path: root/data/templates/squid/squidGuard.conf.tmpl
blob: 47bc8ee7587b11a31370dffbfabe2f003b3af62a (plain)
### generated by service_webproxy.py ###

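{# sg_rule: emit one squidGuard dest block named "<category>-<rule>".
   A list file is referenced only when it exists under db_dir/<category>/
   (checked with the is_file filter). The list paths are written without
   db_dir; presumably squidGuard resolves them against dbhome - confirm.
   log: when defined and not an explicit False, the destination logs to
   blacklist.log. The allow-category caller passes False to turn logging
   off, and a bare "is defined" test would treat that False as enabled.
   NOTE(review): category and rule are written verbatim into the dest name
   and list paths; this assumes service_webproxy.py has already rejected
   whitespace, braces and path separators in them - confirm. #}
{% macro sg_rule(category, rule, log, db_dir) %}
{% set domains = db_dir + '/' + category + '/domains' %}
{% set urls = db_dir + '/' + category + '/urls' %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
dest {{ category }}-{{ rule }}{
{% if domains | is_file %}
        domainlist     {{ category }}/domains
{% endif %}
{% if urls | is_file %}
        urllist        {{ category }}/urls
{% endif %}
{% if expressions | is_file %}
        expressionlist {{ category }}/expressions
{% endif %}
{% if log is defined and log is not sameas false %}
        log            blacklist.log
{% endif %}
}
{% endmacro %}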

{# Render nothing unless url_filtering is configured, not disabled, and has a
   squidguard node. #}
{% if url_filtering is defined and url_filtering.disable is not defined %}
{%     if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
{%         set sg_config = url_filtering.squidguard %}
{# acl.value accumulates the pass list of the default acl entry. A namespace
   is used because a plain set inside a for loop does not persist after it. #}
{%         set acl = namespace(value='') %}
{# Start the pass list with !in-addr unless allow_ipaddr_url is set. #}
{%         set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
{# ruleacls maps a rule name to that rule's pass list (filled via update()). #}
{%         set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid

{# safesearch: regex substitutions that append a safe-search query parameter
   to matching search URLs. They take effect only in an acl entry that says
   "rewrite safesearch".
   NOTE(review): the patterns are unanchored, and the ? in "yandsearch?" is
   unescaped, so it makes the h optional instead of matching a literal
   question mark - confirm intent. #}
rewrite safesearch {
        s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
        s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
        s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
        s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
        s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
        s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
        log     rewrite.log
}

{# Destinations of the default rule. Each configured option emits a dest block
   and appends its name to acl.value: allow lists are appended as-is, block
   lists with a leading "!". The order of these sections is the order of the
   resulting pass list (local allow lists first, then local block lists, then
   categories). #}
{%         if sg_config.local_ok is defined and sg_config.local_ok is not none %}
{%             set acl.value = acl.value + ' local-ok-default' %}
dest local-ok-default {
        domainlist     local-ok-default/domains
}
{%         endif %}

{%         if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %}
{%             set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
        urllist        local-ok-url-default/urls
}
{%         endif %}

{%         if sg_config.local_block is defined and sg_config.local_block is not none %}
{%             set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
        domainlist     local-block-default/domains
}
{%         endif %}

{%         if sg_config.local_block_url is defined and sg_config.local_block_url is not none %}
{%             set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
        urllist        local-block-url-default/urls
}
{%         endif %}

{%         if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %}
{%             set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
        expressionlist local-block-keyword-default/expressions
}
{%         endif %}

{# Blocked categories: one dest per category, logged according to sg_config.log. #}
{%         if sg_config.block_category is defined and sg_config.block_category is not none %}
{%             for category in sg_config.block_category %}
{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' !' + category + '-default' %}
{%             endfor %}
{%         endif %}
{# Allowed categories: False is passed as the log argument to request no
   logging; whether that takes effect depends on how sg_rule tests it. #}
{%         if sg_config.allow_category is defined and sg_config.allow_category is not none %}
{%             for category in sg_config.allow_category %}
{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' ' + category + '-default' %}
{%             endfor %}
{%         endif %}


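{# Per-rule destinations. For every rule, each configured option emits a dest
   block named "<option>-<rule>" and adds that name to ruleacls[rule], the
   rule's pass list: allow lists as-is, block lists with a leading "!". The
   first entry creates the dict key, later entries are appended after a space.
   Every name written into ruleacls must match a dest emitted here, otherwise
   the acl section refers to a destination that is never defined. #}
{%         if sg_config.rule is defined and sg_config.rule is not none %}
{%             for rule, rule_config in sg_config.rule.items() %}
{%                 if rule_config.local_ok is defined and rule_config.local_ok is not none %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
{%                     endif %}
dest local-ok-{{ rule }} {
    domainlist     local-ok-{{ rule }}/domains
}
{%                 endif %}

{%                 if rule_config.local_ok_url is defined and rule_config.local_ok_url is not none %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
{%                     endif   %}
dest local-ok-url-{{ rule }} {
    urllist     local-ok-url-{{ rule }}/urls
}
{%                 endif %}

{%                 if rule_config.local_block is defined and rule_config.local_block is not none %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
{%                     endif   %}
dest local-block-{{ rule }} {
    domainlist     local-block-{{ rule }}/domains
}
{%                 endif %}

{%                 if rule_config.local_block_url is defined and rule_config.local_block_url is not none %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
{%                     else    %}
{# Fixed: this branch used to write '!ocal-block-url-', a name with no matching
   dest, whenever local_block_url was the first option set on a rule. #}
{%                         set _dummy = ruleacls.update({rule:'!local-block-url-' + rule}) %}
{%                     endif   %}
dest local-block-url-{{ rule }} {
    urllist     local-block-url-{{ rule }}/urls
}
{%                 endif %}

{%                 if rule_config.local_block_keyword is defined and rule_config.local_block_keyword is not none %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
{%                     endif   %}
dest local-block-keyword-{{ rule }} {
    expressionlist     local-block-keyword-{{ rule }}/expressions
}
{%                 endif %}

{# Category destinations are produced by the sg_rule macro; both blocked and
   allowed categories of a rule pass sg_config.log as the log argument. #}
{%                 if rule_config.block_category is defined and rule_config.block_category is not none %}
{%                     for b_category in rule_config.block_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
{%                         else    %}
{%                             set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
{%                         endif   %}
{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif   %}

{%                 if rule_config.allow_category is defined and rule_config.allow_category is not none %}
{%                     for a_category in rule_config.allow_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
{%                         else    %}
{%                             set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
{%                         endif   %}
{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif   %}
{%             endfor %}
{%         endif %}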


{# Source groups: one src block per group that has addresses, with one ip line
   per address. The loop variable has its own name so it does not shadow the
   outer sg_config. #}
{%         if sg_config.source_group is defined and sg_config.source_group is not none %}
{%             for sgroup, group_config in sg_config.source_group.items() %}
{%                 if group_config.address is defined and group_config.address is not none %}
src {{ sgroup }} {
{%                     for address in group_config.address %}
        ip {{ address }}
{%                     endfor %}
}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# Access control: one acl entry per rule, keyed by the rule's source group,
   followed by the default entry. #}
acl {
{%         if sg_config.rule is defined and sg_config.rule is not none %}
{%             for rule, rule_config in sg_config.rule.items() %}
{# The pass list is ruleacls[rule] followed by "none" when default_action is
   'block', otherwise "any".
   NOTE(review): source_group is rendered without a defined check, and
   ruleacls has no entry for a rule that sets none of the local_* or category
   options; presumably service_webproxy.py validates both - confirm. #}
        {{ rule_config.source_group }} {
            pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is defined and rule_config.default_action == 'block' else 'any' }}
        }
{%             endfor %}
{%         endif %}

{# Default entry: optional safe-search rewrite, the accumulated acl.value pass
   list ending in "none" or "any", the redirect for blocked requests, and
   optional logging.
   NOTE(review): the redirect target is plain http:// plus redirect_url, which
   is rendered without a defined check; presumably a default is supplied
   upstream - confirm. #}
        default {
{%         if sg_config.enable_safe_search is defined and sg_config.enable_safe_search is not none %}
            rewrite safesearch
{%         endif %}
            pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'any' }}
            redirect 302:http://{{ sg_config.redirect_url }}
{%         if sg_config.log is defined and sg_config.log is not none %}
            log blacklist.log
{%         endif %}
        }
}
{%     endif %}
{% endif %}