diff options
author | Daniil Baturin <daniil@vyos.io> | 2022-08-03 14:53:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-03 14:53:02 +0100 |
commit | e199ae2dd5636f9177234bb05b77f4a0c9543428 (patch) | |
tree | 6bb352a1be574b5501a002d345a047c9e42728df | |
parent | 89890f5b07a3d59eefe5ce210a20715068c10e0e (diff) | |
parent | 3c97f09dcd77636217215e1aa406f00bfc3e5631 (diff) | |
download | vyos-1x-e199ae2dd5636f9177234bb05b77f4a0c9543428.tar.gz vyos-1x-e199ae2dd5636f9177234bb05b77f4a0c9543428.zip |
Merge pull request #1369 from nicolas-fort/T4480
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
-rw-r--r-- | data/templates/squid/squid.conf.j2 | 10 | ||||
-rw-r--r-- | interface-definitions/service-webproxy.xml.in | 26 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_webproxy.py | 8 |
3 files changed, 44 insertions, 0 deletions
diff --git a/data/templates/squid/squid.conf.j2 b/data/templates/squid/squid.conf.j2 index a0fdeb20e..5781c883f 100644 --- a/data/templates/squid/squid.conf.j2 +++ b/data/templates/squid/squid.conf.j2 @@ -2,6 +2,11 @@ acl net src all acl SSL_ports port 443 +{% if ssl_safe_ports is vyos_defined %} +{% for port in ssl_safe_ports %} +acl SSL_ports port {{ port }} +{% endfor %} +{% endif %} acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https @@ -13,6 +18,11 @@ acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http +{% if safe_ports is vyos_defined %} +{% for port in safe_ports %} +acl Safe_ports port {{ port }} +{% endfor %} +{% endif %} acl CONNECT method CONNECT {% if authentication is vyos_defined %} diff --git a/interface-definitions/service-webproxy.xml.in b/interface-definitions/service-webproxy.xml.in index e4609b699..a315aa2ef 100644 --- a/interface-definitions/service-webproxy.xml.in +++ b/interface-definitions/service-webproxy.xml.in @@ -8,6 +8,32 @@ <priority>500</priority> </properties> <children> + <leafNode name="safe-ports"> + <properties> + <help>Safe port ACL</help> + <valueHelp> + <format>u32:1-1024</format> + <description>Port number. Ports included by default: 21,70,80,210,280,443,488,591,777,873,1025-65535</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-20 --range 22-69 --range 71-79 --range 81-209 --range 211-279 --range 281-442 --range 444-487 --range 489-590 --range 592-776 --range 778-872 --range 874-1024"/> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="ssl-safe-ports"> + <properties> + <help>SSL safe port</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Port number. Ports included by default: 443</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-442 --range 444-65535"/> + </constraint> + <multi/> + </properties> + </leafNode> <leafNode name="append-domain"> <properties> <help>Default domain name</help> diff --git a/smoketest/scripts/cli/test_service_webproxy.py b/smoketest/scripts/cli/test_service_webproxy.py index 772d6ab16..fb9b46a06 100755 --- a/smoketest/scripts/cli/test_service_webproxy.py +++ b/smoketest/scripts/cli/test_service_webproxy.py @@ -87,6 +87,8 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): max_obj_size = '8192' block_mine = ['application/pdf', 'application/x-sh'] body_max_size = '4096' + safe_port = '88' + ssl_safe_port = '8443' self.cli_set(base_path + ['listen-address', listen_ip]) self.cli_set(base_path + ['append-domain', domain]) @@ -104,6 +106,9 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['reply-body-max-size', body_max_size]) + self.cli_set(base_path + ['safe-ports', safe_port]) + self.cli_set(base_path + ['ssl-safe-ports', ssl_safe_port]) + # commit changes self.cli_commit() @@ -122,6 +127,9 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): self.assertIn(f'reply_body_max_size {body_max_size} KB', config) + self.assertIn(f'acl Safe_ports port {safe_port}', config) + self.assertIn(f'acl SSL_ports port {ssl_safe_port}', config) + # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) |