Commit 90f92ad1 authored by Ad Schellevis's avatar Ad Schellevis

Merge pull request #796 from fabianfrz/icap_support

Icap support
parents 6e0e9d98 25449ffd
......@@ -349,6 +349,108 @@
<advanced>true</advanced>
</field>
</subtab>
<subtab id="proxy-icap" description="ICAP Settings">
<field>
<id>proxy.forward.icap.enable</id>
<label>Enable ICAP</label>
<type>checkbox</type>
<style>tokenize</style>
<help><![CDATA[If this checkbox is checked, you can use an ICAP server to filter or replace content.]]></help>
<hint>Select if you want to use ICAP.</hint>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.RequestURL</id>
<label>Request Modify URL</label>
<type>text</type>
<style>tokenize</style>
<help><![CDATA[Enter the url where the reqmod requests should be sent to.]]></help>
<hint>Enter the url of the ICAP Server</hint>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.ResponseURL</id>
<label>Response Modify URL</label>
<type>text</type>
<style>tokenize</style>
<help><![CDATA[Enter the url where the respmod requests should be sent to.]]></help>
<hint>Enter the url of the ICAP Server</hint>
<allownew>true</allownew>
<advanced>false</advanced>
</field>
<field>
<id>proxy.forward.icap.OptionsTTL</id>
<label>Default Options TTL</label>
<type>text</type>
<style>tokenize</style>
<help><![CDATA[Default ttl]]></help>
<hint>Enter the default ttl.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.SendClientIP</id>
<label>Send Client IP</label>
<type>checkbox</type>
<style>tokenize</style>
<help><![CDATA[If you enable this option, the client IP address will be sent to the ICAP server. This can be useful if you want to filter traffic based on IP addresses.]]></help>
<hint>Send the client IP address to the ICAP server.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.SendUsername</id>
<label>Send Username</label>
<type>checkbox</type>
<style>tokenize</style>
<help><![CDATA[If you enable this option, the username of the client will be sent to the ICAP server. This can be useful if you want to filter traffic based on usernames addresses. Note, that authentication is required to use usernames.]]></help>
<hint>Check if the username should be sent to the ICAP server.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.EncodeUsername</id>
<label>Encode Username</label>
<type>checkbox</type>
<style>tokenize</style>
<help><![CDATA[Use this option if your usernames need to be encoded.]]></help>
<hint>Check if you want to encode the username using base64.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.UsernameHeader</id>
<label>Username Header</label>
<type>text</type>
<style>tokenize</style>
<help><![CDATA[The header which should be used to send the username to the ICAP server.]]></help>
<hint>Enter the name of the header.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.EnablePreview</id>
<label>Enable Preview</label>
<type>checkbox</type>
<style>tokenize</style>
<help><![CDATA[If you use previews, only a part of the data is sent to the ICAP server. Setting this option can improve the performance. ]]></help>
<hint>Enable if you want to use previews.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.icap.PreviewSize</id>
<label>Preview Size</label>
<type>text</type>
<style>tokenize</style>
<help><![CDATA[Enter the size of the preview wich is sent to the ICAP server.]]></help>
<hint>Enter the size of the preview.</hint>
<allownew>true</allownew>
<advanced>true</advanced>
</field>
</subtab>
<subtab id="proxy-general-authentication" description="Authentication Settings">
<field>
<id>proxy.forward.authentication.method</id>
......
......@@ -266,6 +266,49 @@
</UpdateCron>
</remoteACLs>
</acl>
<icap>
<enable type="BooleanField">
<default>0</default>
<Required>Y</Required>
</enable>
<RequestURL type="TextField">
<Required>Y</Required>
<default>icap://127.0.0.1/reqmod</default>
</RequestURL>
<ResponseURL type="TextField">
<default>icap://127.0.0.1/respmod</default>
<Required>Y</Required>
</ResponseURL>
<SendClientIP type="BooleanField">
<Required>Y</Required>
<default>1</default>
</SendClientIP>
<SendUsername type="BooleanField">
<default>0</default>
<Required>Y</Required>
</SendUsername>
<EncodeUsername type="BooleanField">
<default>0</default>
<Required>Y</Required>
</EncodeUsername>
<UsernameHeader type="TextField">
<Required>Y</Required>
<default>X-Username</default>
<mask>/^([a-zA-Z-]+)$/</mask>
</UsernameHeader>
<EnablePreview type="BooleanField">
<default>1</default>
<Required>Y</Required>
</EnablePreview>
<PreviewSize type="IntegerField">
<default>1024</default>
<Required>Y</Required>
</PreviewSize>
<OptionsTTL type="IntegerField">
<default>60</default>
<Required>Y</Required>
</OptionsTTL>
</icap>
<authentication>
<method type="AuthenticationServerField">
<Required>N</Required>
......
......@@ -166,6 +166,54 @@ acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default(
{% endif %}
acl CONNECT method CONNECT
# ICAP SETTINGS
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
# enable icap
icap_enable on
{% if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
{% endif %}
# send user information to the icap server
{% if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
adaptation_send_client_ip on
{% else %}
adaptation_send_client_ip off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
adaptation_send_username on
{% else %}
adaptation_send_username off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
icap_client_username_encode on
{% else %}
icap_client_username_encode off
{% endif %}
# preview
{% if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
icap_preview_enable on
{% else %}
icap_preview_enable off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
{% endif %}
# add the servers
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
{% endif %}
{% else %}
# disable icap
icap_enable off
{% endif %}
# Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
# Configure Local User Authentication helper
......@@ -186,12 +234,20 @@ acl local_auth proxy_auth REQUIRED
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}
......@@ -199,14 +255,21 @@ http_access allow whiteList
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
{% if loop.first %}
# ACL list (Deny) remoteblacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist
adaptation_access request_mod deny remoteblacklist
{% endif %}
http_access deny remoteblacklist
{% endif %}
{% endfor %}
......@@ -215,12 +278,26 @@ http_access deny remoteblacklist
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
......@@ -228,22 +305,48 @@ http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.fo
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
# Deny CONNECT to other than secure SSL ports{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost
#
......@@ -251,22 +354,41 @@ http_access deny to_localhost
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
# Deny all other access to this proxy{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment