Proxy work in progress, added Authentication, updated ACLs and added dropdown...

Proxy work in progress, added Authentication, updated ACLs and added dropdown option to default form template

Proxy work in progress, added Authentication, updated ACLs and added dropdown...
Proxy work in progress, added Authentication, updated ACLs and added dropdown option to default form template
95da336d · Jos Schellevis · ae835980 · 95da336d · 95da336d · 95da336d
Commit 95da336d authored Apr 21, 2015 by Jos Schellevis
4 changed files
--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -82,7 +82,47 @@
                <blackList type="CSVListField">
                    <Required>N</Required>
                </blackList>
+                <browser type="CSVListField">
+                    <Required>N</Required>
+                </browser>
+                <mimeType type="CSVListField">
+                    <Required>N</Required>
+                </mimeType>
+                <safePorts type="CSVListField">
+                    <default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</default>
+                    <Required>N</Required>
+                </safePorts>
+                <sslPorts type="CSVListField">
+                    <default>443:https</default>
+                    <Required>N</Required>
+                </sslPorts>
            </acl>
+            <authentication>
+                <method type="OptionField">
+                    <default>none</default>
+                    <Required>N</Required>
+                    <OptionValues>
+                        <none>No Authentication</none>
+                        <local>Local User Authentication</local>
+                    </OptionValues>
+                </method>
+                <realm type="TextField">
+                    <default>OPNsense proxy authentication</default>
+                    <Required>N</Required>
+                </realm>
+                <credentialsttl type="IntegerField">
+                    <default>2</default>
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>"Credentials TTL needs to be an integer value above 0"</ValidationMessage>
+                    <Required>N</Required>
+                </credentialsttl>
+                <children type="IntegerField">
+                    <default>5</default>
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>"Number of children needs to be an integer value above 0"</ValidationMessage>
+                    <Required>N</Required>
+                </children>
+            </authentication>
        </forward>
    </items>
 </model>
--- a/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
@@ -247,13 +247,6 @@ maxheight: define max height of select box, default=170px to hold 5 items
                'type':'checkbox',
                'help':'Enable or disable the proxy service.'
                ]}
-            ],
-            [ 'proxy-general-remote-cache','Remote Cache Settings',
-                {['id': 'proxy.general.enabled',
-                'label':'Enable proxy',
-                'type':'checkbox',
-                'help':'Enable or disable the proxy service.'
-                ]}
            ]}
        ],
        ['proxy-forward','Forward Proxy','subtabs': {
@@ -321,7 +314,7 @@ maxheight: define max height of select box, default=170px to hold 5 items
                            <b class="text-primary">\\.+[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
                        </div>
                        <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
-                'hint':'Example ',
+                'hint':'Regular expressions are allowed. ',
                'allownew':'true'
                ],
                ['id': 'proxy.forward.acl.blackList',
@@ -338,8 +331,83 @@ maxheight: define max height of select box, default=170px to hold 5 items
                    <b class="text-primary">\\.+[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
                </div>
                <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
-                'hint':'Example ',
+                'hint':'Regular expressions are allowed.',
                'allownew':'true'
+                ],
+                ['id': 'proxy.forward.acl.browser',
+                'label':'Block browser/user-agents',
+                'type':'select_multiple',
+                'style':'tokenize',
+                'help':'Block user-agents.<br/>
+                You may use a regular expression, use a comma or press Enter for new item.<br/>
+                <div class="alert alert-info">
+                    <b>Examples:</b><br/>
+                    <b class="text-primary">^(.)+Macintosh(.)+Firefox/37\.0</b> -> matches on <b>Macintosh version of Firefox revision 37.0</b><br/>
+                    <b class="text-primary">^Mozilla</b> -> matches on <b>all Mozilla based browsers</b><br/>
+                </div>
+                <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
+                'hint':'Regular expressions are allowed.',
+                'allownew':'true',
+                'advanced':'true'
+                ],
+                ['id': 'proxy.forward.acl.mimeType',
+                'label':'Block specific MIME type reply',
+                'type':'select_multiple',
+                'style':'tokenize',
+                'help':'Block specific MIME type reply.<br/>
+                You may use a regular expression, use a comma or press Enter for new item.<br/>
+                <div class="alert alert-info">
+                    <b>Examples:</b><br/>
+                    <b class="text-primary">video/flv</b> -> matches on <b>Flash Video</b><br/>
+                    <b class="text-primary">application/x-javascript</b> -> matches on <b>javascripts</b><br/>
+                </div>
+                <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
+                'hint':'Regular expressions are allowed.',
+                'allownew':'true',
+                'advanced':'true'
+                ],
+                ['id': 'proxy.forward.acl.safePorts',
+                'label':'Allowed destination TCP port',
+                'type':'select_multiple',
+                'style':'tokenize',
+                'help':'Allowed destination TCP ports, you may use ranges (ex. 222-226) and add comments with collon (ex. 22:ssh).<br/>
+                        <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
+                'hint':'Type port number or range.',
+                'allownew':'true',
+                'advanced':'true'
+                ],
+                ['id': 'proxy.forward.acl.sslPorts',
+                'label':'Allowed SSL ports',
+                'type':'select_multiple',
+                'style':'tokenize',
+                'help':'Allowed destination SSL ports, you may use ranges (ex. 222-226) and add comments with collon (ex. 22:ssh).<br/>
+                <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
+                'hint':'Type port number or range.',
+                'allownew':'true',
+                'advanced':'true'
+                ]}
+            ],
+            [ 'proxy-general-authentication', 'Athentication Settings',
+                {['id':'proxy.forward.authentication.method',
+                'label':'Authentication method',
+                'type':'dropdown',
+                'help':'Select Authentication method'
+                ],
+                ['id': 'proxy.forward.authentication.realm',
+                'label':'Authentication Prompt',
+                'type':'text',
+                'help':'The prompt will be displayed in the autherntication request window.'
+                ],
+                ['id': 'proxy.forward.authentication.credentialsttl',
+                'label':'Authentication TTL (hours)',
+                'type':'text',
+                'help':'This specifies for how long (in hours) the proxy server assumes an externally validated username and password combination is valid (Time To Live).<br/>
+                        When the TTL expires, the user will be prompted for credentials again. '
+                ],
+                ['id': 'proxy.forward.authentication.children',
+                'label':'Authentication processes',
+                'type':'text',
+                'help':'The total number of authenticator processes to spawn.'
                ]}
            ]}
        ]

--- a/src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt
+++ b/src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt
@@ -45,6 +45,8 @@ POSSIBILITY OF SUCH DAMAGE.
        {% elseif type == "select_multiple" %}
            <select multiple="multiple" {% if size|default(false) %}size="{{size}}"{% endif %}  id="{{ id }}" {% if style|default(false) %}class="{{style}}" {% endif %}  {% if hint|default(false) %}data-hint="{{hint}}"{% endif %}  {% if maxheight|default(false) %}data-maxheight="{{maxheight}}"{% endif %} data-width="{{width|default("348px")}}" data-allownew="{{allownew|default("false")}}"></select>
            <br/><a href="#" class="text-danger" id="clear-options" for="{{id}}"><i class="fa fa-times-circle"></i></a><small> Clear All</small>
+        {% elseif type == "dropdown" %}
+            <select {% if size|default(false) %}size="{{size}}"{% endif %}  id="{{ id }}" class="{{style|default('selectpicker')}}"  data-width="{{width|default("348px")}}"></select>
        {% endif %}
        {% if help|default(false) %}

--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -48,6 +48,10 @@ acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal n
 acl localnet src fc00::/7       # RFC 4193 local private network range
 acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+# Default localhost and to_localhost acl's
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
 # ACL lists
 {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
 # ACL - Allow Subnets - User defined (subnets)
@@ -92,75 +96,125 @@ acl blackList dstdomain {{element}}
 {%  endfor %}
 {% endif %}
-# Default Safe ports
+{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
-acl Safe_ports port 80		# http
+# ALC - Block browser/user-agent - User defined (browser)
-acl Safe_ports port 21		# ftp
+{%  for element in OPNsense.proxy.forward.acl.browser.split(",") %}
-acl Safe_ports port 443		# https
+acl blockuseragents browser {{element}}
-acl Safe_ports port 70		# gopher
+{%  endfor %}
-acl Safe_ports port 210		# wais
+{% endif %}
-acl Safe_ports port 1025-65535	# unregistered ports
-acl Safe_ports port 280		# http-mgmt
+{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
-acl Safe_ports port 488		# gss-http
+# ALC - Block MIME types - User defined (mimetype)
-acl Safe_ports port 591		# filemaker
+{%  for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
-acl Safe_ports port 777		# multiling http
+acl blockmimetypes rep_mime_type {{element}}
+{%  endfor %}
+{% endif %}
+# ACL - SSL ports, default are configured in config.xml
+# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
+{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
+{%  for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
+acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
+{%  endfor %}
+{% endif %}
+# Default Safe ports are now defined in config.xml
+# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
+{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
+# ALC - Safe_ports
+{%  for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
+acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
+{%  endfor %}
+{% endif %}
 acl CONNECT method CONNECT
+# Authentication Settings
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
+# Configure Local User Authentication helper
+auth_param basic program /usr/local/etc/inc/squid_auth
+{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
+auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
+auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
+auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
+{% endif %}
+# ACL - Local Authorized Users - local_auth
+acl local_auth proxy_auth REQUIRED
+{% endif %}
+# ALLOW UNRESTRICTED
+{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
+# ACL list (Allow) unrestricted
+http_access allow unrestricted
+{% endif %}
 #
-# Recommended minimum Access Permission configuration:
+{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
-#
+# ACL list (Deny) blacklist
-# Deny requests to certain unsafe ports
+http_access deny blackList
-http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
+# ACL list (Deny) blockuseragent
+http_access deny blockuseragents
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
+# ACL list (Deny) blockmimetypes
+http_access deny blockmimetypes
+{% endif %}
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
 # Deny CONNECT to other than secure SSL ports
-http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+http_access deny CONNECT !SSL_ports
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+http_access deny bannedHosts
+{% endif %}
 # Only allow cachemgr access from localhost
 http_access allow localhost manager
-http_access deny manager {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+http_access deny manager
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
-http_access deny to_localhost {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+http_access deny to_localhost
+{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
+# ACL list (Allow) whitelist
+http_access allow whiteList
+{% endif %}
 #
-# RULE(S) TO ALLOW ACCESS FROM CLIENTS
+# Access Permission configuration:
 #
-# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+# Deny request from unauthorized clients
-http_access allow localnet {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}!bannedHosts{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
+http_access allow local_auth
+{% endif %}
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+http_access allow localnet
 # ACL - localhost
 http_access allow localhost
 {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
 # ACL list (Allow) subnets
-http_access allow subnets {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}!bannedHosts{% endif %}
+http_access allow subnets
 {% endif %}
-{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
-# ACL list (Allow) unrestricted
-http_access allow unrestricted
-{% endif %}
-{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
-# ACL list (Allow) whitelist
-http_access allow whiteList {% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}!blackList{% endif %}
-{% endif %}
-{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
-# ACL list (Deny) blacklist
-http_access deny blackList {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-{% endif %}
 # Deny all other access to this proxy
 http_access deny all