Commit 53e4be27 authored by Mikhail Morev's avatar Mikhail Morev Committed by GitHub

Updated listeners generation

Slightly extended sslbump_httpsconfig macro to make usable in regular listener strings; renamed macro to listener_config.
parent c9e1423f
......@@ -3,46 +3,44 @@
# Do not edit this file manually.
#
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %}
{# wrap listener configuration for reuse #}
{% macro listener_config(network, port='3129', tags='', protocol='') -%}
{% if protocol == 'ssl' %}
{% set listener_type = 'https_port' %}
{% else %}
{% set listener_type = 'http_port' %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
{% endif %}
{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
# Setup transparent mode listeners on loopback interfaces
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{% endif %}
# Setup listen configuration
# Setup regular listeners configuration
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% else %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endif %}
{% endfor %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% else %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment