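### generated by service_webproxy.py ###

{#
  squidGuard configuration template.

  Layout of the rendered file:
    1. dbhome/logdir and the "safesearch" rewrite block
    2. "dest" blocks for the default policy (local lists, then categories)
    3. "dest" blocks for each named rule
    4. "src" blocks for each source group
    5. the "acl" block that ties sources to pass lists

  Two accumulators build the pass lists while the dest blocks are emitted:
    acl.value       - pass list of the default acl (namespace, so that
                      assignments made inside loops survive the loop scope)
    ruleacls[rule]  - pass list of each named rule
  An entry prefixed with "!" denies the destination, a bare entry allows it.
  Every name placed in a pass list must match a "dest" block emitted here.
#}

{# Emit one "dest" block for a blocklist category.
   category - category directory name below db_dir
   rule     - suffix that makes the dest name unique ('default' or a rule name)
   log      - when vyos_defined, hits are logged to blacklist.log
   db_dir   - squidGuard database directory, only used for the is_file probes
   List types whose file does not exist below db_dir are left out. #}
{% macro sg_rule(category, rule, log, db_dir) %}
{# NOTE(review): category is joined into a filesystem path and written into
   the config verbatim; presumably the CLI definition restricts it to a plain
   name - verify against the caller. #}
{%     set domains = db_dir + '/' + category + '/domains' %}
{%     set urls = db_dir + '/' + category + '/urls' %}
{%     set expressions = db_dir + '/' + category + '/expressions' %}
dest {{ category }}-{{ rule }}{
{%     if domains | is_file %}
    domainlist {{ category }}/domains
{%     endif %}
{%     if urls | is_file %}
    urllist {{ category }}/urls
{%     endif %}
{%     if expressions | is_file %}
    expressionlist {{ category }}/expressions
{%     endif %}
{%     if log is vyos_defined %}
    log blacklist.log
{%     endif %}
}
{% endmacro %}

{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{%     if url_filtering.squidguard is vyos_defined %}
{%         set sg_config = url_filtering.squidguard %}
{%         set acl = namespace(value='') %}
{# URLs addressed by bare IP are denied unless allow_ipaddr_url is set #}
{%         set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
{%         set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid

rewrite safesearch {
    s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
    s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
    s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
    s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
    log rewrite.log
}

{# ---- default policy: local allow/block lists ---- #}
{%         if sg_config.local_ok is vyos_defined %}
{%             set acl.value = acl.value + ' local-ok-default' %}
dest local-ok-default {
    domainlist local-ok-default/domains
}
{%         endif %}
{%         if sg_config.local_ok_url is vyos_defined %}
{%             set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
    urllist local-ok-url-default/urls
}
{%         endif %}
{%         if sg_config.local_block is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
    domainlist local-block-default/domains
}
{%         endif %}
{%         if sg_config.local_block_url is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
    urllist local-block-url-default/urls
}
{%         endif %}
{%         if sg_config.local_block_keyword is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
    expressionlist local-block-keyword-default/expressions
}
{%         endif %}

{# ---- default policy: blocklist categories ---- #}
{%         if sg_config.block_category is vyos_defined %}
{%             for category in sg_config.block_category %}
{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' !' + category + '-default' %}
{%             endfor %}
{%         endif %}
{%         if sg_config.allow_category is vyos_defined %}
{%             for category in sg_config.allow_category %}
{# NOTE(review): False is passed as "log" here, while the per-rule
   allow_category loop passes sg_config.log. Confirm that the vyos_defined
   test treats False as not defined; otherwise allowed categories also
   write to blacklist.log. #}
{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' ' + category + '-default' %}
{%             endfor %}
{%         endif %}

{# ---- named rules ---- #}
{%         if sg_config.rule is vyos_defined %}
{%             for rule, rule_config in sg_config.rule.items() %}
{%                 if rule_config.local_ok is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
{%                     endif %}
dest local-ok-{{ rule }} {
    domainlist local-ok-{{ rule }}/domains
}
{%                 endif %}
{%                 if rule_config.local_ok_url is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
{%                     endif %}
dest local-ok-url-{{ rule }} {
    urllist local-ok-url-{{ rule }}/urls
}
{%                 endif %}
{%                 if rule_config.local_block is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
{%                     endif %}
dest local-block-{{ rule }} {
    domainlist local-block-{{ rule }}/domains
}
{%                 endif %}
{%                 if rule_config.local_block_url is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
{%                     else %}
{# The pass-list entry must name the dest block emitted just below
   (local-block-url-<rule>). The first-entry branch used to write
   '!ocal-block-url-', a destination this template never defines, so the
   rule's URL block list was not referenced when it was the rule's first
   entry. #}
{%                         set _dummy = ruleacls.update({rule:'!local-block-url-' + rule}) %}
{%                     endif %}
dest local-block-url-{{ rule }} {
    urllist local-block-url-{{ rule }}/urls
}
{%                 endif %}
{%                 if rule_config.local_block_keyword is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
{%                     endif %}
dest local-block-keyword-{{ rule }} {
    expressionlist local-block-keyword-{{ rule }}/expressions
}
{%                 endif %}
{%                 if rule_config.block_category is vyos_defined %}
{%                     for b_category in rule_config.block_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
{%                         else %}
{%                             set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
{%                         endif %}
{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif %}
{%                 if rule_config.allow_category is vyos_defined %}
{%                     for a_category in rule_config.allow_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
{%                         else %}
{%                             set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
{%                         endif %}
{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# ---- source groups ---- #}
{%         if sg_config.source_group is vyos_defined %}
{# The loop variable is named sgroup_config so that it does not shadow
   sg_config, which the acl block below still reads. #}
{%             for sgroup, sgroup_config in sg_config.source_group.items() %}
{%                 if sgroup_config.address is vyos_defined %}
src {{ sgroup }} {
{%                     for address in sgroup_config.address %}
    ip {{ address }}
{%                     endfor %}
}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# ---- access control ---- #}
acl {
{%         if sg_config.rule is vyos_defined %}
{%             for rule, rule_config in sg_config.rule.items() %}
{# NOTE(review): a rule without source_group renders an unnamed acl entry,
   and a rule without any list or category has no ruleacls entry, leaving
   only the default action in its pass list. Presumably
   service_webproxy.py validates both - verify. #}
    {{ rule_config.source_group }} {
        pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }}
    }
{%             endfor %}
{%         endif %}
    default {
{%         if sg_config.enable_safe_search is vyos_defined %}
        rewrite safesearch
{%         endif %}
        pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }}
{# redirect_url is written verbatim behind a fixed http:// scheme;
   presumably the CLI definition constrains its value - verify. #}
        redirect 302:http://{{ sg_config.redirect_url }}
{%         if sg_config.log is vyos_defined %}
        log blacklist.log
{%         endif %}
    }
}
{%     endif %}
{% endif %}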