Commit 95da336d authored by Jos Schellevis's avatar Jos Schellevis

Proxy work in progress, added Authentication, updated ACLs and added dropdown...

Proxy work in progress, added Authentication, updated ACLs and added dropdown option to default form template
parent ae835980
......@@ -82,7 +82,47 @@
<blackList type="CSVListField">
<Required>N</Required>
</blackList>
<browser type="CSVListField">
<Required>N</Required>
</browser>
<mimeType type="CSVListField">
<Required>N</Required>
</mimeType>
<safePorts type="CSVListField">
<default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</default>
<Required>N</Required>
</safePorts>
<sslPorts type="CSVListField">
<default>443:https</default>
<Required>N</Required>
</sslPorts>
</acl>
<authentication>
<method type="OptionField">
<default>none</default>
<Required>N</Required>
<OptionValues>
<none>No Authentication</none>
<local>Local User Authentication</local>
</OptionValues>
</method>
<realm type="TextField">
<default>OPNsense proxy authentication</default>
<Required>N</Required>
</realm>
<credentialsttl type="IntegerField">
<default>2</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Credentials TTL needs to be an integer value above 0"</ValidationMessage>
<Required>N</Required>
</credentialsttl>
<children type="IntegerField">
<default>5</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Number of children needs to be an integer value above 0"</ValidationMessage>
<Required>N</Required>
</children>
</authentication>
</forward>
</items>
</model>
......@@ -247,13 +247,6 @@ maxheight: define max height of select box, default=170px to hold 5 items
'type':'checkbox',
'help':'Enable or disable the proxy service.'
]}
],
[ 'proxy-general-remote-cache','Remote Cache Settings',
{['id': 'proxy.general.enabled',
'label':'Enable proxy',
'type':'checkbox',
'help':'Enable or disable the proxy service.'
]}
]}
],
['proxy-forward','Forward Proxy','subtabs': {
......@@ -321,7 +314,7 @@ maxheight: define max height of select box, default=170px to hold 5 items
<b class="text-primary">\\.+[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
</div>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Example ',
'hint':'Regular expressions are allowed. ',
'allownew':'true'
],
['id': 'proxy.forward.acl.blackList',
......@@ -338,8 +331,83 @@ maxheight: define max height of select box, default=170px to hold 5 items
<b class="text-primary">\\.+[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
</div>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Example ',
'hint':'Regular expressions are allowed.',
'allownew':'true'
],
['id': 'proxy.forward.acl.browser',
'label':'Block browser/user-agents',
'type':'select_multiple',
'style':'tokenize',
'help':'Block user-agents.<br/>
You may use a regular expression, use a comma or press Enter for new item.<br/>
<div class="alert alert-info">
<b>Examples:</b><br/>
<b class="text-primary">^(.)+Macintosh(.)+Firefox/37\.0</b> -> matches on <b>Macintosh version of Firefox revision 37.0</b><br/>
<b class="text-primary">^Mozilla</b> -> matches on <b>all Mozilla based browsers</b><br/>
</div>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Regular expressions are allowed.',
'allownew':'true',
'advanced':'true'
],
['id': 'proxy.forward.acl.mimeType',
'label':'Block specific MIME type reply',
'type':'select_multiple',
'style':'tokenize',
'help':'Block specific MIME type reply.<br/>
You may use a regular expression, use a comma or press Enter for new item.<br/>
<div class="alert alert-info">
<b>Examples:</b><br/>
<b class="text-primary">video/flv</b> -> matches on <b>Flash Video</b><br/>
<b class="text-primary">application/x-javascript</b> -> matches on <b>javascripts</b><br/>
</div>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Regular expressions are allowed.',
'allownew':'true',
'advanced':'true'
],
['id': 'proxy.forward.acl.safePorts',
'label':'Allowed destination TCP port',
'type':'select_multiple',
'style':'tokenize',
'help':'Allowed destination TCP ports, you may use ranges (ex. 222-226) and add comments with collon (ex. 22:ssh).<br/>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Type port number or range.',
'allownew':'true',
'advanced':'true'
],
['id': 'proxy.forward.acl.sslPorts',
'label':'Allowed SSL ports',
'type':'select_multiple',
'style':'tokenize',
'help':'Allowed destination SSL ports, you may use ranges (ex. 222-226) and add comments with collon (ex. 22:ssh).<br/>
<div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>',
'hint':'Type port number or range.',
'allownew':'true',
'advanced':'true'
]}
],
[ 'proxy-general-authentication', 'Athentication Settings',
{['id':'proxy.forward.authentication.method',
'label':'Authentication method',
'type':'dropdown',
'help':'Select Authentication method'
],
['id': 'proxy.forward.authentication.realm',
'label':'Authentication Prompt',
'type':'text',
'help':'The prompt will be displayed in the autherntication request window.'
],
['id': 'proxy.forward.authentication.credentialsttl',
'label':'Authentication TTL (hours)',
'type':'text',
'help':'This specifies for how long (in hours) the proxy server assumes an externally validated username and password combination is valid (Time To Live).<br/>
When the TTL expires, the user will be prompted for credentials again. '
],
['id': 'proxy.forward.authentication.children',
'label':'Authentication processes',
'type':'text',
'help':'The total number of authenticator processes to spawn.'
]}
]}
]
......
......@@ -45,6 +45,8 @@ POSSIBILITY OF SUCH DAMAGE.
{% elseif type == "select_multiple" %}
<select multiple="multiple" {% if size|default(false) %}size="{{size}}"{% endif %} id="{{ id }}" {% if style|default(false) %}class="{{style}}" {% endif %} {% if hint|default(false) %}data-hint="{{hint}}"{% endif %} {% if maxheight|default(false) %}data-maxheight="{{maxheight}}"{% endif %} data-width="{{width|default("348px")}}" data-allownew="{{allownew|default("false")}}"></select>
<br/><a href="#" class="text-danger" id="clear-options" for="{{id}}"><i class="fa fa-times-circle"></i></a><small> Clear All</small>
{% elseif type == "dropdown" %}
<select {% if size|default(false) %}size="{{size}}"{% endif %} id="{{ id }}" class="{{style|default('selectpicker')}}" data-width="{{width|default("348px")}}"></select>
{% endif %}
{% if help|default(false) %}
......
......@@ -48,6 +48,10 @@ acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal n
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Default localhost and to_localhost acl's
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL - Allow Subnets - User defined (subnets)
......@@ -92,75 +96,125 @@ acl blackList dstdomain {{element}}
{% endfor %}
{% endif %}
# Default Safe ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ALC - Block browser/user-agent - User defined (browser)
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ALC - Block MIME types - User defined (mimetype)
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
{% endfor %}
{% endif %}
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ALC - Safe_ports
{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
acl CONNECT method CONNECT
# Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method=='local' %}
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid_auth
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
# ALLOW UNRESTRICTED
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL list (Allow) unrestricted
http_access allow unrestricted
{% endif %}
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL list (Deny) blacklist
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
http_access deny blockmimetypes
{% endif %}
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
http_access deny CONNECT !SSL_ports
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
http_access deny to_localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
http_access allow whiteList
{% endif %}
#
# RULE(S) TO ALLOW ACCESS FROM CLIENTS
# Access Permission configuration:
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}!bannedHosts{% endif %}
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method=='local' %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet
# ACL - localhost
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
http_access allow subnets {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}!bannedHosts{% endif %}
http_access allow subnets
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL list (Allow) unrestricted
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
http_access allow whiteList {% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}!blackList{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL list (Deny) blacklist
http_access deny blackList {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
# Deny all other access to this proxy
http_access deny all
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment