From eeb78e842423319169b036d16601e73227dbffdd Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 27 Dec 2020 11:43:27 +0100
Subject: webproxy: T563: squidguard: support default ruleset

---
 data/templates/squid/sg_acl.conf.tmpl     | 18 ++++++++
 data/templates/squid/squidGuard.conf.tmpl | 75 ++++++++++++++++++++++++++++++-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 data/templates/squid/sg_acl.conf.tmpl


diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.tmpl
new file mode 100644
index 000000000..cb1c3ccb0
--- /dev/null
+++ b/data/templates/squid/sg_acl.conf.tmpl
@@ -0,0 +1,18 @@
+### generated by service_webproxy.py ###
+dbhome {{ squidguard_db_dir }}
+
+dest {{ category }}-{{ rule }} {
+{% if list_type == 'domains' %}
+    domainlist      {{ category }}/domains
+{% elif list_type == 'urls' %}
+    urllist         {{ category }}/urls
+{% elif list_type == 'expressions' %}
+    expressionlist  {{ category }}/expressions
+{% endif %}
+}
+
+acl {
+    default {
+        pass all
+    }
+}
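Review bot: The `dest {{ category }}-{{ rule }}` block on line 23 is emitted with an empty body when `list_type` is none of `domains`, `urls` or `expressions`, so a typo in the caller produces a syntactically valid but meaningless destination instead of a visible error; an `{% else %}` branch emitting a marker such as `{% else %}# unsupported list_type: {{ list_type }}{% endif %}` would make the mismatch show up in the rendered file. The three list kinds here duplicate the ones hard-coded in the `sg_rule` macro of squidGuard.conf.tmpl, so the two templates need to stay in sync. The file also has no statement of purpose; since its only ACL is `pass all`, it is presumably a minimal config for exercising a single category database rather than a production filter, and a header comment such as `{# minimal squidGuard config for one category/list; not a filtering policy (default ACL passes everything) #}` would prevent it being reused as one.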
diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl
index 907043614..74de3a651 100644
--- a/data/templates/squid/squidGuard.conf.tmpl
+++ b/data/templates/squid/squidGuard.conf.tmpl
@@ -1,7 +1,25 @@
 ### generated by service_webproxy.py ###
+
+{% macro sg_rule(category, log, db_dir) %}
+{%   set expressions = db_dir + '/' + category + '/expressions' %}
+dest {{ category }}-default {
+        domainlist     {{ category }}/domains
+        urllist        {{ category }}/urls
+{%   if expressions | is_file %}
+        expressionlist {{ category }}/expressions
+{%   endif %}
+{%   if log is defined %}
+        log            blacklist.log
+{%   endif %}
+}
+{% endmacro %}
+
 {% if url_filtering is defined and url_filtering.disable is not defined %}
 {%   if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
-dbhome /opt/vyatta/etc/config/url-filtering/squidguard/db
+{%     set sg_config = url_filtering.squidguard %}
+{%     set acl = namespace(value='local-ok-default') %}
+{%     set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+dbhome {{ squidguard_db_dir }}
 logdir /var/log/squid
 
 rewrite safesearch {
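Review bot: The macro's `{% if log is defined %}` on line 53 is true for any value actually passed, including the explicit `False` that the allow-category loop passes in the next hunk (`sg_rule(category, False, squidguard_db_dir)`), so allowed categories get `log blacklist.log` as well; the intent reads as `{% if log is defined and log is not none and log is not sameas false %}`. Separately, the namespace on line 63 is initialised to `'local-ok-default'`, so that destination name is always present in the final `pass` line even when no `dest local-ok-default` block is rendered (it is conditional on `sg_config.local_ok` in the next hunk, which also appends the same name a second time); unless squidGuard tolerates a reference to an undefined destination, `{% set acl = namespace(value='') %}` is what is wanted. The `dest` block in the macro lists `domains` and `urls` unconditionally but `expressions` only after an `is_file` check; if the former two can also be absent for a category, the same guard presumably belongs on them.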
@@ -14,5 +32,60 @@ rewrite safesearch {
         log     rewrite.log
 }
 
+{%     if sg_config.local_ok is defined and sg_config.local_ok is not none %}
+{%       set acl.value = acl.value + ' local-ok-default' %}
+dest local-ok-default {
+        domainlist     local-ok-default/domains
+}
+{% endif %}
+{%     if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %}
+{%       set acl.value = acl.value + ' local-ok-url-default' %}
+dest local-ok-url-default {
+        urllist        local-ok-url-default/urls
+}
+{% endif %}
+{%     if sg_config.local_block is defined and sg_config.local_block is not none %}
+{%       set acl.value = acl.value + ' !local-block-default' %}
+dest local-block-default {
+        domainlist     local-block-default/domains
+}
+{% endif %}
+{%     if sg_config.local_block_url is defined and sg_config.local_block_url is not none %}
+{%       set acl.value = acl.value + ' !local-block-url-default' %}
+dest local-block-url-default {
+        urllist        local-block-url-default/urls
+}
+{% endif %}
+{%     if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %}
+{%       set acl.value = acl.value + ' !local-block-keyword-default' %}
+dest local-block-keyword-default {
+        expressionlist local-block-keyword-default/expressions
+}
+{% endif %}
+
+{%     if sg_config.block_category is defined and sg_config.block_category is not none %}
+{%       for category in sg_config.block_category %}
+{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{%         set acl.value = acl.value + ' !' + category + '-default' %}
+{%       endfor %}
+{%     endif %}
+{%     if sg_config.allow_category is defined and sg_config.allow_category is not none %}
+{%       for category in sg_config.allow_category %}
+{{ sg_rule(category, False, squidguard_db_dir) }}
+{%         set acl.value = acl.value + ' ' + category + '-default' %}
+{%       endfor %}
+{%     endif %}
+acl {
+    default {
+{%     if sg_config.enable_safe_search is defined %}
+        rewrite safesearch
+{%     endif %}
+        pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
+        redirect 302:http://{{ sg_config.redirect_url }}
+{%     if sg_config.log is defined and sg_config.log is not none %}
+        log blacklist.log
+{%     endif %}
+    }
+}
 {%   endif %}
 {% endif %}
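Review bot: The `pass` line on line 121 ends in `allow` when no block default is configured, while squidGuard's own keyword for that catch-all (and the one the new sg_acl.conf.tmpl uses) is `all`; unless this squidGuard build accepts `allow`, the ternary should read `{{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'all' }}`. The `redirect 302:http://{{ sg_config.redirect_url }}` on line 122 is the only `sg_config` key in the hunk emitted without an `is defined` guard, so a missing value renders a dangling `redirect 302:http://`; wrapping it in `{% if sg_config.redirect_url is defined %}` matches the handling of the other keys, and hard-coding the `http://` scheme should be checked against what the CLI validator permits for that value. The `{% endif %}` lines at 78, 84, 90, 96 and 102 are at column 0 while their matching `{% if %}` lines are indented to depth two, which makes the nesting hard to follow. The enclosing `{% if url_filtering ... %}` blocks this hunk closes are opened in the previous hunk.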