path: root/data/templates/squid/squidGuard.conf.j2
### generated by service_webproxy.py ###

{# sg_rule: emit one squidGuard dest block named <category>-<rule>.
   category - blacklist category name, also used as the sub-directory under db_dir
   rule     - suffix for the dest name (callers pass 'default' or a rule name)
   log      - when it passes the vyos_defined test, 'log blacklist.log' is added
   db_dir   - directory that is checked for the category's list files
   A list directive is written only when the matching file exists under
   <db_dir>/<category>/. The emitted paths are relative, presumably resolved
   against the dbhome directive - confirm.
   NOTE(review): if none of the three files exists, the dest block is emitted
   with no lists, yet callers still add <category>-<rule> to the ACL pass line.
   Confirm how squidGuard treats an empty dest, since a block category that
   silently matches nothing leaves that category unfiltered. #}
{% macro sg_rule(category, rule, log, db_dir) %}
{% set domains = db_dir + '/' + category + '/domains' %}
{% set urls = db_dir + '/' + category + '/urls' %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
dest {{ category }}-{{ rule }}{
{% if domains | is_file %}
        domainlist     {{ category }}/domains
{% endif %}
{% if urls | is_file %}
        urllist        {{ category }}/urls
{% endif %}
{% if expressions | is_file %}
        expressionlist {{ category }}/expressions
{% endif %}
{% if log is vyos_defined %}
        log            blacklist.log
{% endif %}
}
{% endmacro %}

{# The whole squidGuard configuration is rendered only when url_filtering is
   defined, is not disabled, and has a squidguard sub-node. #}
{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{%     if url_filtering.squidguard is vyos_defined %}
{%         set sg_config = url_filtering.squidguard %}
{# acl.value accumulates the pass list of the default ACL. A namespace object is
   used so that assignments made inside the for loops below remain visible
   after the loop ends. #}
{%         set acl = namespace(value='') %}
{# URLs whose host is a literal IP address are denied (!in-addr) unless
   allow_ipaddr_url is set. Note this line uses the plain 'defined' test while
   the rest of the template uses vyos_defined. #}
{%         set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
{# ruleacls maps a rule name to the pass-list string built for that rule. #}
{%         set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid

{# Safe-search rewrite: each expression appends the engine's safe-search query
   parameter to a matching search URL. The block is always emitted, but it only
   takes effect where an ACL references it ('rewrite safesearch' in the default
   ACL when enable_safe_search is set).
   NOTE(review): the expressions match on the URL path and query. For HTTPS
   requests that reach the proxy as CONNECT tunnels, that part of the URL is
   presumably not visible, so enforcement would be limited to plain HTTP or
   decrypted traffic - confirm against the deployment. #}
rewrite safesearch {
        s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
        s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
        s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
        s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
        s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
        s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
        log     rewrite.log
}

{# Default-scope local lists. Each configured list does two things: it appends
   its dest name to the default ACL pass list (allow lists as-is, block lists
   negated with '!'), and it emits the matching dest block. Only the relative
   list path is written here; the list files themselves are not created by this
   template (presumably by the generating script - confirm).
   Order matters: allow entries are appended before block entries, so an entry
   on local-ok is passed before any block list is consulted. #}
{%         if sg_config.local_ok is vyos_defined %}
{%             set acl.value = acl.value + ' local-ok-default' %}
dest local-ok-default {
        domainlist     local-ok-default/domains
}
{%         endif %}

{%         if sg_config.local_ok_url is vyos_defined %}
{%             set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
        urllist        local-ok-url-default/urls
}
{%         endif %}

{%         if sg_config.local_block is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
        domainlist     local-block-default/domains
}
{%         endif %}

{%         if sg_config.local_block_url is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
        urllist        local-block-url-default/urls
}
{%         endif %}

{%         if sg_config.local_block_keyword is vyos_defined %}
{%             set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
        expressionlist local-block-keyword-default/expressions
}
{%         endif %}

{# Default-scope categories: one dest block per category via sg_rule, plus the
   matching entry in the default ACL pass list. Block categories are negated
   with '!' and inherit the logging setting from sg_config.log. #}
{%         if sg_config.block_category is vyos_defined %}
{%             for category in sg_config.block_category %}
{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' !' + category + '-default' %}
{%             endfor %}
{%         endif %}
{# NOTE(review): allow categories pass the literal False as 'log', and sg_rule
   tests it with 'log is vyos_defined'. Confirm that test is false for False;
   otherwise allowed categories would also write to blacklist.log. #}
{%         if sg_config.allow_category is vyos_defined %}
{%             for category in sg_config.allow_category %}
{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{%                 set acl.value = acl.value + ' ' + category + '-default' %}
{%             endfor %}
{%         endif %}


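{# Per-rule lists and categories. For every rule this section emits the dest
   blocks the rule needs and builds the rule's pass-list string in
   ruleacls[rule]: the first entry creates the key, later entries are appended
   with a leading space. Block entries are negated with '!'.
   Every name placed in ruleacls must match a dest name emitted here exactly,
   because the ACL section later writes ruleacls[rule] verbatim on a 'pass'
   line. A pass line that names an undefined dest is a configuration error;
   squidGuard is expected to stop filtering in that case (emergency mode) -
   confirm for the deployed version. #}
{%         if sg_config.rule is vyos_defined %}
{%             for rule, rule_config in sg_config.rule.items() %}
{%                 if rule_config.local_ok is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
{%                     else %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
{%                     endif %}
dest local-ok-{{ rule }} {
    domainlist     local-ok-{{ rule }}/domains
}
{%                 endif %}

{%                 if rule_config.local_ok_url is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
{%                     endif   %}
dest local-ok-url-{{ rule }} {
    urllist     local-ok-url-{{ rule }}/urls
}
{%                 endif %}

{%                 if rule_config.local_block is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
{%                     endif   %}
dest local-block-{{ rule }} {
    domainlist     local-block-{{ rule }}/domains
}
{%                 endif %}

{%                 if rule_config.local_block_url is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
{%                     else    %}
{# Fixed: this branch previously wrote '!ocal-block-url-' (missing 'l'), so a
   rule whose first list was local_block_url referenced a dest that is never
   defined instead of the local-block-url dest emitted just below. #}
{%                         set _dummy = ruleacls.update({rule:'!local-block-url-' + rule}) %}
{%                     endif   %}
dest local-block-url-{{ rule }} {
    urllist     local-block-url-{{ rule }}/urls
}
{%                 endif %}

{%                 if rule_config.local_block_keyword is vyos_defined %}
{%                     if rule in ruleacls %}
{%                         set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
{%                     else    %}
{%                         set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
{%                     endif   %}
dest local-block-keyword-{{ rule }} {
    expressionlist     local-block-keyword-{{ rule }}/expressions
}
{%                 endif %}

{# Categories: the dest block comes from sg_rule and is named
   <category>-<rule>, matching the name added to ruleacls. #}
{%                 if rule_config.block_category is vyos_defined %}
{%                     for b_category in rule_config.block_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
{%                         else    %}
{%                             set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
{%                         endif   %}
{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif   %}

{# Unlike the default scope, per-rule allow categories pass sg_config.log
   through to sg_rule rather than False. #}
{%                 if rule_config.allow_category is vyos_defined %}
{%                     for a_category in rule_config.allow_category %}
{%                         if rule in ruleacls %}
{%                             set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
{%                         else    %}
{%                             set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
{%                         endif   %}
{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
{%                     endfor %}
{%                 endif   %}
{%             endfor %}
{%         endif %}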


{# Source groups: one src block per group that has addresses, listing each
   configured address on an 'ip' line exactly as it appears in the config.
   The loop target reuses the name sg_config for the per-group value. Jinja
   scopes loop targets to the loop body, so the outer sg_config should be
   visible again afterwards; the ACL section below depends on that. #}
{%         if sg_config.source_group is vyos_defined %}
{%             for sgroup, sg_config in sg_config.source_group.items() %}
{%                 if sg_config.address is vyos_defined %}
src {{ sgroup }} {
{%                     for address in sg_config.address %}
        ip {{ address }}
{%                     endfor %}
}
{%                 endif %}
{%             endfor %}
{%         endif %}

{# ACL section. Each rule gets a section named after its source group with a
   single 'pass' line: the rule's accumulated list from ruleacls, followed by
   'none' when default_action is 'block' and by 'any' in every other case.
   Anything not matched by a block entry is therefore allowed unless
   default_action is explicitly 'block'.
   NOTE(review): rule_config.source_group and ruleacls[rule] are used without a
   check here. A rule with no source group, or with no lists or categories,
   would render an incomplete section - presumably rejected earlier by the
   generating script; confirm.
   NOTE(review): per-rule sections contain only the pass line; redirect, log
   and the safe-search rewrite appear only under 'default'. Confirm that
   requests denied by a per-rule section are redirected and logged as
   intended. #}
acl {
{%         if sg_config.rule is vyos_defined %}
{%             for rule, rule_config in sg_config.rule.items() %}
        {{ rule_config.source_group }} {
            pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }}
        }
{%             endfor %}
{%         endif %}

{# Default ACL: applies to clients not matched by a source-group section. The
   redirect target is always written with the http:// scheme and a 302 status. #}
        default {
{%         if sg_config.enable_safe_search is vyos_defined %}
            rewrite safesearch
{%         endif %}
            pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }}
            redirect 302:http://{{ sg_config.redirect_url }}
{%         if sg_config.log is vyos_defined %}
            log blacklist.log
{%         endif %}
        }
}
{%     endif %}
{% endif %}