'][peer] %} -{% set p_http_port = 3128 %} -{% else %} -{% set p_http_port = webproxy['cache-peer'][peer]['http-port'] %} -{% endif %} - -{% if not 'icp-port' in webproxy['cache-peer'][peer] %} -{% set p_icp_port = 0 %} -{% else %} -{% set p_icp_port = webproxy['cache-peer'][peer]['icp-port'] %} -{% endif %} - -{% if not 'options' in webproxy['cache-peer'][peer] %} -{% set p_options = "no-query default" %} -{% else %} -{% set p_options = webproxy['cache-peer'][peer]['options'] %} -{% endif %} -cache_peer {{ config.address }} {{p_type}} {{p_http_port}} {{p_icp_port}} {{p_options}} +cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} {% endfor %} +never_direct allow all {% endif %} diff --git a/interface-definitions/include/webproxy-squidguard.xml.i b/interface-definitions/include/webproxy-squidguard.xml.i new file mode 100644 index 000000000..23a2fee7a --- /dev/null +++ b/interface-definitions/include/webproxy-squidguard.xml.i 
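Review bot: The new `cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }}` line assumes every peer carries `type`, `http_port`, `icp_port` and `options`; the removed lines supplied `parent`, `3128`, `0` and `no-query default` in the template, and unless the config script now injects those defaults before rendering (the new interface definition is cut off in this view, so I cannot confirm) a peer configured with only an address renders with empty fields that Squid rejects at startup. A template-side fallback such as `{{ config.type | default('parent') }} {{ config.http_port | default('3128') }} {{ config.icp_port | default('0') }}` keeps the generated config valid either way. `never_direct allow all` is also emitted as soon as any peer exists, which forces every request through peers even when only `sibling` peers are defined; a short comment stating that at least one parent peer is required, or gating the directive on the presence of a parent, would make that intent explicit.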
@@ -0,0 +1,115 @@
+<!-- included start from webproxy-squidguard.xml.i -->
+<leafNode name="allow-category">
+ <properties>
+ <help>Category to allow</help>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="allow-ipaddr-url">
+ <properties>
+ <help>Allow IP address URLs</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<leafNode name="block-category">
+ <properties>
+ <help>Category to block</help>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="default-action">
+ <properties>
+ <help>Default action</help>
+ <completionHelp>
+ <list>allow block</list>
+ </completionHelp>
+ <valueHelp>
+ <format>allow</format>
+ <description>Default filter action to allow (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>block</format>
+ <description>Default filter action to allow (default)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(allow|block)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="enable-safe-search">
+ <properties>
+ <help>Enable safe-mode search on popular search engines</help>
+ </properties>
+</leafNode>
+<leafNode name="local-block-keyword">
+ <properties>
+ <help>Local keyword to block</help>
+ <valueHelp>
+ <format>keyword</format>
+ <description>Keyword (or regex) to block</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="local-block-url">
+ <properties>
+ <help>Local URL to block</help>
+ <valueHelp>
+ <format>url</format>
+ <description>Local URL to block (without http:\/\/</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(https?:\/\/)$</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="local-block">
+ <properties>
+ <help>Local site to block</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address of site to block</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="local-ok-url">
+ <properties>
+ <help>Local URL to 
allow</help>
+ <valueHelp>
+ <format>url</format>
+ <description>Local URL to allow (without http:\/\/</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(https?:\/\/)$</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="local-ok">
+ <properties>
+ <help>Local site to allow</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address of site to allow</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<leafNode name="log">
+ <properties>
+ <help>Log block category</help>
+ <completionHelp>
+ <list>all</list>
+ </completionHelp>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- included end -->
diff --git a/interface-definitions/service-webproxy.xml.in b/interface-definitions/service-webproxy.xml.in
deleted file mode 100644
index 5a329af78..000000000
--- a/interface-definitions/service-webproxy.xml.in
+++ /dev/null
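Review bot: The constraints on `local-block-url` and `local-ok-url`, `<regex>^(https?:\/\/)$</regex>`, match only the literal strings `http://` or `https://` and nothing else, so every real URL is rejected and the help text ("without http://") describes the opposite of what is enforced — with no entry configurable, the local URL block/allow lists cannot act as a filtering control at all. Either drop the constraint or use a pattern that rejects a scheme prefix while admitting a host and optional path, e.g. `<regex>^[^\s/:]+(/[^\s]*)?$</regex>` if the regex validator accepts it; the squidguard smoketest the commit message mentions should cover this. The `block` entry of `default-action` also repeats the `allow` wording (`Default filter action to allow (default)`) and should read `Default filter action to block`, and `enable-safe-search` lacks `<valueless/>` so, unlike `allow-ipaddr-url`, it will demand a value for a toggle.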
@@ -1,533 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="service"> - <children> - <node name="webproxy" owner="${vyos_conf_scripts_dir}/service_webproxy.py"> - <properties> - <help>Webproxy service settings</help> - <priority>500</priority> - </properties> - <children> - <leafNode name="append-domain"> - <properties> - <help>Default domain name</help> - <valueHelp> - <format>domain</format> - <description>Domain to use for urls that do not contain a '.'</description> - </valueHelp> - <constraint> - <regex>^[\.][a-z0-9-][$]?</regex> - </constraint> - <constraintErrorMessage>Must start append-domain with a '.'</constraintErrorMessage> - </properties> - </leafNode> - <node name="authentication"> - <properties> - <help>Proxy Authentication Settings</help> - </properties> - <children> - <leafNode name="children"> - <properties> - <help>Number of authentication helper processes (default: 5)</help> - <valueHelp> - <format>n</format> - <description>Number of authentication helper processes</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-500"/> - </constraint> - </properties> - <defaultValue>5</defaultValue> - </leafNode> - <leafNode name="credentials-ttl"> - <properties> - <help>Authenticated session time to live in minutes (default: 60)</help> - <valueHelp> - <format>n</format> - <description>Authenticated session timeout</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-600"/> - </constraint> - </properties> - <defaultValue>60</defaultValue> - </leafNode> - <node name="ldap"> - <properties> - <help>LDAP authentication settings</help> - </properties> - <children> - <leafNode name="base-dn"> - <properties> - <help>LDAP Base DN to search</help> - </properties> - </leafNode> - <leafNode name="bind-dn"> - <properties> - <help>LDAP DN used to bind to server</help> - </properties> - </leafNode> - <leafNode name="filter-expression"> - <properties> - <help>Filter expression 
to perform LDAP search with</help> - </properties> - </leafNode> - <leafNode name="password"> - <properties> - <help>LDAP password to bind with</help> - </properties> - </leafNode> - <leafNode name="persistent-connection"> - <properties> - <help>Use persistent LDAP connection</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="port"> - <properties> - <help>LDAP server port to use (default: 389)</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Port number to use</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> - <defaultValue>389</defaultValue> - </leafNode> - <leafNode name="server"> - <properties> - <help>LDAP server to use</help> - </properties> - </leafNode> - <leafNode name="use-ssl"> - <properties> - <help>Use SSL/TLS for LDAP connection</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="username-attribute"> - <properties> - <help>LDAP username attribute</help> - </properties> - </leafNode> - <leafNode name="version"> - <properties> - <help>LDAP protocol version (default: 3)</help> - <completionHelp> - <list>2 3</list> - </completionHelp> - <valueHelp> - <format>2</format> - <description>LDAP protocol version 2</description> - </valueHelp> - <valueHelp> - <format>3</format> - <description>LDAP protocol version 2</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 2-3"/> - </constraint> - </properties> - <defaultValue>3</defaultValue> - </leafNode> - </children> - </node> - <leafNode name="method"> - <properties> - <help>Authentication Method</help> - <completionHelp> - <list>ldap</list> - </completionHelp> - <valueHelp> - <format>ldap</format> - <description>Lightweight Directory Access Protocol</description> - </valueHelp> - <constraint> - <regex>^(ldap)$</regex> - </constraint> - <constraintErrorMessage>The only supported method currently is LDAP</constraintErrorMessage> - 
</properties> - </leafNode> - <leafNode name="realm"> - <properties> - <help>Name of authentication realm (e.g. "My Company proxy server")</help> - </properties> - </leafNode> - </children> - </node> - - <tagNode name="cache-peer"> - <properties> - <help>cache-peer hostname</help> - <valueHelp> - <format>hostname</format> - <description>Cache peers FQDN</description> - </valueHelp> - </properties> - <children> - <leafNode name="address"> - <properties> - <help>IPv4 address of peer-cache</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of the cache peer</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="http-port"> - <properties> - <help>Cache peer http port (default 3128)</help> - <valueHelp> - <format>1-65535</format> - <description>Cache peer http port (default 3128)</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="icp-port"> - <properties> - <help>Cache peer icp port (default disabled)</help> - <valueHelp> - <format>1-65535</format> - <description>Cache peer icp port (default disabled)</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="options"> - <properties> - <help>Cache peer options</help> - <valueHelp> - <format>text</format> - <description>Cache peer options</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="type"> - <properties> - <help>Squid peer type (default parent)</help> - <completionHelp> - <list>parent sibling multicast</list> - </completionHelp> - <valueHelp> - <format>parent</format> - <description>Peer is a parent</description> - </valueHelp> - <valueHelp> - <format>sibling</format> - <description>Peer is a sibling</description> - </valueHelp> - <valueHelp> - <format>multicast</format> - <description>Peer is a member of a multicast group</description> - </valueHelp> - <constraint> - <regex>^(parent|sibling|multicast)$</regex> - </constraint> - </properties> - </leafNode> - </children> - </tagNode> - <leafNode 
name="cache-size"> - <properties> - <help>Disk cache size in MB (default: 100)</help> - <valueHelp> - <format>u32</format> - <description>Disk cache size in MB</description> - </valueHelp> - <valueHelp> - <format>0</format> - <description>Disable disk caching</description> - </valueHelp> - </properties> - <defaultValue>100</defaultValue> - </leafNode> - <leafNode name="default-port"> - <properties> - <help>Default Proxy Port (default: 3128)</help> - <valueHelp> - <format>u32:1025-65535</format> - <description>Default port number</description> - </valueHelp> - </properties> - <defaultValue>3128</defaultValue> - </leafNode> - <leafNode name="disable-access-log"> - <properties> - <help>Disable logging of HTTP accesses</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="domain-block"> - <properties> - <help>Domain name to block</help> - <multi/> - </properties> - </leafNode> - <leafNode name="domain-noncache"> - <properties> - <help>Domain name to access without caching</help> - <multi/> - </properties> - </leafNode> - <tagNode name="listen-address"> - <properties> - <help>IPv4 address for webproxy to listen on [REQUIRED]</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address listen on</description> - </valueHelp> - </properties> - <children> - <leafNode name="port"> - <properties> - <help>Default Proxy Port (default: 3128)</help> - <valueHelp> - <format>u32:1025-65535</format> - <description>Default port number</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="disable-transparent"> - <properties> - <help>Disable transparent mode</help> - <valueless/> - </properties> - </leafNode> - </children> - </tagNode> - <leafNode name="maximum-object-size"> - <properties> - <help>Maximum size of object to be stored in cache in kilobytes</help> - <valueHelp> - <format>u32</format> - <description>Object size in KB</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-100000"/> - 
</constraint> - </properties> - </leafNode> - <leafNode name="mem-cache-size"> - <properties> - <help>Memory cache size in MB</help> - <valueHelp> - <format>u32</format> - <description>Memory cache size in MB </description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-100000"/> - </constraint> - </properties> - <defaultValue>20</defaultValue> - </leafNode> - <leafNode name="minimum-object-size"> - <properties> - <help>Maximum size of object to be stored in cache in kilobytes</help> - <valueHelp> - <format>u32</format> - <description>Object size in KB</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-100000"/> - </constraint> - </properties> - </leafNode> - <leafNode name="outgoing-address"> - <properties> - <help>Outgoing IP address for webproxy</help> - </properties> - </leafNode> - <leafNode name="reply-block-mime"> - <properties> - <help>MIME type to block</help> - <completionHelp> - <list>image/gif www/mime application/macbinary application/oda application/octet-stream application/pdf application/postscript application/postscript application/postscript text/rtf application/octet-stream application/octet-stream application/x-tar application/x-csh application/x-dvi application/x-hdf application/x-latex text/plain application/x-netcdf application/x-netcdf application/x-sh application/x-tcl application/x-tex application/x-texinfo application/x-texinfo application/x-troff application/x-troff application/x-troff application/x-troff-man application/x-troff-me application/x-troff-ms application/x-wais-source application/zip application/x-bcpio application/x-cpio application/x-gtar application/x-rpm application/x-shar application/x-sv4cpio application/x-sv4crc application/x-tar application/x-ustar audio/basic audio/basic audio/mpeg audio/mpeg audio/mpeg audio/x-aiff audio/x-aiff audio/x-aiff audio/x-wav image/bmp image/ief image/jpeg image/jpeg image/jpeg image/tiff image/tiff image/x-cmu-raster 
image/x-portable-anymap image/x-portable-bitmap image/x-portable-graymap image/x-portable-pixmap image/x-rgb image/x-xbitmap image/x-xpixmap image/x-xwindowdump text/html text/html text/css application/x-javascript text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/richtext text/tab-separated-values text/x-setext video/mpeg video/mpeg video/mpeg video/quicktime video/quicktime video/x-msvideo video/x-sgi-movie application/mac-compactpro application/mac-binhex40 application/macwriteii application/msword application/msword application/vnd.ms-excel application/vnd.ms-powerpoint application/vnd.lotus-1-2-3 application/vnd.mif application/x-stuffit application/pict application/pict application/x-arj-compressed application/x-lha-compressed application/x-lha-compressed application/x-deflate text/plain application/octet-stream application/octet-stream image/png application/octet-stream application/x-xpinstall application/octet-stream text/plain application/x-director application/x-director application/x-director image/vnd.djvu image/vnd.djvu application/octet-stream application/octet-stream application/andrew-inset x-conference/x-cooltalk model/iges model/iges audio/midi audio/midi audio/midi model/mesh model/mesh video/vnd.mpegurl chemical/x-pdb application/x-chess-pgn audio/x-realaudio audio/x-pn-realaudio audio/x-pn-realaudio text/sgml text/sgml application/x-koan application/x-koan application/x-koan application/x-koan application/smil application/smil application/octet-stream application/x-futuresplash application/x-shockwave-flash application/x-cdlink model/vrml image/vnd.wap.wbmp application/vnd.wap.wbxml application/vnd.wap.wmlc application/vnd.wap.wmlscriptc application/vnd.wap.wmlscript application/xhtml application/xhtml text/xml text/xml chemical/x-xyz text/plain</list> - </completionHelp> - <constraint> - 
<regex>^(image/gif|www/mime|application/macbinary|application/oda|application/octet-stream|application/pdf|application/postscript|application/postscript|application/postscript|text/rtf|application/octet-stream|application/octet-stream|application/x-tar|application/x-csh|application/x-dvi|application/x-hdf|application/x-latex|text/plain|application/x-netcdf|application/x-netcdf|application/x-sh|application/x-tcl|application/x-tex|application/x-texinfo|application/x-texinfo|application/x-troff|application/x-troff|application/x-troff|application/x-troff-man|application/x-troff-me|application/x-troff-ms|application/x-wais-source|application/zip|application/x-bcpio|application/x-cpio|application/x-gtar|application/x-rpm|application/x-shar|application/x-sv4cpio|application/x-sv4crc|application/x-tar|application/x-ustar|audio/basic|audio/basic|audio/mpeg|audio/mpeg|audio/mpeg|audio/x-aiff|audio/x-aiff|audio/x-aiff|audio/x-wav|image/bmp|image/ief|image/jpeg|image/jpeg|image/jpeg|image/tiff|image/tiff|image/x-cmu-raster|image/x-portable-anymap|image/x-portable-bitmap|image/x-portable-graymap|image/x-portable-pixmap|image/x-rgb|image/x-xbitmap|image/x-xpixmap|image/x-xwindowdump|text/html|text/html|text/css|application/x-javascript|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/richtext|text/tab-separated-values|text/x-setext|video/mpeg|video/mpeg|video/mpeg|video/quicktime|video/quicktime|video/x-msvideo|video/x-sgi-movie|application/mac-compactpro|application/mac-binhex40|application/macwriteii|application/msword|application/msword|application/vnd.ms-excel|application/vnd.ms-powerpoint|application/vnd.lotus-1-2-3|application/vnd.mif|application/x-stuffit|application/pict|application/pict|application/x-arj-compressed|application/x-lha-compressed|application/x-lha-compressed|application/x-deflate|text/plain|application/octet-stream|application/octet-stream|image/png|application/octet-stream|application/x-xpinstall|appli
cation/octet-stream|text/plain|application/x-director|application/x-director|application/x-director|image/vnd.djvu|image/vnd.djvu|application/octet-stream|application/octet-stream|application/andrew-inset|x-conference/x-cooltalk|model/iges|model/iges|audio/midi|audio/midi|audio/midi|model/mesh|model/mesh|video/vnd.mpegurl|chemical/x-pdb|application/x-chess-pgn|audio/x-realaudio|audio/x-pn-realaudio|audio/x-pn-realaudio|text/sgml|text/sgml|application/x-koan|application/x-koan|application/x-koan|application/x-koan|application/smil|application/smil|application/octet-stream|application/x-futuresplash|application/x-shockwave-flash|application/x-cdlink|model/vrml|image/vnd.wap.wbmp|application/vnd.wap.wbxml|application/vnd.wap.wmlc|application/vnd.wap.wmlscriptc|application/vnd.wap.wmlscript|application/xhtml|application/xhtml|text/xml|text/xml|chemical/x-xyz|text/plain)$</regex> - </constraint> - <multi/> - </properties> - </leafNode> - <leafNode name="reply-body-max-size"> - <properties> - <help>Maximum reply body size in KB</help> - <valueHelp> - <format>u32</format> - <description>Reply size in KB</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-100000"/> - </constraint> - </properties> - </leafNode> - <node name="url-filtering"> - <properties> - <help>URL filtering settings</help> - </properties> - <children> - <leafNode name="disable"> - <properties> - <help>Disable URL filtering</help> - <valueless/> - </properties> - </leafNode> - <node name="squidguard"> - <properties> - <help>URL filtering via squidGuard redirector</help> - </properties> - <children> - <leafNode name="allow-category"> - <properties> - <help>Category to allow</help> - <multi/> - </properties> - </leafNode> - <leafNode name="allow-ipaddr-url"> - <properties> - <help>Allow IP address URLs</help> - <valueless/> - </properties> - </leafNode> - <node name="auto-update"> - <properties> - <help>Auto update settings</help> - </properties> - <children> - 
<leafNode name="update-hour"> - <properties> - <help>Hour of day for database update [REQUIRED]</help> - <valueHelp> - <format>u32:0-23</format> - <description>Hour for database update</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-23"/> - </constraint> - </properties> - <defaultValue>0</defaultValue> - </leafNode> - </children> - </node> - <leafNode name="block-category"> - <properties> - <help>Category to block</help> - <multi/> - </properties> - </leafNode> - <leafNode name="default-action"> - <properties> - <help>Default action</help> - <completionHelp> - <list>allow block</list> - </completionHelp> - <valueHelp> - <format>allow</format> - <description>Default filter action to allow (default)</description> - </valueHelp> - <valueHelp> - <format>block</format> - <description>Default filter action to allow (default)</description> - </valueHelp> - <constraint> - <regex>^(allow|block)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="enable-safe-search"> - <properties> - <help>Enable safe-mode search on popular search engines</help> - </properties> - </leafNode> - <leafNode name="local-block-keyword"> - <properties> - <help>Local keyword to block</help> - <valueHelp> - <format>keyword</format> - <description>Keyword (or regex) to block</description> - </valueHelp> - <multi/> - </properties> - </leafNode> - <leafNode name="local-block-url"> - <properties> - <help>Local URL to block</help> - <valueHelp> - <format>url</format> - <description>Local URL to block (without http:\/\/</description> - </valueHelp> - <constraint> - <regex>^(https?:\/\/)$</regex> - </constraint> - <multi/> - </properties> - </leafNode> - <leafNode name="local-block"> - <properties> - <help>Local site to block</help> - <valueHelp> - <format>ipv4</format> - <description>IP address of site to block</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - </constraint> - <multi/> - </properties> - 
</leafNode> - <leafNode name="local-ok-url"> - <properties> - <help>Local URL to allow</help> - <valueHelp> - <format>url</format> - <description>Local URL to allow (without http:\/\/</description> - </valueHelp> - <constraint> - <regex>^(https?:\/\/)$</regex> - </constraint> - <multi/> - </properties> - </leafNode> - <leafNode name="local-ok"> - <properties> - <help>Local site to allow</help> - <valueHelp> - <format>ipv4</format> - <description>IP address of site to allow</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - </constraint> - <multi/> - </properties> - </leafNode> - <leafNode name="log"> - <properties> - <help>Log block category</help> - <completionHelp> - <list>all</list> - </completionHelp> - <multi/> - </properties> - </leafNode> - <leafNode name="redirect-url"> - <properties> - <help>Redirect URL for filtered websites (default: http:\/\/block.vyos.net)</help> - <valueHelp> - <format>url</format> - <description>URL for redirect</description> - </valueHelp> - </properties> - <defaultValue>http:\/\/block.vyos.net</defaultValue> - </leafNode> - <!-- not completed --> - </children> - </node> - </children> - </node> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in new file mode 100644 index 000000000..c2e8c4120 --- /dev/null +++ b/interface-definitions/service_webproxy.xml.in 
@@ -0,0 +1,641 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="webproxy" owner="${vyos_conf_scripts_dir}/service_webproxy.py"> + <properties> + <help>Webproxy service settings</help> + <priority>500</priority> + </properties> + <children> + <leafNode name="append-domain"> + <properties> + <help>Default domain name</help> + <valueHelp> + <format>domain</format> + <description>Domain to use for urls that do not contain a '.'</description> + </valueHelp> + <constraint> + <regex>^[\.][a-z0-9-][$]?</regex> + </constraint> + <constraintErrorMessage>Must start append-domain with a '.'</constraintErrorMessage> + </properties> + </leafNode> + <node name="authentication"> + <properties> + <help>Proxy Authentication Settings</help> + </properties> + <children> + <leafNode name="children"> + <properties> + <help>Number of authentication helper processes (default: 5)</help> + <valueHelp> + <format>n</format> + <description>Number of authentication helper processes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-500"/> + </constraint> + </properties> + <defaultValue>5</defaultValue> + </leafNode> + <leafNode name="credentials-ttl"> + <properties> + <help>Authenticated session time to live in minutes (default: 60)</help> + <valueHelp> + <format>n</format> + <description>Authenticated session timeout</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-600"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <node name="ldap"> + <properties> + <help>LDAP authentication settings</help> + </properties> + <children> + <leafNode name="base-dn"> + <properties> + <help>LDAP Base DN to search</help> + </properties> + </leafNode> + <leafNode name="bind-dn"> + <properties> + <help>LDAP DN used to bind to server</help> + </properties> + </leafNode> + <leafNode name="filter-expression"> + <properties> + <help>Filter expression 
to perform LDAP search with</help> + </properties> + </leafNode> + <leafNode name="password"> + <properties> + <help>LDAP password to bind with</help> + </properties> + </leafNode> + <leafNode name="persistent-connection"> + <properties> + <help>Use persistent LDAP connection</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="port"> + <properties> + <help>LDAP server port to use (default: 389)</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Port number to use</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <defaultValue>389</defaultValue> + </leafNode> + <leafNode name="server"> + <properties> + <help>LDAP server to use</help> + </properties> + </leafNode> + <leafNode name="use-ssl"> + <properties> + <help>Use SSL/TLS for LDAP connection</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="username-attribute"> + <properties> + <help>LDAP username attribute</help> + </properties> + </leafNode> + <leafNode name="version"> + <properties> + <help>LDAP protocol version (default: 3)</help> + <completionHelp> + <list>2 3</list> + </completionHelp> + <valueHelp> + <format>2</format> + <description>LDAP protocol version 2</description> + </valueHelp> + <valueHelp> + <format>3</format> + <description>LDAP protocol version 2</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 2-3"/> + </constraint> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + </children> + </node> + <leafNode name="method"> + <properties> + <help>Authentication Method</help> + <completionHelp> + <list>ldap</list> + </completionHelp> + <valueHelp> + <format>ldap</format> + <description>Lightweight Directory Access Protocol</description> + </valueHelp> + <constraint> + <regex>^(ldap)$</regex> + </constraint> + <constraintErrorMessage>The only supported method currently is LDAP</constraintErrorMessage> + 
</properties> + </leafNode> + <leafNode name="realm"> + <properties> + <help>Name of authentication realm (e.g. "My Company proxy server")</help> + </properties> + </leafNode> + </children> + </node> + <tagNode name="cache-peer"> + <properties> + <help>Specify other caches in a hierarchy</help> + <valueHelp> + <format>hostname</format> + <description>Cache peers FQDN</description> + </valueHelp> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Hostname or IP address of peer</help> + <valueHelp> + <format>ipv4</format> + <description>Remote syslog server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Remote syslog server FQDN</description> + </valueHelp> + <constraint> + <validator name="ip-address"/> + <validator name="fqdn"/> + </constraint> + <constraintErrorMessage>Invalid FQDN or IP address</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="http-port"> + <properties> + <help>Default Proxy Port (default: 3128)</help> + <valueHelp> + <format>u32:1025-65535</format> + <description>Default port number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1025-65535"/> + </constraint> + </properties> + <defaultValue>3128</defaultValue> + </leafNode> + <leafNode name="icp-port"> + <properties> + <help>Cache peer ICP port (default: disabled)</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Cache peer ICP port</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + <leafNode name="options"> + <properties> + <help>Cache peer options (default: "no-query default")</help> + <valueHelp> + <format>text</format> + <description>Cache peer options</description> + </valueHelp> + </properties> + <defaultValue>no-query default</defaultValue> + </leafNode> + <leafNode name="type"> + <properties> + 
<help>Squid peer type (default parent)</help> + <completionHelp> + <list>parent sibling multicast</list> + </completionHelp> + <valueHelp> + <format>parent</format> + <description>Peer is a parent</description> + </valueHelp> + <valueHelp> + <format>sibling</format> + <description>Peer is a sibling</description> + </valueHelp> + <valueHelp> + <format>multicast</format> + <description>Peer is a member of a multicast group</description> + </valueHelp> + <constraint> + <regex>^(parent|sibling|multicast)$</regex> + </constraint> + </properties> + <defaultValue>parent</defaultValue> + </leafNode> + </children> + </tagNode> + <leafNode name="cache-size"> + <properties> + <help>Disk cache size in MB (default: 100)</help> + <valueHelp> + <format>u32</format> + <description>Disk cache size in MB</description> + </valueHelp> + <valueHelp> + <format>0</format> + <description>Disable disk caching</description> + </valueHelp> + </properties> + <defaultValue>100</defaultValue> + </leafNode> + <leafNode name="default-port"> + <properties> + <help>Default Proxy Port (default: 3128)</help> + <valueHelp> + <format>u32:1025-65535</format> + <description>Default port number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1025-65535"/> + </constraint> + </properties> + <defaultValue>3128</defaultValue> + </leafNode> + <leafNode name="disable-access-log"> + <properties> + <help>Disable logging of HTTP accesses</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="domain-block"> + <properties> + <help>Domain name to block</help> + <multi/> + </properties> + </leafNode> + <leafNode name="domain-noncache"> + <properties> + <help>Domain name to access without caching</help> + <multi/> + </properties> + </leafNode> + <tagNode name="listen-address"> + <properties> + <help>IPv4 address for webproxy to listen on [REQUIRED]</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address listen on</description> + </valueHelp> + 
</properties> + <children> + <leafNode name="port"> + <properties> + <help>Default Proxy Port (default: 3128)</help> + <valueHelp> + <format>u32:1025-65535</format> + <description>Default port number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1025-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="disable-transparent"> + <properties> + <help>Disable transparent mode</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="maximum-object-size"> + <properties> + <help>Maximum size of object to be stored in cache in kilobytes</help> + <valueHelp> + <format>u32</format> + <description>Object size in KB</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-100000"/> + </constraint> + </properties> + </leafNode> + <leafNode name="mem-cache-size"> + <properties> + <help>Memory cache size in MB</help> + <valueHelp> + <format>u32</format> + <description>Memory cache size in MB </description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-100000"/> + </constraint> + </properties> + <defaultValue>20</defaultValue> + </leafNode> + <leafNode name="minimum-object-size"> + <properties> + <help>Maximum size of object to be stored in cache in kilobytes</help> + <valueHelp> + <format>u32</format> + <description>Object size in KB</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-100000"/> + </constraint> + </properties> + </leafNode> + <leafNode name="outgoing-address"> + <properties> + <help>Outgoing IP address for webproxy</help> + </properties> + </leafNode> + <leafNode name="reply-block-mime"> + <properties> + <help>MIME type to block</help> + <completionHelp> + <list>image/gif www/mime application/macbinary application/oda application/octet-stream application/pdf application/postscript application/postscript application/postscript text/rtf 
application/octet-stream application/octet-stream application/x-tar application/x-csh application/x-dvi application/x-hdf application/x-latex text/plain application/x-netcdf application/x-netcdf application/x-sh application/x-tcl application/x-tex application/x-texinfo application/x-texinfo application/x-troff application/x-troff application/x-troff application/x-troff-man application/x-troff-me application/x-troff-ms application/x-wais-source application/zip application/x-bcpio application/x-cpio application/x-gtar application/x-rpm application/x-shar application/x-sv4cpio application/x-sv4crc application/x-tar application/x-ustar audio/basic audio/basic audio/mpeg audio/mpeg audio/mpeg audio/x-aiff audio/x-aiff audio/x-aiff audio/x-wav image/bmp image/ief image/jpeg image/jpeg image/jpeg image/tiff image/tiff image/x-cmu-raster image/x-portable-anymap image/x-portable-bitmap image/x-portable-graymap image/x-portable-pixmap image/x-rgb image/x-xbitmap image/x-xpixmap image/x-xwindowdump text/html text/html text/css application/x-javascript text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/richtext text/tab-separated-values text/x-setext video/mpeg video/mpeg video/mpeg video/quicktime video/quicktime video/x-msvideo video/x-sgi-movie application/mac-compactpro application/mac-binhex40 application/macwriteii application/msword application/msword application/vnd.ms-excel application/vnd.ms-powerpoint application/vnd.lotus-1-2-3 application/vnd.mif application/x-stuffit application/pict application/pict application/x-arj-compressed application/x-lha-compressed application/x-lha-compressed application/x-deflate text/plain application/octet-stream application/octet-stream image/png application/octet-stream application/x-xpinstall application/octet-stream text/plain application/x-director application/x-director application/x-director image/vnd.djvu image/vnd.djvu application/octet-stream application/octet-stream 
application/andrew-inset x-conference/x-cooltalk model/iges model/iges audio/midi audio/midi audio/midi model/mesh model/mesh video/vnd.mpegurl chemical/x-pdb application/x-chess-pgn audio/x-realaudio audio/x-pn-realaudio audio/x-pn-realaudio text/sgml text/sgml application/x-koan application/x-koan application/x-koan application/x-koan application/smil application/smil application/octet-stream application/x-futuresplash application/x-shockwave-flash application/x-cdlink model/vrml image/vnd.wap.wbmp application/vnd.wap.wbxml application/vnd.wap.wmlc application/vnd.wap.wmlscriptc application/vnd.wap.wmlscript application/xhtml application/xhtml text/xml text/xml chemical/x-xyz text/plain</list> + </completionHelp> + <constraint> + <regex>^(image/gif|www/mime|application/macbinary|application/oda|application/octet-stream|application/pdf|application/postscript|application/postscript|application/postscript|text/rtf|application/octet-stream|application/octet-stream|application/x-tar|application/x-csh|application/x-dvi|application/x-hdf|application/x-latex|text/plain|application/x-netcdf|application/x-netcdf|application/x-sh|application/x-tcl|application/x-tex|application/x-texinfo|application/x-texinfo|application/x-troff|application/x-troff|application/x-troff|application/x-troff-man|application/x-troff-me|application/x-troff-ms|application/x-wais-source|application/zip|application/x-bcpio|application/x-cpio|application/x-gtar|application/x-rpm|application/x-shar|application/x-sv4cpio|application/x-sv4crc|application/x-tar|application/x-ustar|audio/basic|audio/basic|audio/mpeg|audio/mpeg|audio/mpeg|audio/x-aiff|audio/x-aiff|audio/x-aiff|audio/x-wav|image/bmp|image/ief|image/jpeg|image/jpeg|image/jpeg|image/tiff|image/tiff|image/x-cmu-raster|image/x-portable-anymap|image/x-portable-bitmap|image/x-portable-graymap|image/x-portable-pixmap|image/x-rgb|image/x-xbitmap|image/x-xpixmap|image/x-xwindowdump|text/html|text/html|text/css|application/x-javascript|text/plain|text/
plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/richtext|text/tab-separated-values|text/x-setext|video/mpeg|video/mpeg|video/mpeg|video/quicktime|video/quicktime|video/x-msvideo|video/x-sgi-movie|application/mac-compactpro|application/mac-binhex40|application/macwriteii|application/msword|application/msword|application/vnd.ms-excel|application/vnd.ms-powerpoint|application/vnd.lotus-1-2-3|application/vnd.mif|application/x-stuffit|application/pict|application/pict|application/x-arj-compressed|application/x-lha-compressed|application/x-lha-compressed|application/x-deflate|text/plain|application/octet-stream|application/octet-stream|image/png|application/octet-stream|application/x-xpinstall|application/octet-stream|text/plain|application/x-director|application/x-director|application/x-director|image/vnd.djvu|image/vnd.djvu|application/octet-stream|application/octet-stream|application/andrew-inset|x-conference/x-cooltalk|model/iges|model/iges|audio/midi|audio/midi|audio/midi|model/mesh|model/mesh|video/vnd.mpegurl|chemical/x-pdb|application/x-chess-pgn|audio/x-realaudio|audio/x-pn-realaudio|audio/x-pn-realaudio|text/sgml|text/sgml|application/x-koan|application/x-koan|application/x-koan|application/x-koan|application/smil|application/smil|application/octet-stream|application/x-futuresplash|application/x-shockwave-flash|application/x-cdlink|model/vrml|image/vnd.wap.wbmp|application/vnd.wap.wbxml|application/vnd.wap.wmlc|application/vnd.wap.wmlscriptc|application/vnd.wap.wmlscript|application/xhtml|application/xhtml|text/xml|text/xml|chemical/x-xyz|text/plain)$</regex> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="reply-body-max-size"> + <properties> + <help>Maximum reply body size in KB</help> + <valueHelp> + <format>u32</format> + <description>Reply size in KB</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-100000"/> + </constraint> + </properties> + 
</leafNode> + <node name="url-filtering"> + <properties> + <help>URL filtering settings</help> + </properties> + <children> + <leafNode name="disable"> + <properties> + <help>Disable URL filtering</help> + <valueless/> + </properties> + </leafNode> + <node name="squidguard"> + <properties> + <help>URL filtering via squidGuard redirector</help> + </properties> + <children> + #include <include/webproxy-squidguard.xml.i> + <node name="auto-update"> + <properties> + <help>Auto update settings</help> + </properties> + <children> + <leafNode name="update-hour"> + <properties> + <help>Hour of day for database update [REQUIRED]</help> + <valueHelp> + <format>u32:0-23</format> + <description>Hour for database update</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-23"/> + </constraint> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + </children> + </node> + <leafNode name="redirect-url"> + <properties> + <help>Redirect URL for filtered websites (default: http:\/\/block.vyos.net)</help> + <valueHelp> + <format>url</format> + <description>URL for redirect</description> + </valueHelp> + </properties> + <defaultValue>http:\/\/block.vyos.net</defaultValue> + </leafNode> + <tagNode name="rule"> + <properties> + <help>URL filter rule for a source-group</help> + <valueHelp> + <format>u32:1-1024</format> + <description>Rule Number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-1024"/> + </constraint> + <constraintErrorMessage>SquidGuard rule must between 1-1024</constraintErrorMessage> + </properties> + <children> + #include <include/webproxy-squidguard.xml.i> + <leafNode name="redirect-url"> + <properties> + <help>Redirect URL for filtered websites (default: http:\/\/block.vyos.net)</help> + <valueHelp> + <format>url</format> + <description>URL for redirect</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="source-group"> + <properties> + 
<help>Source-group for this rule [REQUIRED]</help> + <valueHelp> + <format>group</format> + <description>Source group identifier for this rule</description> + </valueHelp> + <completionHelp> + <path>service webproxy url-filtering squidguard source-group</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="time-period"> + <properties> + <help>Time-period for this rule</help> + <valueHelp> + <format>period</format> + <description>Time period for this rule</description> + </valueHelp> + <completionHelp> + <path>service webproxy url-filtering squidguard time-period</path> + </completionHelp> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="source-group"> + <properties> + <help>Source group name</help> + <valueHelp> + <format>name</format> + <description>Name of source group</description> + </valueHelp> + <constraint> + <regex>^[^0-9]</regex> + </constraint> + <constraintErrorMessage>URL-filter source-group cannot start with a number!</constraintErrorMessage> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Address for source-group</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 address range to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-prefix"/> + <validator name="ipv4-range"/> + </constraint> + </properties> + </leafNode> + <leafNode name="description"> + <properties> + <help>Description for source-group</help> + </properties> + </leafNode> + <leafNode name="domain"> + <properties> + <help>Domain for source-group</help> + <valueHelp> + <format>domain</format> + <description>Domain name for the source-group</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + <leafNode 
name="ldap-ip-search"> + <properties> + <help>LDAP search expression for an IP address list</help> + <multi/> + </properties> + </leafNode> + <leafNode name="ldap-user-search"> + <properties> + <help>LDAP search expression for a user group</help> + <multi/> + </properties> + </leafNode> + <leafNode name="user"> + <properties> + <help>List of user names</help> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="time-period"> + <properties> + <help>Time period name</help> + </properties> + <children> + <tagNode name="days"> + <properties> + <help>Time-period days</help> + <completionHelp> + <list>Sun Mon Tue Wed Thu Fri Sat weekdays weekend all</list> + </completionHelp> + <valueHelp> + <format>Sun</format> + <description>Sunday</description> + </valueHelp> + <valueHelp> + <format>Mon</format> + <description>Monday</description> + </valueHelp> + <valueHelp> + <format>Tue</format> + <description>Tuesday</description> + </valueHelp> + <valueHelp> + <format>Wed</format> + <description>Wednesday</description> + </valueHelp> + <valueHelp> + <format>Thu</format> + <description>Thursday</description> + </valueHelp> + <valueHelp> + <format>Fri</format> + <description>Friday</description> + </valueHelp> + <valueHelp> + <format>Sat</format> + <description>Saturday</description> + </valueHelp> + <valueHelp> + <format>weekdays</format> + <description>Monday through Friday</description> + </valueHelp> + <valueHelp> + <format>weekend</format> + <description>Saturday and Sunday</description> + </valueHelp> + <valueHelp> + <format>all</format> + <description>All days of the week</description> + </valueHelp> + <constraint> + <regex>^(Sun|Mon|Tue|Wed|Thu|Fri|Sat|weekdays|weekend|all)$</regex> + </constraint> + </properties> + <children> + <leafNode name="time"> + <properties> + <help>Time for time-period</help> + <valueHelp> + <format><hh:mm - hh:mm></format> + <description>Time range in 24hr time</description> + </valueHelp> + <constraint> + <!-- time range 
example: 12:00-13:00 --> + <regex>^(\d\d:\d\d)-(\d\d:\d\d)$</regex> + </constraint> + <constraintErrorMessage>Expected time format hh:mm - hh:mm in 24hr time</constraintErrorMessage> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="description"> + <properties> + <help>Time-period description</help> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py index 128393e51..332e10329 100755 --- a/src/conf_mode/service_webproxy.py +++ b/src/conf_mode/service_webproxy.py @@ -44,16 +44,26 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base) + # if no authentication method is supplid, no need to add defaults if not dict_search('authentication.method', proxy): default_values.pop('authentication') + + # XXX: T2665: blend in proper cache-peer default values later + default_values.pop('cache_peer') proxy = dict_merge(default_values, proxy) + # XXX: T2665: blend in proper cache-peer default values + if 'cache_peer' in proxy: + default_values = defaults(base + ['cache-peer']) + for peer in proxy['cache_peer']: + proxy['cache_peer'][peer] = dict_merge(default_values, + proxy['cache_peer'][peer]) + import pprint pprint.pprint(proxy) return proxy - def verify(proxy): if not proxy: return None @@ -99,6 +109,11 @@ def verify(proxy): if 'base_dn' not in ldap_config: raise ConfigError('LDAP base-dn must be set!') + if 'cache_peer' in proxy: + for peer, config in proxy['cache_peer'].items(): + if 'address' not in config: + raise ConfigError(f'Cache-peer "{peer}" address must be set!') + def generate(proxy): if not proxy: return None -- cgit v1.2.3 
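Review bot: The `append-domain` constraint `^[\.][a-z0-9-][$]?` only checks that the value starts with a dot followed by one letter, digit or hyphen and never anchors the end (the `[$]?` is an optional literal dollar sign, not an end anchor), so `.a` followed by anything is accepted while the `constraintErrorMessage` suggests a stricter intent; `^\.[a-z0-9.-]+$` expresses a leading dot plus a domain-like remainder. Several help strings look like copy-paste leftovers: the LDAP `version` valueHelp for `3` reads "LDAP protocol version 2", both `cache-peer address` valueHelps say "Remote syslog server …", and `minimum-object-size` is described as "Maximum size of object to be stored in cache". The LDAP `base-dn`, `bind-dn`, `filter-expression` and `password` leaves carry no constraint at all although their values end up on the generated `auth_param basic program` line in squid.conf, presumably inside double quotes, so a value containing `"` would corrupt that line; a constraint that rejects at least the double-quote character is cheap insurance here.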
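Review bot: `import pprint` / `pprint.pprint(proxy)` at the end of `get_config` is leftover debug output: it prints the whole merged configuration, which includes whatever was set under `authentication ldap password`, to the commit's stdout on every run, and it should be removed before merge. If a dump is occasionally useful for development, gate it behind the existing debug facilities rather than an unconditional print. The body of `get_config` starts outside this hunk.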
From b9a2312f02e40b16d5b85454eadd84dc3cb7bea8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger <christian@poessinger.com> Date: Sat, 26 Dec 2020 16:42:44 +0100 Subject: webproxy: T563: add squidguard body --- data/templates/squid/squid.conf.tmpl | 9 +++++++++ data/templates/squid/squidGuard.conf.tmpl | 18 ++++++++++++++++++ interface-definitions/service_webproxy.xml.in | 6 +++--- src/conf_mode/service_webproxy.py | 23 ++++++++++++++++++----- 4 files changed, 48 insertions(+), 8 deletions(-) create mode 100644 data/templates/squid/squidGuard.conf.tmpl (limited to 'data') diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl index 814f94aa7..8754e762d 100644 --- a/data/templates/squid/squid.conf.tmpl +++ b/data/templates/squid/squid.conf.tmpl @@ -98,6 +98,15 @@ http_port 127.0.0.1:{{ default_port }} {# NOT insert the client address in X-Forwarded-For header #} forwarded_for off +{# SquidGuard #} +{% if url_filtering is defined and url_filtering.disable is not defined %} +{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} +redirect_program /usr/bin/squidGuard -c {{ squidguard_conf }} +redirect_children 8 +redirector_bypass on +{% endif %} +{% endif %} + {% if cache_peer is defined and cache_peer is not none %} {% for peer, config in cache_peer.items() %} cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl new file mode 100644 index 000000000..907043614 --- /dev/null +++ b/data/templates/squid/squidGuard.conf.tmpl 
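Review bot: `redirector_bypass on` makes Squid serve requests unfiltered whenever every redirector helper is busy or has exited, so the URL filter fails open and a crashed or overloaded squidGuard silently disables blocking; with `redirect_children 8` hard-coded that path is reachable under ordinary load. If availability over enforcement is the intended trade-off it deserves a template comment such as `{# fail open: when all squidGuard helpers are busy, requests are served unfiltered #}`; otherwise `redirector_bypass off` together with a larger or configurable helper count keeps enforcement intact. As far as I recall `redirect_program` and `redirector_bypass` are the legacy spellings of `url_rewrite_program` and `url_rewrite_bypass`; they still work but newer Squid releases warn about them.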
@@ -0,0 +1,18 @@ +### generated by service_webproxy.py ### +{% if url_filtering is defined and url_filtering.disable is not defined %} +{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} +dbhome /opt/vyatta/etc/config/url-filtering/squidguard/db +logdir /var/log/squid + +rewrite safesearch { + s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i + s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i + s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i + s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i + log rewrite.log +} + +{% endif %} +{% endif %} diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index c2e8c4120..ba33a30f4 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -425,13 +425,13 @@ </node> <leafNode name="redirect-url"> <properties> - <help>Redirect URL for filtered websites (default: http:\/\/block.vyos.net)</help> + <help>Redirect URL for filtered websites (default: block.vyos.net)</help> <valueHelp> <format>url</format> <description>URL for redirect</description> </valueHelp> </properties> - <defaultValue>http:\/\/block.vyos.net</defaultValue> + <defaultValue>block.vyos.net</defaultValue> </leafNode> <tagNode name="rule"> <properties> @@ -449,7 +449,7 @@ #include <include/webproxy-squidguard.xml.i> <leafNode name="redirect-url"> <properties> - <help>Redirect URL for filtered websites (default: http:\/\/block.vyos.net)</help> + <help>Redirect URL for filtered websites</help> <valueHelp> <format>url</format> <description>URL for redirect</description> diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py index 332e10329..76b72ad48 100755 --- a/src/conf_mode/service_webproxy.py +++ b/src/conf_mode/service_webproxy.py 
@@ -29,7 +29,8 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = '/etc/squid/squid.conf' +squid_config_file = '/etc/squid/squid.conf' +squidguard_config_file = '/etc/squidguard/squidGuard.conf' def get_config(config=None): if config: @@ -45,9 +46,15 @@ def get_config(config=None): # options which we need to update into the dictionary retrived. default_values = defaults(base) - # if no authentication method is supplid, no need to add defaults + # if no authentication method is supplied, no need to add defaults if not dict_search('authentication.method', proxy): default_values.pop('authentication') + # if no url_filteringurl-filtering method is supplied, no need to add defaults + if 'url_filtering' not in proxy: + default_values.pop('url_filtering') + else: + # store path to squidGuard config, used when generating Squid config + proxy['squidguard_conf'] = squidguard_config_file # XXX: T2665: blend in proper cache-peer default values later default_values.pop('cache_peer') @@ -118,15 +125,21 @@ def generate(proxy): if not proxy: return None - render(config_file, 'squid/squid.conf.tmpl', proxy) + render(squid_config_file, 'squid/squid.conf.tmpl', proxy) + render(squidguard_config_file, 'squid/squidGuard.conf.tmpl', proxy) + return None def apply(proxy): if not proxy: # proxy is removed in the commit call('systemctl stop squid.service') - if os.path.exists(config_file): - os.unlink(config_file) + + if os.path.exists(squid_config_file): + os.unlink(squid_config_file) + if os.path.exists(squidguard_config_file): + os.unlink(squidguard_config_file) + return None call('systemctl restart squid.service') -- cgit v1.2.3 From eeb78e842423319169b036d16601e73227dbffdd Mon Sep 17 00:00:00 2001 
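Review bot: The comment `# if no url_filteringurl-filtering method is supplied, no need to add defaults` contains a pasted-in fragment; `# if url-filtering is not configured, no need to add its defaults` reads correctly. Storing the output path as `proxy['squidguard_conf']` injects a render-time constant into the dictionary that `verify()` also inspects, which works but is easy to mistake for a CLI node later, so a one-line comment such as `# not a CLI node: consumed by squid.conf.tmpl for redirect_program` is worth adding. The enclosing `get_config` starts and ends outside this hunk.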
From: Christian Poessinger <christian@poessinger.com> Date: Sun, 27 Dec 2020 11:43:27 +0100 Subject: webproxy: T563: squidguard: support default ruleset --- data/templates/squid/sg_acl.conf.tmpl | 18 +++ data/templates/squid/squidGuard.conf.tmpl | 75 ++++++++++++- debian/vyos-1x.postinst | 3 + .../include/webproxy-squidguard.xml.i | 122 --------------------- .../include/webproxy-url-filtering.xml.i | 119 ++++++++++++++++++++ interface-definitions/service_webproxy.xml.in | 13 ++- op-mode-definitions/webproxy.xml | 2 +- python/vyos/template.py | 7 +- python/vyos/util.py | 24 ++++ src/completion/list_webproxy_category.sh | 2 +- src/conf_mode/service_webproxy.py | 57 +++++++++- 11 files changed, 309 insertions(+), 133 deletions(-) create mode 100644 data/templates/squid/sg_acl.conf.tmpl delete mode 100644 interface-definitions/include/webproxy-squidguard.xml.i create mode 100644 interface-definitions/include/webproxy-url-filtering.xml.i (limited to 'data') diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.tmpl new file mode 100644 index 000000000..cb1c3ccb0 --- /dev/null +++ b/data/templates/squid/sg_acl.conf.tmpl @@ -0,0 +1,18 @@ +### generated by service_webproxy.py ### +dbhome {{ squidguard_db_dir }} + +dest {{ category }}-{{ rule }} { +{% if list_type == 'domains' %} + domainlist {{ category }}/domains +{% elif list_type == 'urls' %} + urllist {{ category }}/urls +{% elif list_type == 'expressions' %} + expressionlist {{ category }}/expressions +{% endif %} +} + +acl { + default { + pass all + } +} diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl index 907043614..74de3a651 100644 --- a/data/templates/squid/squidGuard.conf.tmpl +++ b/data/templates/squid/squidGuard.conf.tmpl 
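Review bot: When `list_type` is anything other than `domains`, `urls` or `expressions`, the `dest {{ category }}-{{ rule }} { }` block is rendered empty, so a typo in the caller most likely yields a destination that matches nothing instead of a visible error; a final `{% else %}` branch that renders a clearly invalid marker, or a header comment naming the three accepted values, would make that failure loud. The file also carries no note on what it is for: with an acl section that is a bare `pass all`, it looks like a per-category helper config used when (re)building a single database list rather than a runtime ruleset, and a comment such as `{# helper config for building one squidGuard list; not loaded by the running redirector #}` would confirm that, if it is indeed the purpose.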
@@ -1,7 +1,25 @@
 ### generated by service_webproxy.py ###
+
+{% macro sg_rule(category, log, db_dir) %}
+{% set expressions = db_dir + '/' + category + '/expressions' %}
+dest {{ category }}-default {
+ domainlist {{ category }}/domains
+ urllist {{ category }}/urls
+{% if expressions | is_file %}
+ expressionlist {{ category }}/expressions
+{% endif %}
+{% if log is defined %}
+ log blacklist.log
+{% endif %}
+}
+{% endmacro %}
+
 {% if url_filtering is defined and url_filtering.disable is not defined %}
 {% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
-dbhome /opt/vyatta/etc/config/url-filtering/squidguard/db
+{% set sg_config = url_filtering.squidguard %}
+{% set acl = namespace(value='local-ok-default') %}
+{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+dbhome {{ squidguard_db_dir }}
 logdir /var/log/squid
 
 rewrite safesearch {
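Review bot: `{% set acl = namespace(value='local-ok-default') %}` seeds the pass list with `local-ok-default` unconditionally, but the matching `dest local-ok-default { … }` block (rendered in the following hunk) only exists when `sg_config.local_ok` is set, so a configuration without `local-ok` entries emits a `pass local-ok-default …` line that names an undeclared destination; squidGuard treats that as a configuration error and, as far as I recall, falls into emergency mode where every request is passed unfiltered. Starting from `{% set acl = namespace(value='') %}` and letting the `local_ok` branch append the name, as it already does, removes both the duplicate and the dangling reference. Separately, the macro's `{% if log is defined %}` is true for any explicitly passed argument including `False`, so the `sg_rule(category, False, squidguard_db_dir)` call for `allow_category` in the next hunk still emits `log blacklist.log` for allowed categories; `{% if log %}` covers both the undefined and the `False` case.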
@@ -14,5 +32,60 @@ rewrite safesearch {
 log rewrite.log
 }
+{% if sg_config.local_ok is defined and sg_config.local_ok is not none %}
+{% set acl.value = acl.value + ' local-ok-default' %}
+dest local-ok-default {
+ domainlist local-ok-default/domains
+}
+{% endif %}
+{% if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %}
+{% set acl.value = acl.value + ' local-ok-url-default' %}
+dest local-ok-url-default {
+ urllist local-ok-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block is defined and sg_config.local_block is not none %}
+{% set acl.value = acl.value + ' !local-block-default' %}
+dest local-block-default {
+ domainlist local-block-default/domains
+}
+{% endif %}
+{% if sg_config.local_block_url is defined and sg_config.local_block_url is not none %}
+{% set acl.value = acl.value + ' !local-block-url-default' %}
+dest local-block-url-default {
+ urllist local-block-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %}
+{% set acl.value = acl.value + ' !local-block-keyword-default' %}
+dest local-block-keyword-default {
+ expressionlist local-block-keyword-default/expressions
+}
+{% endif %}
+
+{% if sg_config.block_category is defined and sg_config.block_category is not none %}
+{% for category in sg_config.block_category %}
+{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' !'
+ category + '-default' %}
+{% endfor %}
+{% endif %}
+{% if sg_config.allow_category is defined and sg_config.allow_category is not none %}
+{% for category in sg_config.allow_category %}
+{{ sg_rule(category, False, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' ' + category + '-default' %}
+{% endfor %}
+{% endif %}
+acl {
+ default {
+{% if sg_config.enable_safe_search is defined %}
+ rewrite safesearch
+{% endif %}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
+ redirect 302:http://{{ sg_config.redirect_url }}
+{% if sg_config.log is defined and sg_config.log is not none %}
+ log blacklist.log
+{% endif %}
+ }
+}
 {% endif %}
 {% endif %}
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index dc129cb54..92948de12 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -30,3 +30,6 @@ if ! grep -q '^dhcpd' /etc/passwd; then
 adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
 adduser --quiet dhcpd hostsd
 fi
+
+# ensure hte proxy user has a proper shell
+chsh -s /bin/sh proxy
diff --git a/interface-definitions/include/webproxy-squidguard.xml.i b/interface-definitions/include/webproxy-squidguard.xml.i
deleted file mode 100644
index 6958056d4..000000000
--- a/interface-definitions/include/webproxy-squidguard.xml.i
+++ /dev/null
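Review bot: `redirect 302:http://{{ sg_config.redirect_url }}` is emitted unconditionally, so without a configured redirect-url the default acl contains a bare `redirect 302:http://`; either guard it with `{% if sg_config.redirect_url is defined %}` or make verify() in service_webproxy.py reject a missing value, which the hunks of this patch do not show it doing. The block-category loop hands the whole `sg_config.log` list to `sg_rule`, so as soon as any category is listed under `log`, every blocked category's dest gets `log blacklist.log`, although the `log` leaf accepts individual category names or `all`; passing a per-category boolean, e.g. `'all' in sg_config.log or category in sg_config.log`, would honour that.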
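Review bot: `chsh -s /bin/sh proxy` permanently gives the system `proxy` account a login shell so that `su - proxy -c ...` in service_webproxy.py can run; invoking the compile as `su -s /bin/sh proxy -c "..."` or `runuser -u proxy -- squidGuard ...` would keep the account's nologin shell and need no postinst change at all. If it stays, it should not abort package configuration when the account is absent, `if getent passwd proxy >/dev/null; then chsh -s /bin/sh proxy; fi`, and the comment has a typo: `# ensure the proxy user has a proper shell`.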
@@ -1,122 +0,0 @@ -<!-- included start from webproxy-squidguard.xml.i --> -<leafNode name="allow-category"> - <properties> - <help>Category to allow</help> - <completionHelp> - <script>${vyos_completion_dir}/list_webproxy_category.sh</script> - </completionHelp> - <multi/> - </properties> -</leafNode> -<leafNode name="allow-ipaddr-url"> - <properties> - <help>Allow IP address URLs</help> - <valueless/> - </properties> -</leafNode> -<leafNode name="block-category"> - <properties> - <help>Category to block</help> - <completionHelp> - <script>${vyos_completion_dir}/list_webproxy_category.sh</script> - </completionHelp> - <multi/> - </properties> -</leafNode> -<leafNode name="default-action"> - <properties> - <help>Default action</help> - <completionHelp> - <list>allow block</list> - </completionHelp> - <valueHelp> - <format>allow</format> - <description>Default filter action to allow (default)</description> - </valueHelp> - <valueHelp> - <format>block</format> - <description>Default filter action to allow (default)</description> - </valueHelp> - <constraint> - <regex>^(allow|block)$</regex> - </constraint> - </properties> -</leafNode> -<leafNode name="enable-safe-search"> - <properties> - <help>Enable safe-mode search on popular search engines</help> - </properties> -</leafNode> -<leafNode name="local-block-keyword"> - <properties> - <help>Local keyword to block</help> - <valueHelp> - <format>keyword</format> - <description>Keyword (or regex) to block</description> - </valueHelp> - <multi/> - </properties> -</leafNode> -<leafNode name="local-block-url"> - <properties> - <help>Local URL to block</help> - <valueHelp> - <format>url</format> - <description>Local URL to block (without http:\/\/</description> - </valueHelp> - <constraint> - <regex>^(https?:\/\/)$</regex> - </constraint> - <multi/> - </properties> -</leafNode> -<leafNode name="local-block"> - <properties> - <help>Local site to block</help> - <valueHelp> - <format>ipv4</format> - <description>IP address of 
site to block</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - </constraint> - <multi/> - </properties> -</leafNode> -<leafNode name="local-ok-url"> - <properties> - <help>Local URL to allow</help> - <valueHelp> - <format>url</format> - <description>Local URL to allow (without http:\/\/</description> - </valueHelp> - <constraint> - <regex>^(https?:\/\/)$</regex> - </constraint> - <multi/> - </properties> -</leafNode> -<leafNode name="local-ok"> - <properties> - <help>Local site to allow</help> - <valueHelp> - <format>ipv4</format> - <description>IP address of site to allow</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - </constraint> - <multi/> - </properties> -</leafNode> -<leafNode name="log"> - <properties> - <help>Log block category</help> - <completionHelp> - <script>${vyos_completion_dir}/list_webproxy_category.sh</script> - <list>all</list> - </completionHelp> - <multi/> - </properties> -</leafNode> -<!-- included end --> diff --git a/interface-definitions/include/webproxy-url-filtering.xml.i b/interface-definitions/include/webproxy-url-filtering.xml.i new file mode 100644 index 000000000..de6ebffde --- /dev/null +++ b/interface-definitions/include/webproxy-url-filtering.xml.i 
@@ -0,0 +1,119 @@ +<!-- included start from webproxy-url-filtering.xml.i --> +<leafNode name="allow-category"> + <properties> + <help>Category to allow</help> + <completionHelp> + <script>${vyos_completion_dir}/list_webproxy_category.sh</script> + </completionHelp> + <multi/> + </properties> +</leafNode> +<leafNode name="allow-ipaddr-url"> + <properties> + <help>Allow IP address URLs</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="block-category"> + <properties> + <help>Category to block</help> + <completionHelp> + <script>${vyos_completion_dir}/list_webproxy_category.sh</script> + </completionHelp> + <multi/> + </properties> +</leafNode> +<leafNode name="default-action"> + <properties> + <help>Default action (default: allow)</help> + <completionHelp> + <list>allow block</list> + </completionHelp> + <valueHelp> + <format>allow</format> + <description>Default filter action is allow)</description> + </valueHelp> + <valueHelp> + <format>block</format> + <description>Default filter action is block</description> + </valueHelp> + <constraint> + <regex>^(allow|block)$</regex> + </constraint> + </properties> +</leafNode> +<leafNode name="enable-safe-search"> + <properties> + <help>Enable safe-mode search on popular search engines</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="local-block-keyword"> + <properties> + <help>Local keyword to block</help> + <valueHelp> + <format>keyword</format> + <description>Keyword (or regex) to block</description> + </valueHelp> + <multi/> + </properties> +</leafNode> +<leafNode name="local-block-url"> + <properties> + <help>Local URL to block</help> + <valueHelp> + <format>url</format> + <description>Local URL to block (without "http://")</description> + </valueHelp> + <multi/> + </properties> +</leafNode> +<leafNode name="local-block"> + <properties> + <help>Local site to block</help> + <valueHelp> + <format>ipv4</format> + <description>IP address of site to block</description> + </valueHelp> + 
<constraint> + <validator name="ipv4-address"/> + <validator name="fqdn"/> + </constraint> + <multi/> + </properties> +</leafNode> +<leafNode name="local-ok-url"> + <properties> + <help>Local URL to allow</help> + <valueHelp> + <format>url</format> + <description>Local URL to allow (without "http://")</description> + </valueHelp> + <multi/> + </properties> +</leafNode> +<leafNode name="local-ok"> + <properties> + <help>Local site to allow</help> + <valueHelp> + <format>ipv4</format> + <description>IP address of site to allow</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="fqdn"/> + </constraint> + <multi/> + </properties> +</leafNode> +<leafNode name="log"> + <properties> + <help>Log block category</help> + <completionHelp> + <script>${vyos_completion_dir}/list_webproxy_category.sh</script> + <list>all</list> + </completionHelp> + <multi/> + </properties> +</leafNode> +<!-- included end --> diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index ba33a30f4..4cd8138ec 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -171,11 +171,11 @@ <help>Hostname or IP address of peer</help> <valueHelp> <format>ipv4</format> - <description>Remote syslog server IPv4 address</description> + <description>Squid cache-peer IPv4 address</description> </valueHelp> <valueHelp> <format>hostname</format> - <description>Remote syslog server FQDN</description> + <description>Squid cache-peer hostname</description> </valueHelp> <constraint> <validator name="ip-address"/> 
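Review bot: The valueHelp of `local-block` and `local-ok` still says `<format>ipv4</format>` / `IP address of site ...` although the new constraint also accepts the `fqdn` validator; a second `<valueHelp>` with `<format>hostname</format>` and a matching description keeps the help in step with what is validated. `<description>Default filter action is allow)</description>` has a stray closing parenthesis. `local-block-url` and `local-ok-url` lost their constraint entirely (the old regex could never have matched a real value either), so any string now lands verbatim in the urllist file; a constraint that at least rejects a leading scheme, matching the help text `(without "http://")`, would be the honest replacement.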
@@ -293,7 +293,10 @@ </leafNode> <tagNode name="listen-address"> <properties> - <help>IPv4 address for webproxy to listen on [REQUIRED]</help> + <help>IPv4 listen-address for WebProxy [REQUIRED]</help> + <completionHelp> + <script>${vyos_completion_dir}/list_local_ips.sh --ipv4</script> + </completionHelp> <valueHelp> <format>ipv4</format> <description>IPv4 address listen on</description> @@ -402,7 +405,7 @@ <help>URL filtering via squidGuard redirector</help> </properties> <children> - #include <include/webproxy-squidguard.xml.i> + #include <include/webproxy-url-filtering.xml.i> <node name="auto-update"> <properties> <help>Auto update settings</help> @@ -446,7 +449,7 @@ <constraintErrorMessage>SquidGuard rule must between 1-1024</constraintErrorMessage> </properties> <children> - #include <include/webproxy-squidguard.xml.i> + #include <include/webproxy-url-filtering.xml.i> <leafNode name="redirect-url"> <properties> <help>Redirect URL for filtered websites</help> diff --git a/op-mode-definitions/webproxy.xml b/op-mode-definitions/webproxy.xml index 09cefb929..bccffd0b3 100644 --- a/op-mode-definitions/webproxy.xml +++ b/op-mode-definitions/webproxy.xml @@ -84,7 +84,7 @@ <properties> <help>Show update log for url-filter database</help> </properties> - <command>if [ -e /config/url-filtering/squidguard/updatestatus ]; then cat /config/url-filtering/squidguard/updatestatus; else echo "Update log not found"; fi</command> + <command>if [ -e /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus ]; then cat /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus; else echo "Update log not found"; fi</command> </node> </children> </node> diff --git a/python/vyos/template.py b/python/vyos/template.py index 63d400642..bf087c223 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py 
@@ -248,7 +248,6 @@ def dec_ip(address, decrement):
 from ipaddress import ip_interface
 return str(ip_interface(address).ip - int(decrement))
-
 @register_filter('isc_static_route')
 def isc_static_route(subnet, router):
 # https://ercpe.de/blog/pushing-static-routes-with-isc-dhcp-server
@@ -270,3 +269,9 @@ def isc_static_route(subnet, router):
 string += ','.join(router.split('.'))
 return string
+
+@register_filter('is_file')
+def is_file(filename):
+ if os.path.exists(filename):
+ return os.path.isfile(filename)
+ return False
diff --git a/python/vyos/util.py b/python/vyos/util.py
index fc6915687..494c8155e 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -215,6 +215,30 @@ def read_file(fname, defaultonfailure=None):
 return defaultonfailure
 raise e
+def write_file(fname, data, defaultonfailure=None, user=None, group=None):
+ """
+ Write content of data to given fname, should defaultonfailure be not None,
+ it is returned on failure to read.
+
+ If directory of file is not present, it is auto-created.
+ """
+ dirname = os.path.dirname(fname)
+ if not os.path.isdir(dirname):
+ os.makedirs(dirname, mode=0o755, exist_ok=False)
+ chown(dirname, user, group)
+
+ try:
+ """ Write a file to string """
+ bytes = 0
+ with open(fname, 'w') as f:
+ bytes = f.write(data)
+ chown(fname, user, group)
+ return bytes
+ except Exception as e:
+ if defaultonfailure is not None:
+ return defaultonfailure
+ raise e
+
 def read_json(fname, defaultonfailure=None):
 """
diff --git a/src/completion/list_webproxy_category.sh b/src/completion/list_webproxy_category.sh
index 19f26bf85..a5ad2398a 100755
--- a/src/completion/list_webproxy_category.sh
+++ b/src/completion/list_webproxy_category.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-DB_DIR="/config/url-filtering/squidguard/db/"
+DB_DIR="/opt/vyatta/etc/config/url-filtering/squidguard/db/"
 if [ -d ${DB_DIR} ]; then
 ls -ald ${DB_DIR}/* | grep -E '^(d|l)' | awk '{print $9}' | sed s#${DB_DIR}/##
 fi
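Review bot: The `os.path.exists` guard in `is_file` is redundant, since `os.path.isfile` already returns False for a missing path; the body can be a single `return os.path.isfile(filename)`. A one-line docstring, `"""Jinja filter: True if *filename* names an existing regular file."""`, would document the filter the template relies on.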
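Review bot: The docstring of `write_file` says the default is returned "on failure to read"; this is the write path, so it should say `on failure to write`. `""" Write a file to string """` inside the `try` is a bare string statement rather than a comment, and `bytes` shadows the builtin; a `# write the data, then hand the file to user/group` comment and a name like `written` read better. `chown(dirname, user, group)` is applied to the leaf directory only, whereas `os.makedirs` may also have created parent directories that keep root ownership, and `raise e` inside the `except` can be a bare `raise` so the traceback is preserved unchanged.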
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index 76b72ad48..8dfae348a 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -16,6 +16,7 @@
 import os
+from shutil import rmtree
 from sys import exit
 from vyos.config import Config
@@ -23,6 +24,7 @@ from vyos.configdict import dict_merge
 from vyos.template import render
 from vyos.util import call
 from vyos.util import dict_search
+from vyos.util import write_file
 from vyos.validate import is_addr_assigned
 from vyos.xml import defaults
 from vyos import ConfigError
@@ -31,6 +33,47 @@ airbag.enable()
 squid_config_file = '/etc/squid/squid.conf'
 squidguard_config_file = '/etc/squidguard/squidGuard.conf'
+squidguard_db_dir = '/opt/vyatta/etc/config/url-filtering/squidguard/db'
+user_group = 'proxy'
+
+def generate_sg_localdb(category, list_type, role, proxy):
+ cat_ = category.replace('-', '_')
+ if isinstance(dict_search(f'url_filtering.squidguard.{cat_}', proxy),
+ list):
+
+ # local block databases must be generated "on-the-fly"
+ tmp = {
+ 'squidguard_db_dir' : squidguard_db_dir,
+ 'category' : f'{category}-default',
+ 'list_type' : list_type,
+ 'rule' : role
+ }
+ sg_tmp_file = '/tmp/sg.conf'
+ db_file = f'{category}-default/{list_type}'
+ domains = '\n'.join(dict_search(f'url_filtering.squidguard.{cat_}', proxy))
+
+ # local file
+ write_file(f'{squidguard_db_dir}/{category}-default/local', '',
+ user=user_group, group=user_group)
+ # database input file
+ write_file(f'{squidguard_db_dir}/{db_file}', domains,
+ user=user_group, group=user_group)
+
+ # temporary config file, deleted after generation
+ render(sg_tmp_file, 'squid/sg_acl.conf.tmpl', tmp,
+ user=user_group, group=user_group)
+
+ call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
+
+ if os.path.exists(sg_tmp_file):
+ os.unlink(sg_tmp_file)
+
+ else:
+ # if category is not part of our configuration, clean out the
+ # squidguard lists
+ tmp = f'{squidguard_db_dir}/{category}-default'
+ if os.path.exists(tmp):
+ rmtree(f'{squidguard_db_dir}/{category}-default')
 def get_config(config=None):
 if config:
@@ -55,6 +98,7 @@ def get_config(config=None):
 else:
 # store path to squidGuard config, used when generating Squid config
 proxy['squidguard_conf'] = squidguard_config_file
+ proxy['squidguard_db_dir'] = squidguard_db_dir
 # XXX: T2665: blend in proper cache-peer default values later
 default_values.pop('cache_peer')
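Review bot: `sg_tmp_file = '/tmp/sg.conf'` is a fixed, predictable name in a world-writable directory that render() writes as root and `squidGuard` then reads as `proxy`; creating it with `tempfile.mkstemp` (needs `from tempfile import mkstemp` in the import block) or inside `squidguard_db_dir`, and removing it in a `finally`, avoids both the name clash and the leak when render() raises. `call()` returns the exit status as far as I recall from vyos.util, but it is ignored here, so a list that squidGuard fails to compile passes commit silently; raising ConfigError on non-zero keeps the commit honest. The shell string is built only from module constants and the fixed category names used by generate(), and the user-supplied entries reach squidGuard via the file written by write_file, so there is no injection path today, but a comment saying so is worthwhile because `category` and `list_type` look like free parameters. `dict_search(...)` is evaluated twice and the else branch ignores the `tmp` it just computed for the `os.path.exists` guard; what the empty `local` file is for is also not stated anywhere.
```python
def generate_sg_localdb(category, list_type, role, proxy):
    cat_ = category.replace('-', '_')
    entries = dict_search(f'url_filtering.squidguard.{cat_}', proxy)
    if isinstance(entries, list):
        # … unchanged: tmp dict and db_file …
        domains = '\n'.join(entries)
        # … unchanged: write_file() calls for the local and list files …
        # private temporary file instead of a fixed name in /tmp
        fd, sg_tmp_file = mkstemp(prefix='sg_', suffix='.conf')
        os.close(fd)
        try:
            render(sg_tmp_file, 'squid/sg_acl.conf.tmpl', tmp,
                   user=user_group, group=user_group)
            # every interpolated value is a module constant or one of the
            # fixed category names from generate(); user data is in db_file
            rc = call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
            if rc != 0:
                raise ConfigError(f'squidGuard failed to compile "{db_file}"')
        finally:
            if os.path.exists(sg_tmp_file):
                os.unlink(sg_tmp_file)
    else:
        # if category is not part of our configuration, clean out the
        # squidguard lists
        tmp = f'{squidguard_db_dir}/{category}-default'
        if os.path.exists(tmp):
            rmtree(tmp)
```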
@@ -67,8 +111,6 @@ def get_config(config=None):
 proxy['cache_peer'][peer] = dict_merge(default_values, proxy['cache_peer'][peer])
- import pprint
- pprint.pprint(proxy)
 return proxy
 def verify(proxy):
@@ -121,6 +163,7 @@ def verify(proxy):
 if 'address' not in config:
 raise ConfigError(f'Cache-peer "{peer}" address must be set!')
+
 def generate(proxy):
 if not proxy:
 return None
@@ -128,6 +171,16 @@ def generate(proxy):
 render(squid_config_file, 'squid/squid.conf.tmpl', proxy)
 render(squidguard_config_file, 'squid/squidGuard.conf.tmpl', proxy)
+ cat_dict = {
+ 'local-block' : 'domains',
+ 'local-block-keyword' : 'expressions',
+ 'local-block-url' : 'urls',
+ 'local-ok' : 'domains',
+ 'local-ok-url' : 'urls'
+ }
+ for category, list_type in cat_dict.items():
+ generate_sg_localdb(category, list_type, 'default', proxy)
+
 return None
 def apply(proxy):
-- cgit v1.2.3
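Review bot: `cat_dict` is a constant mapping rebuilt on every generate() call; a module-level constant next to `squidguard_db_dir` and `user_group` makes the set of local list types discoverable in one place and lets generate_sg_localdb refer to the same names. The loop's side effect is not obvious from the call site, since generate_sg_localdb also deletes the list directory of every category that is not configured; a comment above the loop, `# build the local squidGuard list databases, removing those no longer configured`, would state that. generate()'s body continues past the hunk.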