Commit 6b88fe1f authored by Ad Schellevis's avatar Ad Schellevis

(proxy) move acl part to separate file and add option for custom templates,...

(proxy) move acl part to separate file and add option for custom templates, closes https://github.com/opnsense/core/issues/802
parent 4d1a8eca
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all
......@@ -261,161 +261,12 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager
{% include "OPNsense/Proxy/squid.user.pre_auth.conf" ignore missing with context %}
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost
{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all
{% include "OPNsense/Proxy/squid.user.post_auth.conf" ignore missing with context %}
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
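Review bot: The new `{% include "OPNsense/Proxy/squid.user.pre_auth.conf" ignore missing with context %}` line is placed ahead of the `squid.acl.conf` include, so any `http_access allow` a custom template contributes is evaluated before every deny rule that file carries (`!Safe_ports`, `CONNECT !SSL_ports`, `to_localhost`, `manager`, the blacklists) — Squid's `http_access` is first-match, so the "pre_auth" name understates that this hook is also pre-ACL; the ordering is inferred from the lines visible here, as the rest of squid.conf is outside the hunk. Conversely, `squid.acl.conf` ends with `http_access deny all`, so any `http_access` line in the post_auth template can never match. Both deserve a comment on the include line: `# NOTE: rules here are matched before every deny rule in squid.acl.conf (first match wins)` and `# NOTE: http_access lines here are unreachable, squid.acl.conf ends with "http_access deny all"`. `ignore missing` also means a misnamed custom file is skipped silently rather than failing the config build, which is worth stating in the same comment.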