| -rw-r--r-- | data/templates/squid/sg_acl.conf.j2 (renamed from data/templates/squid/sg_acl.conf.tmpl) | 0 | ||||
| -rw-r--r-- | data/templates/squid/squid.conf.j2 (renamed from data/templates/squid/squid.conf.tmpl) | 38 | ||||
| -rw-r--r-- | data/templates/squid/squidGuard.conf.j2 | 124 | ||||
| -rw-r--r-- | data/templates/squid/squidGuard.conf.tmpl | 124 | ||||
| -rwxr-xr-x | src/conf_mode/service_webproxy.py | 6 | 
5 files changed, 146 insertions, 146 deletions
diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.j2
index ce72b173a..ce72b173a 100644
--- a/data/templates/squid/sg_acl.conf.tmpl
+++ b/data/templates/squid/sg_acl.conf.j2
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.j2
index e8627b022..a0fdeb20e 100644
--- a/data/templates/squid/squid.conf.tmpl
+++ b/data/templates/squid/squid.conf.j2
@@ -16,23 +16,23 @@ acl Safe_ports port 777         # multiling http
 acl CONNECT method CONNECT
 {% if authentication is vyos_defined %}
-{%   if authentication.children is vyos_defined %}
+{%     if authentication.children is vyos_defined %}
 auth_param basic children {{ authentication.children }}
-{%   endif %}
-{%   if authentication.credentials_ttl is vyos_defined %}
+{%     endif %}
+{%     if authentication.credentials_ttl is vyos_defined %}
 auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
-{%   endif %}
-{%   if authentication.realm is vyos_defined %}
+{%     endif %}
+{%     if authentication.realm is vyos_defined %}
 auth_param basic realm "{{ authentication.realm }}"
-{%   endif %}
+{%     endif %}
 {# LDAP based Authentication #}
-{%   if authentication.method is vyos_defined %}
-{%     if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %}
+{%     if authentication.method is vyos_defined %}
+{%         if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %}
 auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}"
-{%     endif %}
+{%         endif %}
 acl auth proxy_auth REQUIRED
 http_access allow auth
-{%   endif %}
+{%     endif %}
 {% endif %}
 http_access allow manager localhost
@@ -44,18 +44,18 @@ http_access allow net
 http_access deny all
 {% if reply_block_mime is vyos_defined %}
-{%   for mime_type in reply_block_mime %}
+{%     for mime_type in reply_block_mime %}
 acl BLOCK_MIME rep_mime_type {{ mime_type }}
-{%   endfor %}
+{%     endfor %}
 http_reply_access deny BLOCK_MIME
 {% endif %}
 {% if cache_size is vyos_defined %}
-{%   if cache_size | int > 0 %}
+{%     if cache_size | int > 0 %}
 cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
-{%   else %}
+{%     else %}
 # disabling disk cache
-{%   endif %}
+{%     endif %}
 {% endif %}
 {% if mem_cache_size is vyos_defined %}
 cache_mem {{ mem_cache_size }} MB
@@ -87,9 +87,9 @@ tcp_outgoing_address {{ outgoing_address }}
 {% if listen_address is vyos_defined %}
-{%   for address, config in listen_address.items() %}
+{%     for address, config in listen_address.items() %}
 http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }}
-{%   endfor %}
+{%     endfor %}
 {% endif %}
 http_port 127.0.0.1:{{ default_port }}
@@ -104,8 +104,8 @@ url_rewrite_bypass on
 {% endif %}
 {% if cache_peer is vyos_defined %}
-{%   for peer, config in cache_peer.items() %}
+{%     for peer, config in cache_peer.items() %}
 cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }}
-{%   endfor %}
+{%     endfor %}
 never_direct allow all
 {% endif %}
diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2
new file mode 100644
index 000000000..1bc4c984f
--- /dev/null
+++ b/data/templates/squid/squidGuard.conf.j2
@@ -0,0 +1,124 @@
+### generated by service_webproxy.py ###
+
+{% macro sg_rule(category, log, db_dir) %}
+{% set expressions = db_dir + '/' + category + '/expressions' %}
+dest {{ category }}-default {
+        domainlist     {{ category }}/domains
+        urllist        {{ category }}/urls
+{% if expressions | is_file %}
+        expressionlist {{ category }}/expressions
+{% endif %}
+{% if log is vyos_defined %}
+        log            blacklist.log
+{% endif %}
+}
+{% endmacro %}
+
+{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
+{%     if url_filtering.squidguard is vyos_defined %}
+{%         set sg_config = url_filtering.squidguard %}
+{%         set acl = namespace(value='local-ok-default') %}
+{%         set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+dbhome {{ squidguard_db_dir }}
+logdir /var/log/squid
+
+rewrite safesearch {
+        s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
+        s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
+        s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
+        s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
+        s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
+        s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
+        log     rewrite.log
+}
+
+{%         if sg_config.local_ok is vyos_defined %}
+{%             set acl.value = acl.value + ' local-ok-default' %}
+dest local-ok-default {
+        domainlist     local-ok-default/domains
+}
+{%         endif %}
+{%         if sg_config.local_ok_url is vyos_defined %}
+{%             set acl.value = acl.value + ' local-ok-url-default' %}
+dest local-ok-url-default {
+        urllist        local-ok-url-default/urls
+}
+{%         endif %}
+{%         if sg_config.local_block is vyos_defined %}
+{%             set acl.value = acl.value + ' !local-block-default' %}
+dest local-block-default {
+        domainlist     local-block-default/domains
+}
+{%         endif %}
+{%         if sg_config.local_block_url is vyos_defined %}
+{%             set acl.value = acl.value + ' !local-block-url-default' %}
+dest local-block-url-default {
+        urllist        local-block-url-default/urls
+}
+{%         endif %}
+{%         if sg_config.local_block_keyword is vyos_defined %}
+{%             set acl.value = acl.value + ' !local-block-keyword-default' %}
+dest local-block-keyword-default {
+        expressionlist local-block-keyword-default/expressions
+}
+{%         endif %}
+
+{%         if sg_config.block_category is vyos_defined %}
+{%             for category in sg_config.block_category %}
+{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{%                 set acl.value = acl.value + ' !' + category + '-default' %}
+{%             endfor %}
+{%         endif %}
+{%         if sg_config.allow_category is vyos_defined %}
+{%             for category in sg_config.allow_category %}
+{{ sg_rule(category, False, squidguard_db_dir) }}
+{%                 set acl.value = acl.value + ' ' + category + '-default' %}
+{%             endfor %}
+{%         endif %}
+{%         if sg_config.source_group is vyos_defined %}
+{%             for sgroup, sg_config in sg_config.source_group.items() %}
+{%                 if sg_config.address is vyos_defined %}
+src {{ sgroup }} {
+{%                     for address in sg_config.address %}
+        ip {{ address }}
+{%                     endfor %}
+}
+
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%         if sg_config.rule is vyos_defined %}
+{%             for rule, rule_config in sg_config.rule.items() %}
+{%                 for b_category in rule_config.block_category %}
+dest {{ b_category }} {
+        domainlist    {{ b_category }}/domains
+        urllist       {{ b_category }}/urls
+}
+{%                 endfor %}
+
+{%             endfor %}
+{%         endif %}
+acl {
+{%         if sg_config.rule is vyos_defined %}
+{%             for rule, rule_config in sg_config.rule.items() %}
+        {{ rule_config.source_group }} {
+{%                 for b_category in rule_config.block_category %}
+            pass local-ok-1 !in-addr !{{ b_category }} all
+{%                 endfor %}
+        }
+{%             endfor %}
+{%         endif %}
+
+        default {
+{%         if sg_config.enable_safe_search is vyos_defined %}
+            rewrite safesearch
+{%         endif %}
+            pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
+            redirect 302:http://{{ sg_config.redirect_url }}
+{%         if sg_config.log is vyos_defined %}
+            log blacklist.log
+{%         endif %}
+        }
+}
+{%     endif %}
+{% endif %}
diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl
deleted file mode 100644
index 5e877f01f..000000000
--- a/data/templates/squid/squidGuard.conf.tmpl
+++ /dev/null
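Review bot: `pass local-ok-1 !in-addr !{{ b_category }} all`, emitted for every source-group rule inside the `acl {` block, names a `local-ok-1` destination that no `dest` block in this template defines (the only local allow lists it emits are `local-ok-default` and `local-ok-url-default`), so unless that dest is supplied elsewhere the per-group rules presumably never resolve as intended; please check a rendered config and either emit a matching `dest local-ok-1 { ... }` or reference `local-ok-default` here. The `allow_ipaddr_url` check near the top is the one place the file tests `is not defined` rather than `is not vyos_defined`, which is worth aligning with the rest so an empty or null value is treated the same way everywhere. The loop `{%             for sgroup, sg_config in sg_config.source_group.items() %}` rebinds `sg_config` to the per-group entry, which Jinja's loop scoping makes work, but a distinct name such as `group_config` would make the two levels harder to confuse. Finally, `redirect 302:http://{{ sg_config.redirect_url }}` is rendered without a `vyos_defined` guard, so unless verify() in service_webproxy.py requires `redirect_url` the generated line can end in a bare `http://`.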
@@ -1,124 +0,0 @@
-### generated by service_webproxy.py ###
-
-{% macro sg_rule(category, log, db_dir) %}
-{%   set expressions = db_dir + '/' + category + '/expressions' %}
-dest {{ category }}-default {
-        domainlist     {{ category }}/domains
-        urllist        {{ category }}/urls
-{%   if expressions | is_file %}
-        expressionlist {{ category }}/expressions
-{%   endif %}
-{%   if log is vyos_defined %}
-        log            blacklist.log
-{%   endif %}
-}
-{% endmacro %}
-
-{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
-{%   if url_filtering.squidguard is vyos_defined %}
-{%     set sg_config = url_filtering.squidguard %}
-{%     set acl = namespace(value='local-ok-default') %}
-{%     set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
-dbhome {{ squidguard_db_dir }}
-logdir /var/log/squid
-
-rewrite safesearch {
-        s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
-        s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
-        s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
-        s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
-        s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
-        s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
-        log     rewrite.log
-}
-
-{%     if sg_config.local_ok is vyos_defined %}
-{%       set acl.value = acl.value + ' local-ok-default' %}
-dest local-ok-default {
-        domainlist     local-ok-default/domains
-}
-{% endif %}
-{%     if sg_config.local_ok_url is vyos_defined %}
-{%       set acl.value = acl.value + ' local-ok-url-default' %}
-dest local-ok-url-default {
-        urllist        local-ok-url-default/urls
-}
-{% endif %}
-{%     if sg_config.local_block is vyos_defined %}
-{%       set acl.value = acl.value + ' !local-block-default' %}
-dest local-block-default {
-        domainlist     local-block-default/domains
-}
-{% endif %}
-{%     if sg_config.local_block_url is vyos_defined %}
-{%       set acl.value = acl.value + ' !local-block-url-default' %}
-dest local-block-url-default {
-        urllist        local-block-url-default/urls
-}
-{% endif %}
-{%     if sg_config.local_block_keyword is vyos_defined %}
-{%       set acl.value = acl.value + ' !local-block-keyword-default' %}
-dest local-block-keyword-default {
-        expressionlist local-block-keyword-default/expressions
-}
-{% endif %}
-
-{%     if sg_config.block_category is vyos_defined %}
-{%       for category in sg_config.block_category %}
-{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
-{%         set acl.value = acl.value + ' !' + category + '-default' %}
-{%       endfor %}
-{%     endif %}
-{%     if sg_config.allow_category is vyos_defined %}
-{%       for category in sg_config.allow_category %}
-{{ sg_rule(category, False, squidguard_db_dir) }}
-{%         set acl.value = acl.value + ' ' + category + '-default' %}
-{%       endfor %}
-{%     endif %}
-{%     if sg_config.source_group is vyos_defined %}
-{%       for sgroup, sg_config in sg_config.source_group.items() %}
-{%         if sg_config.address is vyos_defined %}
-src {{ sgroup }} {
-{%           for address in sg_config.address %}
-        ip {{ address }}
-{%           endfor %}
-}
-
-{%         endif %}
-{%       endfor %}
-{%     endif %}
-{%     if sg_config.rule is vyos_defined %}
-{%       for rule, rule_config in sg_config.rule.items() %}
-{%         for b_category in rule_config.block_category%}
-dest {{ b_category }} {
-        domainlist    {{ b_category }}/domains
-        urllist       {{ b_category }}/urls
-}
-{%         endfor %}
-
-{%       endfor %}
-{%     endif %}
-acl {
-{%     if sg_config.rule is vyos_defined %}
-{%       for rule, rule_config in sg_config.rule.items() %}
-        {{ rule_config.source_group }} {
-{%         for b_category in rule_config.block_category%}
-            pass local-ok-1 !in-addr !{{ b_category }} all
-{%         endfor %}
-        }
-{%       endfor %}
-{%     endif %}
-
-        default {
-{%     if sg_config.enable_safe_search is vyos_defined %}
-            rewrite safesearch
-{%     endif %}
-            pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
-            redirect 302:http://{{ sg_config.redirect_url }}
-{%     if sg_config.log is vyos_defined %}
-            log blacklist.log
-{%     endif %}
-        }
-}
-{%   endif %}
-{% endif %}
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index a16cc4aeb..32af31bde 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -61,7 +61,7 @@ def generate_sg_localdb(category, list_type, role, proxy):
                     user=user_group, group=user_group)
         # temporary config file, deleted after generation
-        render(sg_tmp_file, 'squid/sg_acl.conf.tmpl', tmp,
+        render(sg_tmp_file, 'squid/sg_acl.conf.j2', tmp,
                user=user_group, group=user_group)
         call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
@@ -166,8 +166,8 @@ def generate(proxy):
     if not proxy:
         return None
-    render(squid_config_file, 'squid/squid.conf.tmpl', proxy)
-    render(squidguard_config_file, 'squid/squidGuard.conf.tmpl', proxy)
+    render(squid_config_file, 'squid/squid.conf.j2', proxy)
+    render(squidguard_config_file, 'squid/squidGuard.conf.j2', proxy)
     cat_dict = {
         'local-block' : 'domains',
