Merge pull request #796 from fabianfrz/icap_support

Icap support

Merge pull request #796 from fabianfrz/icap_support
Icap support
90f92ad1 · Ad Schellevis · 6e0e9d98 · 25449ffd · 90f92ad1 · 90f92ad1
Commit 90f92ad1 authored Mar 01, 2016 by Ad Schellevis
3 changed files
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -349,6 +349,108 @@
                <advanced>true</advanced>
            </field>
        </subtab>
+        <subtab id="proxy-icap" description="ICAP Settings">
+            <field>
+                <id>proxy.forward.icap.enable</id>
+                <label>Enable ICAP</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help><![CDATA[If this checkbox is checked, you can use an ICAP server to filter or replace content.]]></help>
+                <hint>Select if you want to use ICAP.</hint>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.RequestURL</id>
+                <label>Request Modify URL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help><![CDATA[Enter the url where the reqmod requests should be sent to.]]></help>
+                <hint>Enter the url of the ICAP Server</hint>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.ResponseURL</id>
+                <label>Response Modify URL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help><![CDATA[Enter the url where the respmod requests should be sent to.]]></help>
+                <hint>Enter the url of the ICAP Server</hint>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.OptionsTTL</id>
+                <label>Default Options TTL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help><![CDATA[Default ttl]]></help>
+                <hint>Enter the default ttl.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.SendClientIP</id>
+                <label>Send Client IP</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help><![CDATA[If you enable this option, the client IP address will be sent to the ICAP server. This can be useful if you want to filter traffic based on IP addresses.]]></help>
+                <hint>Send the client IP address to the ICAP server.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.SendUsername</id>
+                <label>Send Username</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help><![CDATA[If you enable this option, the username of the client will be sent to the ICAP server. This can be useful if you want to filter traffic based on usernames addresses. Note, that authentication is required to use usernames.]]></help>
+                <hint>Check if the username should be sent to the ICAP server.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.EncodeUsername</id>
+                <label>Encode Username</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help><![CDATA[Use this option if your usernames need to be encoded.]]></help>
+                <hint>Check if you want to encode the username using base64.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.UsernameHeader</id>
+                <label>Username Header</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help><![CDATA[The header which should be used to send the username to the ICAP server.]]></help>
+                <hint>Enter the name of the header.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.EnablePreview</id>
+                <label>Enable Preview</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help><![CDATA[If you use previews, only a part of the data is sent to the ICAP server. Setting this option can improve the performance. ]]></help>
+                <hint>Enable if you want to use previews.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.PreviewSize</id>
+                <label>Preview Size</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help><![CDATA[Enter the size of the preview wich is sent to the ICAP server.]]></help>
+                <hint>Enter the size of the preview.</hint>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+        </subtab>
        <subtab id="proxy-general-authentication" description="Authentication Settings">
            <field>
                <id>proxy.forward.authentication.method</id>

--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -266,6 +266,49 @@
                    </UpdateCron>
                </remoteACLs>
            </acl>
+            <icap>
+                <enable type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </enable>
+                <RequestURL type="TextField">
+                    <Required>Y</Required>
+                    <default>icap://127.0.0.1/reqmod</default>
+                </RequestURL>
+                <ResponseURL type="TextField">
+                    <default>icap://127.0.0.1/respmod</default>
+                    <Required>Y</Required>
+                </ResponseURL>
+                <SendClientIP type="BooleanField">
+                    <Required>Y</Required>
+                    <default>1</default>
+                </SendClientIP>
+                <SendUsername type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </SendUsername>
+                <EncodeUsername type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </EncodeUsername>
+                <UsernameHeader type="TextField">
+                    <Required>Y</Required>
+                    <default>X-Username</default>
+                    <mask>/^([a-zA-Z-]+)$/</mask>
+                </UsernameHeader>
+                <EnablePreview type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </EnablePreview>
+                <PreviewSize type="IntegerField">
+                    <default>1024</default>
+                    <Required>Y</Required>
+                </PreviewSize>
+                <OptionsTTL type="IntegerField">
+                    <default>60</default>
+                    <Required>Y</Required>
+                </OptionsTTL>
+            </icap>
            <authentication>
                <method type="AuthenticationServerField">
                    <Required>N</Required>

--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -166,6 +166,54 @@ acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default(
 {% endif %}
 acl CONNECT method CONNECT

+# ICAP SETTINGS
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+# enable icap
+icap_enable on
+{% if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
+icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
+{% endif %}
+
+# send user information to the icap server
+{% if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
+adaptation_send_client_ip on
+{% else %}
+adaptation_send_client_ip off
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
+adaptation_send_username on
+{% else %}
+adaptation_send_username off
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
+icap_client_username_encode on
+{% else %}
+icap_client_username_encode off
+{% endif %}
+
+# preview
+{% if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
+icap_preview_enable on
+{% else %}
+icap_preview_enable off
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
+icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
+{% endif %}
+
+# add the servers
+{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
+{% endif %}
+
+{% else %}
+# disable icap
+icap_enable off
+{% endif %}
+
 # Authentication Settings
 {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
 # Configure Local User Authentication helper
@@ -186,12 +234,20 @@ acl local_auth proxy_auth REQUIRED

 # ALLOW UNRESTRICTED
 # ACL list (Allow) unrestricted
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow unrestricted
+adaptation_access request_mod allow unrestricted
+{% endif %}
 http_access allow unrestricted
 {% endif %}

 {% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}

 # ACL list (Allow) whitelist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow whiteList
+adaptation_access request_mod allow whiteList
+{% endif %}
 http_access allow whiteList
 {% endif %}

@@ -199,14 +255,21 @@ http_access allow whiteList

 #
 # ACL list (Deny) blacklist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blackList
+adaptation_access request_mod deny blackList
+{% endif %}
 http_access deny blackList
-
 {% endif %}

 {% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
 {%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
 {% if loop.first %}
 # ACL list (Deny) remoteblacklist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny remoteblacklist
+adaptation_access request_mod deny remoteblacklist
+{% endif %}
 http_access deny remoteblacklist
 {% endif %}
 {%   endfor %}
@@ -215,12 +278,26 @@ http_access deny remoteblacklist
 {% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}

 # ACL list (Deny) blockuseragent
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blockuseragents
+adaptation_access request_mod deny blockuseragents
+{% endif %}
 http_access deny blockuseragents
 {% endif %}

 {% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}

 # ACL list (Deny) blockmimetypes
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+{% endif %}
 http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}

 http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
@@ -228,22 +305,48 @@ http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.fo
 {% endif %}

 # Deny requests to certain unsafe ports
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+{% endif %}
 http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

-# Deny CONNECT to other than secure SSL ports
+# Deny CONNECT to other than secure SSL ports{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+
+adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+{% endif %}
 http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

 {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny bannedHosts
+adaptation_access request_mod deny bannedHosts
+{% endif %}
 http_access deny bannedHosts
 {% endif %}

 # Only allow cachemgr access from localhost
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localhost manager
+adaptation_access request_mod allow localhost manager
+adaptation_access response_mod deny manager
+adaptation_access request_mod deny manager
+{% endif %}
 http_access allow localhost manager
 http_access deny manager

 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny to_localhost
+adaptation_access request_mod deny to_localhost
+{% endif %}
 http_access deny to_localhost

 #
@@ -251,22 +354,41 @@ http_access deny to_localhost
 #
 # Deny request from unauthorized clients
 {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow local_auth
+adaptation_access request_mod allow local_auth
+{% endif %}
 http_access allow local_auth
 {% endif %}

 #
 # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localnet
+adaptation_access request_mod allow localnet
+{% endif %}
 http_access allow localnet

 # ACL - localhost
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localhost
+adaptation_access request_mod allow localhost
+{% endif %}
 http_access allow localhost
 {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}

 # ACL list (Allow) subnets
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow subnets
+adaptation_access request_mod allow subnets
+{% endif %}
 http_access allow subnets
 {% endif %}

-# Deny all other access to this proxy
+# Deny all other access to this proxy{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny all
+adaptation_access request_mod deny all
+{% endif %}
 http_access deny all

 {% if helpers.exists('OPNsense.proxy.general.cache.local')  %}