summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-12-12 14:03:54 +0100
committerChristian Poessinger <christian@poessinger.com>2020-12-28 19:42:50 +0100
commita8a019c4f318ba6ad2f83b9b4f605de3830c7b28 (patch)
tree32a2388a9366912167906585b73db2eb92fbfdbd /data/templates
parentc1fcbba9cb45f981e5bd8decf3ebbc1e17d9fbd9 (diff)
downloadvyos-1x-a8a019c4f318ba6ad2f83b9b4f605de3830c7b28.tar.gz
vyos-1x-a8a019c4f318ba6ad2f83b9b4f605de3830c7b28.zip
webproxy: T563: migrate from old Perl code to XML and get_config_dict()
Basic proxy functionality is working but the squidguard smoketest still fails as this is yet not implemented.
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/squid/squid.conf.tmpl128
1 files changed, 128 insertions, 0 deletions
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl
new file mode 100644
index 000000000..1876146dd
--- /dev/null
+++ b/data/templates/squid/squid.conf.tmpl
@@ -0,0 +1,128 @@
+### generated by service_webproxy.py ###
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl net src all
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+{% if authentication is defined and authentication is not none %}
+{% if authentication.children is defined and authentication.children is not none %}
+auth_param basic children {{ authentication.children }}
+{% endif %}
+{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %}
+auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
+{% endif %}
+{% if authentication.realm is defined and authentication.realm is not none %}
+auth_param basic realm "{{ authentication.realm }}"
+{% endif %}
+{# LDAP based Authentication #}
+{% if authentication.method is defined and authentication.method is not none %}
+{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %}
+auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}"
+{% endif %}
+acl auth proxy_auth REQUIRED
+http_access allow auth
+{% endif %}
+{% endif %}
+
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access allow net
+http_access deny all
+
+{% if reply_block_mime is defined and reply_block_mime is not none %}
+{% for mime_type in reply_block_mime %}
+acl BLOCK_MIME rep_mime_type {{ mime_type }}
+{% endfor %}
+http_reply_access deny BLOCK_MIME
+{% endif %}
+
+{% if cache_size is defined and cache_size is not none %}
+{% if cache_size | int > 0 %}
+cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
+{% else %}
+# disabling disk cache
+{% endif %}
+{% endif %}
+{% if mem_cache_size is defined and mem_cache_size is not none %}
+cache_mem {{ mem_cache_size }} MB
+{% endif %}
+{% if disable_access_log is defined %}
+access_log none
+{% else %}
+access_log /var/log/squid/access.log squid
+{% endif %}
+
+{# by default we'll disable the store log #}
+cache_store_log none
+
+{% if append_domain is defined and append_domain is not none %}
+append_domain {{ append_domain }}
+{% endif %}
+{% if maximum_object_size is defined and maximum_object_size is not none %}
+maximum_object_size {{ maximum_object_size }} KB
+{% endif %}
+{% if minimum_object_size is defined and minimum_object_size is not none %}
+minimum_object_size {{ minimum_object_size }} KB
+{% endif %}
+{% if reply_body_max_size is defined and reply_body_max_size is not none %}
+reply_body_max_size {{ reply_body_max_size }} KB
+{% endif %}
+{% if outgoing_address is defined and outgoing_address is not none %}
+tcp_outgoing_address {{ outgoing_address }}
+{% endif %}
+
+
+{% if listen_address is defined and listen_address is not none %}
+{% for address, config in listen_address.items() %}
+http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }}
+{% endfor %}
+{% endif %}
+http_port 127.0.0.1:{{ default_port }}
+
+{# NOT insert the client address in X-Forwarded-For header #}
+forwarded_for off
+
+{% if cache_peer is defined and cache_peer is not none %}
+{% for peer, config in cache_peer.items() %}
+{% if not 'type' in webproxy['cache-peer'][peer] %}
+{% set p_type = "parent" %}
+{% else %}
+{% set p_type = webproxy['cache-peer'][peer]['type'] %}
+{% endif %}
+
+{% if not 'http-port' in webproxy['cache-peer'][peer] %}
+{% set p_http_port = 3128 %}
+{% else %}
+{% set p_http_port = webproxy['cache-peer'][peer]['http-port'] %}
+{% endif %}
+
+{% if not 'icp-port' in webproxy['cache-peer'][peer] %}
+{% set p_icp_port = 0 %}
+{% else %}
+{% set p_icp_port = webproxy['cache-peer'][peer]['icp-port'] %}
+{% endif %}
+
+{% if not 'options' in webproxy['cache-peer'][peer] %}
+{% set p_options = "no-query default" %}
+{% else %}
+{% set p_options = webproxy['cache-peer'][peer]['options'] %}
+{% endif %}
+cache_peer {{ config.address }} {{p_type}} {{p_http_port}} {{p_icp_port}} {{p_options}}
+{% endfor %}
+{% endif %}