authorChristian Poessinger <christian@poessinger.com>2020-12-28 20:07:52 +0100
committerGitHub <noreply@github.com>2020-12-28 20:07:52 +0100
commit829e76f7392e348ccc01c56e9680efb4eba80440 (patch)
tree282dac56ecfccf381fa92ad9027df6779d16ae2f /data
parentc1fcbba9cb45f981e5bd8decf3ebbc1e17d9fbd9 (diff)
parenteeb78e842423319169b036d16601e73227dbffdd (diff)
downloadvyos-1x-829e76f7392e348ccc01c56e9680efb4eba80440.tar.gz
vyos-1x-829e76f7392e348ccc01c56e9680efb4eba80440.zip
Merge pull request #643 from c-po/t563-webproxy
webproxy: T563: migrate from old Perl code to XML and get_config_dict()
Diffstat (limited to 'data')
-rw-r--r--data/templates/squid/sg_acl.conf.tmpl18
-rw-r--r--data/templates/squid/squid.conf.tmpl115
-rw-r--r--data/templates/squid/squidGuard.conf.tmpl91
3 files changed, 224 insertions, 0 deletions
diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.tmpl
new file mode 100644
index 000000000..cb1c3ccb0
--- /dev/null
+++ b/data/templates/squid/sg_acl.conf.tmpl
@@ -0,0 +1,18 @@
+### generated by service_webproxy.py ###
+dbhome {{ squidguard_db_dir }}
+
+dest {{ category }}-{{ rule }} {
+{% if list_type == 'domains' %}
+ domainlist {{ category }}/domains
+{% elif list_type == 'urls' %}
+ urllist {{ category }}/urls
+{% elif list_type == 'expressions' %}
+ expressionlist {{ category }}/expressions
+{% endif %}
+}
+
+acl {
+ default {
+ pass all
+ }
+}
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl
new file mode 100644
index 000000000..8754e762d
--- /dev/null
+++ b/data/templates/squid/squid.conf.tmpl
@@ -0,0 +1,115 @@
+### generated by service_webproxy.py ###
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl net src all
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+{% if authentication is defined and authentication is not none %}
+{% if authentication.children is defined and authentication.children is not none %}
+auth_param basic children {{ authentication.children }}
+{% endif %}
+{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %}
+auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
+{% endif %}
+{% if authentication.realm is defined and authentication.realm is not none %}
+auth_param basic realm "{{ authentication.realm }}"
+{% endif %}
+{# LDAP based Authentication #}
+{% if authentication.method is defined and authentication.method is not none %}
+{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %}
+auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}"
+{% endif %}
+acl auth proxy_auth REQUIRED
+http_access allow auth
+{% endif %}
+{% endif %}
+
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access allow net
+http_access deny all
+
+{% if reply_block_mime is defined and reply_block_mime is not none %}
+{% for mime_type in reply_block_mime %}
+acl BLOCK_MIME rep_mime_type {{ mime_type }}
+{% endfor %}
+http_reply_access deny BLOCK_MIME
+{% endif %}
+
+{% if cache_size is defined and cache_size is not none %}
+{% if cache_size | int > 0 %}
+cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
+{% else %}
+# disabling disk cache
+{% endif %}
+{% endif %}
+{% if mem_cache_size is defined and mem_cache_size is not none %}
+cache_mem {{ mem_cache_size }} MB
+{% endif %}
+{% if disable_access_log is defined %}
+access_log none
+{% else %}
+access_log /var/log/squid/access.log squid
+{% endif %}
+
+{# by default we'll disable the store log #}
+cache_store_log none
+
+{% if append_domain is defined and append_domain is not none %}
+append_domain {{ append_domain }}
+{% endif %}
+{% if maximum_object_size is defined and maximum_object_size is not none %}
+maximum_object_size {{ maximum_object_size }} KB
+{% endif %}
+{% if minimum_object_size is defined and minimum_object_size is not none %}
+minimum_object_size {{ minimum_object_size }} KB
+{% endif %}
+{% if reply_body_max_size is defined and reply_body_max_size is not none %}
+reply_body_max_size {{ reply_body_max_size }} KB
+{% endif %}
+{% if outgoing_address is defined and outgoing_address is not none %}
+tcp_outgoing_address {{ outgoing_address }}
+{% endif %}
+
+
+{% if listen_address is defined and listen_address is not none %}
+{% for address, config in listen_address.items() %}
+http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }}
+{% endfor %}
+{% endif %}
+http_port 127.0.0.1:{{ default_port }}
+
+{# NOT insert the client address in X-Forwarded-For header #}
+forwarded_for off
+
+{# SquidGuard #}
+{% if url_filtering is defined and url_filtering.disable is not defined %}
+{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
+redirect_program /usr/bin/squidGuard -c {{ squidguard_conf }}
+redirect_children 8
+redirector_bypass on
+{% endif %}
+{% endif %}
+
+{% if cache_peer is defined and cache_peer is not none %}
+{% for peer, config in cache_peer.items() %}
+cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }}
+{% endfor %}
+never_direct allow all
+{% endif %}
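Review bot: `http_access allow auth` is emitted above `http_access deny manager`, `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`, and Squid stops at the first matching http_access rule, so an authenticated client is allowed before any of those restrictions is evaluated. Rendering the `acl auth proxy_auth REQUIRED` / `http_access allow auth` pair after the deny rules keeps the port and cache-manager limits in force for authenticated users. Without authentication, `acl net src all` plus `http_access allow net` admits every source that can reach a listen address, so the template relies on the firewall alone to keep the proxy closed; a source ACL built from configured client networks, or at least a comment stating the dependency, would make that explicit. The LDAP helper line passes the bind password as `-w "..."`, which puts it in the helper's argument list where local process listings can show it and where a `"` in the value breaks the line; basic_ldap_auth also accepts `-W <secretfile>`, which reads it from a file that can be restricted to root.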
diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl
new file mode 100644
index 000000000..74de3a651
--- /dev/null
+++ b/data/templates/squid/squidGuard.conf.tmpl
@@ -0,0 +1,91 @@
+### generated by service_webproxy.py ###
+
+{% macro sg_rule(category, log, db_dir) %}
+{% set expressions = db_dir + '/' + category + '/expressions' %}
+dest {{ category }}-default {
+ domainlist {{ category }}/domains
+ urllist {{ category }}/urls
+{% if expressions | is_file %}
+ expressionlist {{ category }}/expressions
+{% endif %}
+{% if log is defined %}
+ log blacklist.log
+{% endif %}
+}
+{% endmacro %}
+
+{% if url_filtering is defined and url_filtering.disable is not defined %}
+{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
+{% set sg_config = url_filtering.squidguard %}
+{% set acl = namespace(value='local-ok-default') %}
+{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+dbhome {{ squidguard_db_dir }}
+logdir /var/log/squid
+
+rewrite safesearch {
+ s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
+ s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
+ s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
+ s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
+ s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
+ s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
+ log rewrite.log
+}
+
+{% if sg_config.local_ok is defined and sg_config.local_ok is not none %}
+{% set acl.value = acl.value + ' local-ok-default' %}
+dest local-ok-default {
+ domainlist local-ok-default/domains
+}
+{% endif %}
+{% if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %}
+{% set acl.value = acl.value + ' local-ok-url-default' %}
+dest local-ok-url-default {
+ urllist local-ok-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block is defined and sg_config.local_block is not none %}
+{% set acl.value = acl.value + ' !local-block-default' %}
+dest local-block-default {
+ domainlist local-block-default/domains
+}
+{% endif %}
+{% if sg_config.local_block_url is defined and sg_config.local_block_url is not none %}
+{% set acl.value = acl.value + ' !local-block-url-default' %}
+dest local-block-url-default {
+ urllist local-block-url-default/urls
+}
+{% endif %}
+{% if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %}
+{% set acl.value = acl.value + ' !local-block-keyword-default' %}
+dest local-block-keyword-default {
+ expressionlist local-block-keyword-default/expressions
+}
+{% endif %}
+
+{% if sg_config.block_category is defined and sg_config.block_category is not none %}
+{% for category in sg_config.block_category %}
+{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' !' + category + '-default' %}
+{% endfor %}
+{% endif %}
+{% if sg_config.allow_category is defined and sg_config.allow_category is not none %}
+{% for category in sg_config.allow_category %}
+{{ sg_rule(category, False, squidguard_db_dir) }}
+{% set acl.value = acl.value + ' ' + category + '-default' %}
+{% endfor %}
+{% endif %}
+acl {
+ default {
+{% if sg_config.enable_safe_search is defined %}
+ rewrite safesearch
+{% endif %}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
+ redirect 302:http://{{ sg_config.redirect_url }}
+{% if sg_config.log is defined and sg_config.log is not none %}
+ log blacklist.log
+{% endif %}
+ }
+}
+{% endif %}
+{% endif %}
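Review bot: `acl.value` is seeded with `local-ok-default` in `namespace(value='local-ok-default')`, but `dest local-ok-default` is only rendered inside the `sg_config.local_ok` conditional, so with no local-ok list configured the final `pass` line names a destination this file never declares; when local_ok is set the name is appended a second time. squidGuard is documented to fall back to emergency mode and pass all requests when its configuration does not load, so this looks like it can switch filtering off silently and is worth confirming against a configuration without local-ok. Starting from `{% set acl = namespace(value='') %}` avoids both cases. Separately, the allow-category loop calls `sg_rule(category, False, squidguard_db_dir)` while the macro tests `{% if log is defined %}`; `False` counts as defined, so `log blacklist.log` is still written for allowed categories, and the macro needs a test that also rejects `False`.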