diff options
| author | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
|---|---|---|
| committer | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
| commit | cc86483fdf7a6bd988f485c06402fd07368dd26e (patch) | |
| tree | 9d892a9715106cc67bf1e57b15b999aa7e564057 /data/templates/squid | |
| parent | 704ca2322d0bebcb923f5136f0f69fb23651a484 (diff) | |
| download | vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.tar.gz vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.zip | |
T6357: create test repository to validate setup
Diffstat (limited to 'data/templates/squid')
| -rw-r--r-- | data/templates/squid/sg_acl.conf.j2 | 17 | ||||
| -rw-r--r-- | data/templates/squid/squid.conf.j2 | 126 | ||||
| -rw-r--r-- | data/templates/squid/squidGuard.conf.j2 | 206 |
3 files changed, 349 insertions, 0 deletions
diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2 new file mode 100644 index 0000000..78297a2 --- /dev/null +++ b/data/templates/squid/sg_acl.conf.j2 @@ -0,0 +1,17 @@ +### generated by service_webproxy.py ### +dbhome {{ squidguard_db_dir }} +dest {{ category }}-{{ rule }} { +{% if list_type == 'domains' %} + domainlist {{ category }}/domains +{% elif list_type == 'urls' %} + urllist {{ category }}/urls +{% elif list_type == 'expressions' %} + expressionlist {{ category }}/expressions +{% endif %} +} + +acl { + default { + pass all + } +} diff --git a/data/templates/squid/squid.conf.j2 b/data/templates/squid/squid.conf.j2 new file mode 100644 index 0000000..b953c8b --- /dev/null +++ b/data/templates/squid/squid.conf.j2 @@ -0,0 +1,126 @@ +### generated by service_webproxy.py ### + +acl net src all +acl SSL_ports port 443 +{% if ssl_safe_ports is vyos_defined %} +{% for port in ssl_safe_ports %} +acl SSL_ports port {{ port }} +{% endfor %} +{% endif %} +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 873 # rsync +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +{% if safe_ports is vyos_defined %} +{% for port in safe_ports %} +acl Safe_ports port {{ port }} +{% endfor %} +{% endif %} +acl CONNECT method CONNECT +{% if domain_block is vyos_defined %} +{% for domain in domain_block %} +acl BLOCKDOMAIN dstdomain {{ domain }} +{% endfor %} +http_access deny BLOCKDOMAIN +{% endif %} +{% if authentication is vyos_defined %} +{% if authentication.children is vyos_defined %} +auth_param basic children {{ authentication.children }} +{% endif %} +{% if authentication.credentials_ttl is vyos_defined %} +auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute +{% endif %} +{% if authentication.realm is vyos_defined %} +auth_param basic realm "{{ authentication.realm }}" +{% endif %} +{# LDAP based Authentication #} +{% if authentication.method is vyos_defined %} +{% if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %} +auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}" +{% endif %} +acl auth proxy_auth REQUIRED +http_access allow auth +{% endif %} +{% endif %} + +http_access allow manager localhost +http_access deny manager +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost +http_access allow net +http_access deny all + +{% if reply_block_mime is vyos_defined %} +{% for mime_type in reply_block_mime %} +acl BLOCK_MIME rep_mime_type {{ mime_type }} +{% endfor %} +http_reply_access deny BLOCK_MIME +{% endif %} + +{% if cache_size is vyos_defined %} +{% if cache_size | int > 0 %} +cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 +{% else %} +# disabling disk cache +{% endif %} +{% endif %} +{% if mem_cache_size is vyos_defined %} +cache_mem {{ mem_cache_size }} MB +{% endif %} +{% if disable_access_log is vyos_defined %} +access_log none +{% else %} +access_log /var/log/squid/access.log squid +{% endif %} + +{# by default we'll disable the store log #} +cache_store_log none + +{% if append_domain is vyos_defined %} +append_domain {{ append_domain }} +{% endif %} +{% if maximum_object_size is vyos_defined %} +maximum_object_size {{ maximum_object_size }} KB +{% endif %} +{% if minimum_object_size is vyos_defined %} +minimum_object_size {{ minimum_object_size }} KB +{% endif %} +{% if reply_body_max_size is vyos_defined %} +reply_body_max_size {{ reply_body_max_size }} KB +{% endif %} +{% if outgoing_address is vyos_defined %} +tcp_outgoing_address {{ outgoing_address }} +{% endif %} + + +{% if listen_address is vyos_defined %} +{% for address, config in listen_address.items() %} +http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }} +{% endfor %} +{% endif %} +http_port 127.0.0.1:{{ default_port }} + +{# NOT insert the client address in X-Forwarded-For header #} +forwarded_for off + +{# SquidGuard #} +{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %} +url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }} +url_rewrite_children 8 +url_rewrite_bypass on +{% endif %} + +{% if cache_peer is vyos_defined %} +{% for peer, config in cache_peer.items() %} +cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} +{% endfor %} +never_direct allow all +{% endif %} diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2 new file mode 100644 index 0000000..a93f878 --- /dev/null +++ b/data/templates/squid/squidGuard.conf.j2 @@ -0,0 +1,206 @@ +### generated by service_webproxy.py ### + +{% macro sg_rule(category, rule, log, db_dir) %} +{% set domains = db_dir + '/' + category + '/domains' %} +{% set urls = db_dir + '/' + category + '/urls' %} +{% set expressions = db_dir + '/' + category + '/expressions' %} +dest {{ category }}-{{ rule }}{ +{% if domains | is_file %} + domainlist {{ category }}/domains +{% endif %} +{% if urls | is_file %} + urllist {{ category }}/urls +{% endif %} +{% if expressions | is_file %} + expressionlist {{ category }}/expressions +{% endif %} +{% if log is vyos_defined %} + log blacklist.log +{% endif %} +} +{% endmacro %} + +{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %} +{% if url_filtering.squidguard is vyos_defined %} +{% set sg_config = url_filtering.squidguard %} +{% set acl = namespace(value='') %} +{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} +{% set ruleacls = {} %} +dbhome {{ squidguard_db_dir }} +logdir /var/log/squid + +rewrite safesearch { + s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i + s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i + s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i + s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i + log rewrite.log +} + +{% if sg_config.local_ok is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-default' %} +dest local-ok-default { + domainlist local-ok-default/domains +} +{% endif %} + +{% if sg_config.local_ok_url is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-url-default' %} +dest local-ok-url-default { + urllist local-ok-url-default/urls +} +{% endif %} + +{% if sg_config.local_block is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-default' %} +dest local-block-default { + domainlist local-block-default/domains +} +{% endif %} + +{% if sg_config.local_block_url is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-url-default' %} +dest local-block-url-default { + urllist local-block-url-default/urls +} +{% endif %} + +{% if sg_config.local_block_keyword is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-keyword-default' %} +dest local-block-keyword-default { + expressionlist local-block-keyword-default/expressions +} +{% endif %} + +{% if sg_config.block_category is vyos_defined %} +{% for category in sg_config.block_category %} +{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }} +{% set acl.value = acl.value + ' !' + category + '-default' %} +{% endfor %} +{% endif %} +{% if sg_config.allow_category is vyos_defined %} +{% for category in sg_config.allow_category %} +{{ sg_rule(category, 'default', False, squidguard_db_dir) }} +{% set acl.value = acl.value + ' ' + category + '-default' %} +{% endfor %} +{% endif %} + + +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} +{% if rule_config.local_ok is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %} +{% endif %} +dest local-ok-{{ rule }} { + domainlist local-ok-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_ok_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %} +{% endif %} +dest local-ok-url-{{ rule }} { + urllist local-ok-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %} +{% endif %} +dest local-block-{{ rule }} { + domainlist local-block-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_block_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %} +{% endif %} +dest local-block-url-{{ rule }} { + urllist local-block-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block_keyword is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %} +{% endif %} +dest local-block-keyword-{{ rule }} { + expressionlist local-block-keyword-{{ rule }}/expressions +} +{% endif %} + +{% if rule_config.block_category is vyos_defined %} +{% for b_category in rule_config.block_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} + +{% if rule_config.allow_category is vyos_defined %} +{% for a_category in rule_config.allow_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + + +{% if sg_config.source_group is vyos_defined %} +{% for sgroup, sg_config in sg_config.source_group.items() %} +{% if sg_config.address is vyos_defined %} +src {{ sgroup }} { +{% for address in sg_config.address %} + ip {{ address }} +{% endfor %} +} +{% endif %} +{% endfor %} +{% endif %} + +acl { +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} + {{ rule_config.source_group }} { + pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }} + } +{% endfor %} +{% endif %} + + default { +{% if sg_config.enable_safe_search is vyos_defined %} + rewrite safesearch +{% endif %} + pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }} + redirect 302:http://{{ sg_config.redirect_url }} +{% if sg_config.log is vyos_defined %} + log blacklist.log +{% endif %} + } +} +{% endif %} +{% endif %} |