blob: 1bc4c984f31e155c591e88efe54ee341eaca8b4c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
### generated by service_webproxy.py ###
{% macro sg_rule(category, log, db_dir) %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
dest {{ category }}-default {
domainlist {{ category }}/domains
urllist {{ category }}/urls
{% if expressions | is_file %}
expressionlist {{ category }}/expressions
{% endif %}
{% if log is vyos_defined %}
log blacklist.log
{% endif %}
}
{% endmacro %}
{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{% if url_filtering.squidguard is vyos_defined %}
{% set sg_config = url_filtering.squidguard %}
{% set acl = namespace(value='local-ok-default') %}
{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid
rewrite safesearch {
s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
log rewrite.log
}
{% if sg_config.local_ok is vyos_defined %}
{% set acl.value = acl.value + ' local-ok-default' %}
dest local-ok-default {
domainlist local-ok-default/domains
}
{% endif %}
{% if sg_config.local_ok_url is vyos_defined %}
{% set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
urllist local-ok-url-default/urls
}
{% endif %}
{% if sg_config.local_block is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
domainlist local-block-default/domains
}
{% endif %}
{% if sg_config.local_block_url is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
urllist local-block-url-default/urls
}
{% endif %}
{% if sg_config.local_block_keyword is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
expressionlist local-block-keyword-default/expressions
}
{% endif %}
{% if sg_config.block_category is vyos_defined %}
{% for category in sg_config.block_category %}
{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
{% set acl.value = acl.value + ' !' + category + '-default' %}
{% endfor %}
{% endif %}
{% if sg_config.allow_category is vyos_defined %}
{% for category in sg_config.allow_category %}
{{ sg_rule(category, False, squidguard_db_dir) }}
{% set acl.value = acl.value + ' ' + category + '-default' %}
{% endfor %}
{% endif %}
{% if sg_config.source_group is vyos_defined %}
{% for sgroup, sg_config in sg_config.source_group.items() %}
{% if sg_config.address is vyos_defined %}
src {{ sgroup }} {
{% for address in sg_config.address %}
ip {{ address }}
{% endfor %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if sg_config.rule is vyos_defined %}
{% for rule, rule_config in sg_config.rule.items() %}
{% for b_category in rule_config.block_category %}
dest {{ b_category }} {
domainlist {{ b_category }}/domains
urllist {{ b_category }}/urls
}
{% endfor %}
{% endfor %}
{% endif %}
acl {
{% if sg_config.rule is vyos_defined %}
{% for rule, rule_config in sg_config.rule.items() %}
{{ rule_config.source_group }} {
{% for b_category in rule_config.block_category %}
pass local-ok-1 !in-addr !{{ b_category }} all
{% endfor %}
}
{% endfor %}
{% endif %}
default {
{% if sg_config.enable_safe_search is vyos_defined %}
rewrite safesearch
{% endif %}
pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
redirect 302:http://{{ sg_config.redirect_url }}
{% if sg_config.log is vyos_defined %}
log blacklist.log
{% endif %}
}
}
{% endif %}
{% endif %}
|