#
# Automatically generated configuration for Squid.
# Do not edit this file manually.

{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpsconfig(network, tags='') -%}
  {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem  dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
  {% endif %}
{%- endmacro %}

{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
{% endif %}

# Setup listen configuration
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{%   for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{%      for intf_key,intf_item in interfaces.iteritems() %}
{%          if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{%          endif %}
{%      endfor %}
{# virtual ip's #}
{%      if helpers.exists('virtualip') %}
{%          for intf_key,intf_item in virtualip.iteritems() %}
{%              if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{%              endif %}
{%          endfor %}
{%      endif %}
{%   endfor %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
ssl_bump peek bump_step1 all
ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump

# No bypass for upstream certificate validation errors ("deny all" = ignore none):
# a bumped server whose certificate fails validation is not silently passed on to the client.
sslproxy_cert_error deny all
{% endif %}

acl ftp proto FTP
http_access allow ftp

{% if helpers.exists('OPNsense.proxy.forward.ftpTransparentMode') and OPNsense.proxy.forward.ftpTransparentMode == '1' %}
# transparent mode, listen on localhost
ftp_port 127.0.0.1:{{ OPNsense.proxy.forward.ftpPort }} intercept
ftp_port [::1]:{{ OPNsense.proxy.forward.ftpPort }} intercept
{% endif %}

# Setup ftp proxy
{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
{%   for interface in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
{%      for intf_key,intf_item in interfaces.iteritems() %}
{%          if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
ftp_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{%          endif %}
{%      endfor %}
{# virtual ip's #}
{%      if helpers.exists('virtualip') %}
{%          for intf_key,intf_item in virtualip.iteritems() %}
{%              if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{%              endif %}
{%          endfor %}
{%      endif %}
{%   endfor %}
{% endif %}

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{%  if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{%      if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{%      for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{%          for intf_key,intf_item in interfaces.iteritems() %}
{%              if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
acl localnet src {{intf_item.ipaddr.split(".")[0:3]|join(".")}}.0/{{intf_item.subnet}} # Possible internal network - NOTE(review): the network is derived by keeping the first three octets and appending .0, which is only the true network address for a /24; for prefixes longer than /24 the generated network can exclude the interface's own subnet (Squid appears to re-mask shorter prefixes itself, with a warning), and an IPv6 ipaddr, if one can occur here, would render an invalid literal
{%              endif %}
{%          endfor %}
{%          if helpers.exists('virtualip') %}
{%              for intf_key,intf_item in virtualip.iteritems() %}
{%                  if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{# NOTE(review): elsewhere in this file intf_item.subnet is used as the bind address of an IP alias
   (http_port/ftp_port), yet here it fills both the address and the prefix/netmask slot, rendering
   "A.B.C.D/A.B.C.D". If Squid reads the second value as a dotted netmask the match is not a proper
   prefix and may admit unrelated sources -- confirm which virtualip field holds the prefix length. #}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
{%                  endif %}
{%              endfor %}
{%          endif %}
{%      endfor %}
{%      endif %}
{%  endif %}
{% endif %}
# Default allow for local-link and private networks
# NOTE(review): these two IPv6 ranges join localnet unconditionally -- they sit outside the
# addACLforInterfaceSubnets switch above, so "http_access allow localnet" further down admits
# any ULA or link-local source regardless of the selected interfaces.
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}

# ACL - Allow Subnets - User defined (subnets)
{%  for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}

# ACL - Unrestricted IPs - User defined (unrestricted)
{%  for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}

# ACL - Banned Hosts - User defined (bannedHosts)
{%  for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL - Whitelist - User defined (whiteList); entries become url_regex patterns, and a plain entry (no ^, $, [ or \) only gets its dots escaped, so it matches anywhere in the URL rather than being anchored
{%  for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl whiteList url_regex {{element}}
{%      else %}
acl whiteList url_regex {{element|replace(".","\.")}}
{%      endif %}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}

# ACL - Blacklist - User defined (blackList); entries become url_regex patterns, and a plain entry (no ^, $, [ or \) only gets its dots escaped, so it matches anywhere in the URL rather than being anchored
{%  for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl blackList url_regex {{element}}
{%      else %}
acl blackList url_regex {{element|replace(".","\.")}}
{%      endif %}
{%  endfor %}
{% endif %}

# ACL - Remote fetched Blacklist (remoteblacklist)
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
{%      if blacklist.enabled=='1' %}
acl remoteblacklist_{{blacklist.filename}} dstdomain "/usr/local/etc/squid/acl/{{blacklist.filename}}"
{%      endif %}
{%   endfor %}
{% endif %}

# ACL - Block browser/user-agent - User defined (browser)
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
{%  for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}

# ACL - Block MIME types - User defined (mimetype)
{%  for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
acl blockmimetypes_requests req_mime_type {{element}}
{%  endfor %}
{% endif %}

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
# NOTE(review): SSL_ports is referenced unconditionally by the "deny CONNECT !SSL_ports" rules
# further down; with an empty sslPorts setting no SSL_ports ACL is emitted at all, which Squid is
# expected to reject as an undefined ACL name. The same applies to Safe_ports below.
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{%  for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
{# each element is "port:description"; a missing description renders as "unknown" #}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{%  endfor %}
{% endif %}

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ACL - Safe_ports
{%  for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{%  endfor %}
{% endif %}
# CONNECT method; combined with SSL_ports further down to restrict tunnels to the configured ports
acl CONNECT method CONNECT

# ICAP SETTINGS
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
# enable icap
icap_enable on
{%   if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
{%   endif %}

# send user information to the icap server
{%   if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
adaptation_send_client_ip on
{%   else %}
adaptation_send_client_ip off
{%   endif %}
{%   if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
adaptation_send_username on
{%   else %}
adaptation_send_username off
{%   endif %}
{%   if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
icap_client_username_encode on
{%   else %}
icap_client_username_encode off
{%   endif %}

# preview
{%   if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
icap_preview_enable on
{%   else %}
icap_preview_enable off
{%   endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
{%   endif %}

# add the servers
{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
{%   endif %}
{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
{%   endif %}

{% else %}
# disable icap
icap_enable off
{% endif %}

# Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}

# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}

# ACL list (Allow) whitelist - http_access is first-match: this rule precedes the Safe_ports, CONNECT, bannedHosts and authentication rules below, so whitelisted URLs are allowed without passing those checks
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}

#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{%   endfor %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}

# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}

# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}

http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}

{% endif %}

# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}

http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}

http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}

# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager

# Deny requests to localhost: this protects web applications running on the
# proxy host that assume only a local user can reach services on "localhost".
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost

#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}

#
# ACL - localnet - by default this covers the address ranges of the selected interfaces (allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet

# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}

# ACL list (Allow) subnets
{%   if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{%   endif %}
http_access allow subnets
{% endif %}

# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all

{% if helpers.exists('OPNsense.proxy.general.cache.local')  %}
cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
{%   if OPNsense.proxy.general.cache.local.maximum_object_size|default('') != '' %}
maximum_object_size {{OPNsense.proxy.general.cache.local.maximum_object_size}} MB
{# when objects larger than 4 MB may be cached, switch to the heap LFUDA replacement policy #}
{%      if OPNsense.proxy.general.cache.local.maximum_object_size|int > 4 %}
cache_replacement_policy heap LFUDA
{%      endif %}
{%   endif %}
{%  if OPNsense.proxy.general.cache.local.enabled == '1' %}
# Disk cache directory (only emitted when the local cache is enabled).
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{%  endif %}
{% endif %}

# Leave coredumps in the first cache dir
# NOTE(review): this path is fixed, while cache_dir above is taken from
# OPNsense.proxy.general.cache.local.directory, so the two may differ.
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# Squid Options
{% if helpers.exists('OPNsense.proxy.general.dnsV4First') %}
{%      if OPNsense.proxy.general.dnsV4First == '1' %}
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
{%      endif %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
{%      if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
# Disable access logging
access_log none
{%      elif OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
# ignore source hosts from access.log
acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
access_log /var/log/squid/access.log squid !accesslog_ignore
{%      endif %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') %}
{%      if OPNsense.proxy.general.logging.enable.storeLog == '0' %}
# Disable cache store log
cache_store_log none
{%      else %}
cache_store_log /var/log/squid/store.log
{%      endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
{%   for dns in OPNsense.proxy.general.alternateDNSservers.split(",") %}
dns_nameservers {{dns}}
{%   endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.useViaHeader') %}
{%      if OPNsense.proxy.general.useViaHeader == '0' %}
# Disable the Via header
via off
{%      endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.suppressVersion') %}
{%      if OPNsense.proxy.general.suppressVersion == '1' %}
# Suppress the HTTP version string (default=off)
httpd_suppress_version_string on
{%      endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.icpPort') %}
{%      if OPNsense.proxy.general.icpPort != '' %}
icp_port {{OPNsense.proxy.general.icpPort}}
{%      endif %}
{% endif %}
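{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI whitespace handling (default=strip)
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded-For header handling (default=on)
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{%  endif %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{%  endif %}
{# Throttling values are presumably configured in kbit/s: "|int // 8 * 1000" turns them into the
   bytes/s that delay_parameters expects. Squid syntax: delay_parameters <pool> <aggregate> <network> <individual>,
   each given as restore/max, with -1/-1 meaning unlimited; a class 3 pool needs all three pairs. #}
{%  if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{%      if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
# Define per-host and overall bandwidth throttling
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{%      else %}
# Define per-host throttling only: the pool id and the unlimited aggregate/network pairs
# are required for a class 3 pool (the other delay_parameters lines show the same shape)
delay_parameters 1 -1/-1 -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
{%      endif %}
{%  endif %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
# Define overall bandwidth throttling (class 1 pool: aggregate only)
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{%  endif %}
{% endif %}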
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
{% if helpers.exists('OPNsense.proxy.general.VisibleHostname') %}
# Define visible hostname
visible_hostname {{OPNsense.proxy.general.VisibleHostname}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.VisibleEmail') %}
# Define visible email
cache_mgr {{OPNsense.proxy.general.VisibleEmail}}
{% endif %}