### generated by service_webproxy.py ###
{# Squid configuration rendered from the VyOS "service webproxy" CLI tree.
   Squid evaluates http_access rules top to bottom and the first match wins,
   so the relative order of the allow/deny lines in this file is load-bearing;
   read the NOTE(review) comments before moving any of them. #}
{# "net" matches every source address; combined with "http_access allow net"
   below this makes the proxy usable by anyone who can reach a listening
   socket (reachability is controlled elsewhere, not in this template). #}
acl net src all
{# Destination ports CONNECT (HTTPS tunnelling) may target: 443 plus any extra
   ports configured via ssl_safe_ports. #}
acl SSL_ports port 443
{% if ssl_safe_ports is vyos_defined %}
{% for port in ssl_safe_ports %}
acl SSL_ports port {{ port }}
{% endfor %}
{% endif %}
{# Destination ports plain requests may use. 1025-65535 is already included,
   so the explicit entries only matter for the privileged/low port range. #}
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 873 # rsync
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
{% if safe_ports is vyos_defined %}
{% for port in safe_ports %}
acl Safe_ports port {{ port }}
{% endfor %}
{% endif %}
acl CONNECT method CONNECT
{# Domain block list. The deny is emitted before every allow rule, so it
   applies to all clients, authenticated or not. Whether a leading "."
   (match subdomains too) is present in each entry is not decided here;
   the value is emitted exactly as configured. #}
{% if domain_block is vyos_defined %}
{% for domain in domain_block %}
acl BLOCKDOMAIN dstdomain {{ domain }}
{% endfor %}
http_access deny BLOCKDOMAIN
{% endif %}
{# Domains whose responses must never be stored in the cache.
   NOTE(review): "no_cache" is the pre-3.x spelling of the "cache" directive;
   confirm the shipped Squid still accepts it rather than only warning. #}
{% if domain_noncache is vyos_defined %}
{% for domain in domain_noncache %}
acl NOCACHE dstdomain {{ domain }}
{% endfor %}
no_cache deny NOCACHE
{% endif %}
{# Proxy authentication (HTTP Basic). Basic credentials are only base64
   encoded in the Proxy-Authorization header and none of the http_port lines
   below enable TLS, so the client-to-proxy hop carries them effectively in
   clear text. #}
{% if authentication is vyos_defined %}
{% if authentication.children is vyos_defined %}
{# number of concurrently running authenticator helper processes #}
auth_param basic children {{ authentication.children }}
{% endif %}
{% if authentication.credentials_ttl is vyos_defined %}
{# how long a successful lookup is cached before the helper is asked again #}
auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
{% endif %}
{% if authentication.realm is vyos_defined %}
{# realm string shown to the user by the browser's credential prompt #}
auth_param basic realm "{{ authentication.realm }}"
{% endif %}
{# LDAP based Authentication #}
{% if authentication.method is vyos_defined %}
{% if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %}
{# NOTE(review): the bind password is passed as -w "<password>" on the helper
   command line, so it is readable in the rendered squid.conf and in the
   helper's process listing; basic_ldap_auth also accepts reading it from a
   file (-W) — confirm whether that is preferable here. All values are
   interpolated without escaping: a bind_dn, password or filter containing a
   double quote would break the argument quoting on this line. -ZZ
   (presumably "StartTLS required") is only emitted when use_ssl is set;
   without it the bind credentials and every user password sent to the LDAP
   server cross the network unencrypted. -R disables referral chasing. #}
auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}"
{% endif %}
{# NOTE(review): this allow is emitted before "deny !Safe_ports" and
   "deny CONNECT !SSL_ports", so any authenticated client — from any source
   address — bypasses both port restrictions and may CONNECT to arbitrary
   ports. Squid's documented default layout puts both denies before every
   allow; confirm whether the current order is intended. #}
acl auth proxy_auth REQUIRED
http_access allow auth
{% endif %}
{% endif %}
{# cache manager interface: reachable from the proxy host only #}
http_access allow manager localhost
http_access deny manager
{# destination port restrictions (see NOTE(review) above on which clients
   actually reach these two rules) #}
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
{# every source address is allowed; when no authentication block is
   configured this is the rule that admits ordinary clients #}
http_access allow net
http_access deny all
{# Drop responses whose Content-Type matches a configured MIME type. This
   acts on the reply, so the request itself still reaches the origin. #}
{% if reply_block_mime is vyos_defined %}
{% for mime_type in reply_block_mime %}
acl BLOCK_MIME rep_mime_type {{ mime_type }}
{% endfor %}
http_reply_access deny BLOCK_MIME
{% endif %}
{# On-disk cache: a size of 0 means no cache_dir is emitted at all #}
{% if cache_size is vyos_defined %}
{% if cache_size | int > 0 %}
cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
{% else %}
# disabling disk cache
{% endif %}
{% endif %}
{% if mem_cache_size is vyos_defined %}
cache_mem {{ mem_cache_size }} MB
{% endif %}
{# Access log. NOTE(review): "access_log none" removes the only record of
   which client fetched which URL, which matters for incident response;
   worth a warning in the CLI help if there is none. #}
{% if disable_access_log is vyos_defined %}
access_log none
{% else %}
access_log /var/log/squid/access.log squid
{% endif %}
{# by default we'll disable the store log #}
cache_store_log none
{# suffix appended to single-label hostnames before lookup #}
{% if append_domain is vyos_defined %}
append_domain {{ append_domain }}
{% endif %}
{# object size limits are configured in KB on the CLI #}
{% if maximum_object_size is vyos_defined %}
maximum_object_size {{ maximum_object_size }} KB
{% endif %}
{% if minimum_object_size is vyos_defined %}
minimum_object_size {{ minimum_object_size }} KB
{% endif %}
{# upper bound on the size of any response body delivered to a client #}
{% if reply_body_max_size is vyos_defined %}
reply_body_max_size {{ reply_body_max_size }} KB
{% endif %}
{# source address used for connections to origin servers / peers #}
{% if outgoing_address is vyos_defined %}
tcp_outgoing_address {{ outgoing_address }}
{% endif %}
{# One listening socket per configured address. The port is "intercept"
   (transparent) unless disable_transparent is set; the traffic redirection
   that feeds an intercept port is configured outside this template. #}
{% if listen_address is vyos_defined %}
{% for address, config in listen_address.items() %}
http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }}
{% endfor %}
{% endif %}
{# a plain (non-intercept) forward-proxy port is always opened on loopback #}
http_port 127.0.0.1:{{ default_port }}
{# NOT insert the client address in X-Forwarded-For header #}
{# privacy choice: upstream servers cannot attribute requests to individual
   clients, only to the proxy #}
forwarded_for off
{# SquidGuard #}
{# NOTE(review): "url_rewrite_bypass on" makes URL filtering fail-open — per
   Squid's documentation, requests are passed through unfiltered whenever all
   8 helper children are busy. Confirm that is the intended trade-off for a
   filtering deployment. #}
{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %}
url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }}
url_rewrite_children 8
url_rewrite_bypass on
{% endif %}
{# Upstream cache peers. config.options is emitted verbatim, so anything
   valid on a cache_peer line (including login=... credentials) lands in
   squid.conf as typed. "never_direct allow all" forces every request through
   a peer; if no peer is reachable, requests fail rather than going direct. #}
{% if cache_peer is vyos_defined %}
{% for peer, config in cache_peer.items() %}
cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }}
{% endfor %}
never_direct allow all
{% endif %}