URL Filter Only at HTTPS Proxy

(cherry picked from commit f56f7e86) (cherry picked from commit fb91e313) (cherry picked from commit 629ead66)

URL Filter Only at HTTPS Proxy
(cherry picked from commit f56f7e86) (cherry picked from commit fb91e313) (cherry picked from commit 629ead66)
8b2cf1c6 · Fabio Miguel Mello · Franco Fichtner · 92db0ffc · 8b2cf1c6 · 8b2cf1c6
Commit 8b2cf1c6 authored Aug 08, 2016 by Fabio Miguel Mello Committed by Franco Fichtner Aug 29, 2016
3 changed files
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -231,6 +231,12 @@
                  <a href="/firewall_nat_edit.php?template=transparant_proxy&https=1"> Add a new firewall rule </a>
                  ]]></help>
            </field>
+            <field>
+                <id>proxy.forward.sslurlonly</id>
+                <label>SSL Domain/IP only</label>
+                <type>checkbox</type>
+                <help>Do not filter content, only domains and addresses</help>
+            </field>
            <field>
                <id>proxy.forward.sslbumpport</id>
                <label>SSL Proxy port</label>

--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -188,6 +188,10 @@
                <default>0</default>
                <Required>Y</Required>
            </sslbump>
+            <sslurlonly type="BooleanField">
+            	<default>0</default>
+            	<Required>Y</Required>
+            </sslurlonly>
            <sslcertificate type="CertificateField">
                <Required>N</Required>
                <Type>ca</Type>

--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -40,6 +40,7 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
 # setup ssl re-cert
 sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
 sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
+
 # setup ssl bump acl's
 acl bump_step1 at_step SslBump1
 acl bump_step2 at_step SslBump2
@@ -48,9 +49,16 @@ acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

 # configure bump
 ssl_bump peek bump_step1 all
+{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
+ssl_bump splice all
+ssl_bump peek bump_step2 all
+ssl_bump splice bump_step3 all
+
+{% else %}
 ssl_bump splice bump_nobumpsites
 ssl_bump peek bump_step2 bump_nobumpsites
 ssl_bump splice bump_step3 bump_nobumpsites
+{% endif %}
 ssl_bump bump

 sslproxy_cert_error deny all