Commit dc0b729b authored by Jos Schellevis's avatar Jos Schellevis

Proxy work in progress, added traffic management and a few other options.

parent a97af932
......@@ -35,8 +35,25 @@
<Required>Y</Required>
</dnsV4First>
<forwardedForHandling type="OptionField">
<default>on</default>
<Required>N</Required>
<OptionValues>
<on>Append client's IP (on)</on>
<off>Set forward header to unknown (off)</off>
<transparent>Do not alter forward header (transparent)</transparent>
<truncate>Replace all with client's IP (truncate)</truncate>
</OptionValues>
</forwardedForHandling>
<uriWhitespaceHandling type="OptionField">
<default>strip</default>
<Required>N</Required>
<OptionValues>
<strip>Strip whitespaces</strip>
<deny>Deny request</deny>
<allow>Allow whitespaces</allow>
<encode>Encode whitespaces (RFC1738)</encode>
<chop>Chop URI at first whitespace</chop>
</OptionValues>
</uriWhitespaceHandling>
<useViaHeader type="BooleanField">
<default>1</default>
......@@ -46,6 +63,66 @@
<default>0</default>
<Required>N</Required>
</suppressVersion>
<cache>
<local>
<enabled type="BooleanField">
<default>0</default>
<Required>Y</Required>
</enabled>
<directory type="TextField">
<default>/var/squid/cache</default>
<Required>Y</Required>
</directory>
<size type="IntegerField">
<default>100</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify a positive cache size. (number of MB's)"</ValidationMessage>
<Required>Y</Required>
</size>
<l1 type="IntegerField">
<default>16</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify a positive number of first-level subdirectories."</ValidationMessage>
<Required>Y</Required>
</l1>
<l2 type="IntegerField">
<default>256</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify a positive number of second-level subdirectories."</ValidationMessage>
<Required>Y</Required>
</l2>
</local>
</cache>
<traffic>
<enabled type="BooleanField">
<default>0</default>
<Required>Y</Required>
</enabled>
<maxDownloadSize type="IntegerField">
<default>2048</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify the maximum download size. (number of KB's)"</ValidationMessage>
<Required>N</Required>
</maxDownloadSize>
<maxUploadSize type="IntegerField">
<default>1024</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify the maximum upload size. (number of KB's)"</ValidationMessage>
<Required>N</Required>
</maxUploadSize>
<OverallBandwidthTrotteling type="IntegerField">
<default>1024</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify the overall bandwidth for downloads in kilobits per second."</ValidationMessage>
<Required>N</Required>
</OverallBandwidthTrotteling>
<perHostTrotteling type="IntegerField">
<default>256</default>
<MinimumValue>1</MinimumValue>
<ValidationMessage>"Specify the per host bandwidth for downloads in kilobits per second."</ValidationMessage>
<Required>N</Required>
</perHostTrotteling>
</traffic>
</general>
<forward>
<interfaces type="CSVListField">
......
......@@ -234,19 +234,80 @@ maxheight: define max height of select box, default=170px to hold 5 items
replies as required by RFC2616.',
'advanced':'true'
],
['id':'proxy.general.forwardedForHandling',
'label':'X-Forwarded for header handling',
'type':'dropdown',
'help':'Select what to do with X-Forwarded for header.',
'advanced':'true'
],
['id': 'proxy.general.suppressVersion',
'label':'Suppress version string',
'type':'checkbox',
'help':'Suppress Squid version string info in HTTP headers and HTML error pages.',
'advanced':'true'
],
['id':'proxy.general.uriWhitespaceHandling',
'label':'Whitespace handling of URI',
'type':'dropdown',
'help':'Select what to do with URI that contain whitespaces.<br/>
<div class="text-info"><b>NOTE:</b> the current Squid implementation of encode and chop violates
RFC2616 by not using a 301 redirect after altering the URL.</div>',
'advanced':'true'
]}
],
[ 'proxy-general-cache','Local Cache Settings',
{['id': 'proxy.general.enabled',
'label':'Enable proxy',
[ 'proxy-general-cache-local','Local Cache Settings',
{['id': 'proxy.general.cache.local.enabled',
'label':'Enable local cache.',
'type':'checkbox',
'help':'Enable or disable the proxy service.'
'help':'Enable or disable the local cache.<br/>
Curently only ufs directory cache type is supported.<br/>
<b class="text-danger">Do not enable on embedded systems with SD or CF cards as this may break your drive.</b>'
],
['id': 'proxy.general.cache.local.size',
'label':'Cache size in Megabytes',
'type':'text',
'help':'Enter the storage size for the local cache (default is 100).',
'advanced':'true'
],
['id': 'proxy.general.cache.local.l1',
'label':'Number of first-level subdirectories',
'type':'text',
'help':'Enter the number of first-level subdirectories for the local cache (default is 16).',
'advanced':'true'
],
['id': 'proxy.general.cache.local.l2',
'label':'Number of second-level subdirectories',
'type':'text',
'help':'Enter the number of first-level subdirectories for the local cache (default is 256).',
'advanced':'true'
]}
],
[ 'proxy-general-traffic','Traffic Management Settings',
{['id': 'proxy.general.traffic.enabled',
'label':'Enable traffic management.',
'type':'checkbox',
'help':'Enable or disable traffic management.'
],
['id': 'proxy.general.traffic.maxDownloadSize',
'label':'Maximum download size (Kb)',
'type':'text',
'help':'Enter the maxium size for downloads in kilobytes (leave empty to disable).'
],
['id': 'proxy.general.traffic.maxUploadSize',
'label':'Maximum upload size (Kb)',
'type':'text',
'help':'Enter the maxium size for uploads in kilobytes (leave empty to disable).'
],
['id': 'proxy.general.traffic.OverallBandwidthTrotteling',
'label':'Overall bandwidth throtteling (Kbps)',
'type':'text',
'help':'Enter the allowed overall bandtwith in kilobits per second (leave empty to disable).'
],
['id': 'proxy.general.traffic.perHostTrotteling',
'label':'Per host bandwidth throtteling (Kbps)',
'type':'text',
'help':'Enter the allowed per host bandtwith in kilobits per second (leave empty to disable).'
]}
]}
],
['proxy-forward','Forward Proxy','subtabs': {
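Review bot: The help text for `proxy.general.cache.local.l2` says "first-level subdirectories" although the field is the second-level count; it should read `'help':'Enter the number of second-level subdirectories for the local cache (default is 256).',`. Several new strings also carry typos that will show in the UI: "Curently", "maxium" (twice), "bandtwith" (twice) and "throtteling" (twice), and the size labels use "(Kb)" where the help text says kilobytes — "KB" avoids confusion with the kilobit-based throttling labels. The help for the four traffic fields says "leave empty to disable", but the model in this commit declares each of them with a default and the template only checks `helpers.exists(...)`, so it is worth confirming that an empty field really drops the directive rather than rendering an empty value.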
......
......@@ -8,7 +8,6 @@
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}tproxy{% endif %}
{% endif %}
{% endfor %}
{# virtual ip's #}
......@@ -25,25 +24,26 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
acl localnet src {{intf_item.ipaddr}}/{{intf_item.subnet}} # Possible internal network
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
# Default allow for local-link and private networks
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
......@@ -54,26 +54,26 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL - Allow Subnets - User defined (subnets)
{% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL - Unrestricted IPs - User defined (unrestricted)
{% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
# ACL - Banned Hosts - User defined (bannedHosts)
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ALC - Whitelist - User defined (whiteList)
{% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
......@@ -84,8 +84,8 @@ acl dstdomain {{element}}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ALC - Blacklist - User defined (blackList)
{% for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{% if '^' or '\\' or '$' or '[' in element %}
......@@ -95,15 +95,15 @@ acl blackList dstdomain {{element}}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ALC - Block browser/user-agent - User defined (browser)
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ALC - Block MIME types - User defined (mimetype)
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
......@@ -144,20 +144,18 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
# ALLOW UNRESTRICTED
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL list (Deny) blacklist
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
......@@ -218,8 +216,12 @@ http_access allow subnets
# Deny all other access to this proxy
http_access deny all
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{% endif %}
{% endif %}
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
......@@ -273,3 +275,40 @@ httpd_suppress_version_string on
icp_port {{OPNsense.proxy.general.icpPort}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI hanlding with Whitespaces (default=strip)
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded header handling (default=on)
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
# Define PerHost and Overall Bandwith Trotteling
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% else %}
# Define PerHost Trotteling
delay_parameters -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
# Define Overall Bandwidth Trotteling
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
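Review bot: In the class-3 branch of the throttling block, `delay_parameters 1 ...` uses OverallBandwidthTrotteling for the max of the individual (per-host) bucket while its restore value is perHostTrotteling, so the last pair should be `{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}` as in the else branch. That else branch in turn omits the pool number and the network bucket that a `delay_class 1 3` pool expects; the other two delay_parameters lines start with `delay_parameters 1`, so it should be `delay_parameters 1 -1/-1 -1/-1 {{...perHostTrotteling|int // 8 * 1000}}/{{...perHostTrotteling|int // 8 * 1000}}`. The kbit/s-to-byte/s conversion `|int // 8 * 1000` divides before multiplying, so values below 8 become 0 and the rest lose up to 875 bytes/s; `|int * 125` gives the exact figure. The form text invites leaving these fields empty and `''|int` evaluates to 0, so it is also worth confirming what an empty value renders as before this leaves work-in-progress.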