dc0b729b
Commit
dc0b729b
authored
Apr 24, 2015
by
Jos Schellevis
Proxy work in progress, added traffic management and a few other options.
parent
a97af932
Changes
3
Showing
3 changed files
with
206 additions
and
29 deletions
+206
-29
Proxy.xml
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+77
-0
index.volt
src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
+65
-4
squid.conf
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+64
-25
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -35,8 +35,25 @@
<Required>
Y
</Required>
</dnsV4First>
<forwardedForHandling
type=
"OptionField"
>
<default>
on
</default>
<Required>
N
</Required>
<OptionValues>
<on>
Append client's IP (on)
</on>
<off>
Set forward header to unknown (off)
</off>
<transparent>
Do not alter forward header (transparent)
</transparent>
<truncate>
Replace all with client's IP (truncate)
</truncate>
</OptionValues>
</forwardedForHandling>
<uriWhitespaceHandling
type=
"OptionField"
>
<default>
strip
</default>
<Required>
N
</Required>
<OptionValues>
<strip>
Strip whitespaces
</strip>
<deny>
Deny request
</deny>
<allow>
Allow whitespaces
</allow>
<encode>
Encode whitespaces (RFC1738)
</encode>
<chop>
Chop URI at first whitespace
</chop>
</OptionValues>
</uriWhitespaceHandling>
<useViaHeader
type=
"BooleanField"
>
<default>
1
</default>
@@ -46,6 +63,66 @@
<default>
0
</default>
<Required>
N
</Required>
</suppressVersion>
<cache>
<local>
<enabled
type=
"BooleanField"
>
<default>
0
</default>
<Required>
Y
</Required>
</enabled>
<directory
type=
"TextField"
>
<default>
/var/squid/cache
</default>
<Required>
Y
</Required>
</directory>
<size
type=
"IntegerField"
>
<default>
100
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify a positive cache size. (number of MB's)"
</ValidationMessage>
<Required>
Y
</Required>
</size>
<l1
type=
"IntegerField"
>
<default>
16
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify a positive number of first-level subdirectories."
</ValidationMessage>
<Required>
Y
</Required>
</l1>
<l2
type=
"IntegerField"
>
<default>
256
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify a positive number of second-level subdirectories."
</ValidationMessage>
<Required>
Y
</Required>
</l2>
</local>
</cache>
<traffic>
<enabled
type=
"BooleanField"
>
<default>
0
</default>
<Required>
Y
</Required>
</enabled>
<maxDownloadSize
type=
"IntegerField"
>
<default>
2048
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify the maximum download size. (number of KB's)"
</ValidationMessage>
<Required>
N
</Required>
</maxDownloadSize>
<maxUploadSize
type=
"IntegerField"
>
<default>
1024
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify the maximum upload size. (number of KB's)"
</ValidationMessage>
<Required>
N
</Required>
</maxUploadSize>
<OverallBandwidthTrotteling
type=
"IntegerField"
>
<default>
1024
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify the overall bandwidth for downloads in kilobits per second."
</ValidationMessage>
<Required>
N
</Required>
</OverallBandwidthTrotteling>
<perHostTrotteling
type=
"IntegerField"
>
<default>
256
</default>
<MinimumValue>
1
</MinimumValue>
<ValidationMessage>
"Specify the per host bandwidth for downloads in kilobits per second."
</ValidationMessage>
<Required>
N
</Required>
</perHostTrotteling>
</traffic>
</general>
<forward>
<interfaces
type=
"CSVListField"
>
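Review bot: The new `cache/local/directory` field is a plain `TextField` whose value this same commit renders verbatim into the `cache_dir ufs ...` line of squid.conf, so any whitespace or line break in the value changes how Squid tokenizes that directive; the model should constrain it to a single absolute path token (a `<mask>` regex, if this TextField type supports one in the project) or at least carry a comment such as `<!-- rendered unquoted into squid.conf cache_dir; must be a single path token -->`. Separately, `OverallBandwidthTrotteling` is the only UpperCamelCase element among lowerCamelCase siblings (`perHostTrotteling`, `maxDownloadSize`), and both carry a misspelling of "throttling"; since these names become form ids and template paths, renaming now is far cheaper than later. The `ValidationMessage` values in this hunk include literal double quotes inside the element text, which will presumably show up in the rendered message unless the framework strips them — confirm this matches how other models in the project write them. The `<general>` element closed at the end of the hunk opens outside it.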
src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
@@ -234,19 +234,80 @@ maxheight: define max height of select box, default=170px to hold 5 items
replies as required by RFC2616.',
'advanced':'true'
],
['id':'proxy.general.forwardedForHandling',
'label':'X-Forwarded for header handling',
'type':'dropdown',
'help':'Select what to do with X-Forwarded for header.',
'advanced':'true'
],
['id': 'proxy.general.suppressVersion',
'label':'Suppress version string',
'type':'checkbox',
'help':'Suppress Squid version string info in HTTP headers and HTML error pages.',
'advanced':'true'
],
['id':'proxy.general.uriWhitespaceHandling',
'label':'Whitespace handling of URI',
'type':'dropdown',
'help':'Select what to do with URI that contain whitespaces.<br/>
<div class="text-info"><b>NOTE:</b> the current Squid implementation of encode and chop violates
RFC2616 by not using a 301 redirect after altering the URL.</div>',
'advanced':'true'
]}
],
[ 'proxy-general-cache','Local Cache Settings',
{['id': 'proxy.general.enabled',
'label':'Enable
proxy
',
[ 'proxy-general-cache
-local
','Local Cache Settings',
{['id': 'proxy.general.
cache.local.
enabled',
'label':'Enable
local cache.
',
'type':'checkbox',
'help':'Enable or disable the proxy service.'
'help':'Enable or disable the local cache.<br/>
Curently only ufs directory cache type is supported.<br/>
<b class="text-danger">Do not enable on embedded systems with SD or CF cards as this may break your drive.</b>'
],
['id': 'proxy.general.cache.local.size',
'label':'Cache size in Megabytes',
'type':'text',
'help':'Enter the storage size for the local cache (default is 100).',
'advanced':'true'
],
['id': 'proxy.general.cache.local.l1',
'label':'Number of first-level subdirectories',
'type':'text',
'help':'Enter the number of first-level subdirectories for the local cache (default is 16).',
'advanced':'true'
],
['id': 'proxy.general.cache.local.l2',
'label':'Number of second-level subdirectories',
'type':'text',
'help':'Enter the number of first-level subdirectories for the local cache (default is 256).',
'advanced':'true'
]}
],
[ 'proxy-general-traffic','Traffic Management Settings',
{['id': 'proxy.general.traffic.enabled',
'label':'Enable traffic management.',
'type':'checkbox',
'help':'Enable or disable traffic management.'
],
['id': 'proxy.general.traffic.maxDownloadSize',
'label':'Maximum download size (Kb)',
'type':'text',
'help':'Enter the maxium size for downloads in kilobytes (leave empty to disable).'
],
['id': 'proxy.general.traffic.maxUploadSize',
'label':'Maximum upload size (Kb)',
'type':'text',
'help':'Enter the maxium size for uploads in kilobytes (leave empty to disable).'
],
['id': 'proxy.general.traffic.OverallBandwidthTrotteling',
'label':'Overall bandwidth throtteling (Kbps)',
'type':'text',
'help':'Enter the allowed overall bandtwith in kilobits per second (leave empty to disable).'
],
['id': 'proxy.general.traffic.perHostTrotteling',
'label':'Per host bandwidth throtteling (Kbps)',
'type':'text',
'help':'Enter the allowed per host bandtwith in kilobits per second (leave empty to disable).'
]}
]}
],
['proxy-forward','Forward Proxy','subtabs': {
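Review bot: The help text for `proxy.general.cache.local.l2` says "first-level subdirectories" although its label and the model field describe second-level ones; change it to `'help':'Enter the number of second-level subdirectories for the local cache (default is 256).',`. Several other new user-facing strings carry typos that will surface in the UI and in any translation catalog: "Curently", "maxium" (twice), "bandtwith" (twice) and "throtteling" (twice). The traffic help texts say "leave empty to disable", yet the model gives these fields non-empty defaults (2048, 1024, 1024, 256) with a minimum of 1 — confirm that clearing the field is actually accepted by validation and that the template treats an empty value as disabled. The surrounding form-definition array opens and closes outside this hunk.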
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -8,7 +8,6 @@
{%
for
intf_key
,
intf_item
in
interfaces
.
iteritems
() %}
{%
if
intf_key
==
interface
and
intf_item
.
ipaddr
!=
'dhcp'
%}
http_port
{{
intf_item
.
ipaddr
}}:{{
OPNsense
.
proxy
.
forward
.
port
}} {%
if
OPNsense
.
proxy
.
forward
.
transparentMode
==
'1'
%}
tproxy
{%
endif
%}
{%
endif
%}
{%
endfor
%}
{
# virtual ip's #}
@@ -25,25 +24,26 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.addACLforInterfaceSubnets'
) %}
{%
if
OPNsense
.
proxy
.
forward
.
addACLforInterfaceSubnets
==
'1'
%}
{%
for
interface
in
OPNsense
.
proxy
.
forward
.
interfaces
.
split
(
","
) %}
{%
for
intf_key
,
intf_item
in
interfaces
.
iteritems
() %}
{%
if
intf_key
==
interface
and
intf_item
.
ipaddr
!=
'dhcp'
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.interfaces'
) %}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.addACLforInterfaceSubnets'
) %}
{%
if
OPNsense
.
proxy
.
forward
.
addACLforInterfaceSubnets
==
'1'
%}
{%
for
interface
in
OPNsense
.
proxy
.
forward
.
interfaces
.
split
(
","
) %}
{%
for
intf_key
,
intf_item
in
interfaces
.
iteritems
() %}
{%
if
intf_key
==
interface
and
intf_item
.
ipaddr
!=
'dhcp'
%}
acl
localnet
src
{{
intf_item
.
ipaddr
}}/{{
intf_item
.
subnet
}}
# Possible internal network
{%
endif
%}
{%
endfor
%}
{%
if
helpers
.
exists
(
'virtualip'
) %}
{%
for
intf_key
,
intf_item
in
virtualip
.
iteritems
() %}
{%
if
intf_item
.
interface
==
interface
and
intf_item
.
mode
==
'ipalias'
%}
acl
localnet
src
{{
intf_item
.
subnet
}}/{{
intf_item
.
subnet
}}
# Possible internal network
{%
endif
%}
{%
endfor
%}
{%
if
helpers
.
exists
(
'virtualip'
) %}
{%
for
intf_key
,
intf_item
in
virtualip
.
iteritems
() %}
{%
if
intf_item
.
interface
==
interface
and
intf_item
.
mode
==
'ipalias'
%}
acl
localnet
src
{{
intf_item
.
subnet
}}/{{
intf_item
.
subnet
}}
# Possible internal network
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
endif
%}
# Default allow for local-link and private networks
acl
localnet
src
fc00
::/
7
# RFC 4193 local private network range
acl
localnet
src
fe80
::/
10
# RFC 4291 link-local (directly plugged) machines
@@ -54,26 +54,26 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# ACL lists
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.allowedSubnets'
) %}
# ACL - Allow Subnets - User defined (subnets)
{%
for
network
in
OPNsense
.
proxy
.
forward
.
acl
.
allowedSubnets
.
split
(
","
) %}
acl
subnets
src
{{
network
}}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.unrestricted'
) %}
# ACL - Unrestricted IPs - User defined (unrestricted)
{%
for
ip
in
OPNsense
.
proxy
.
forward
.
acl
.
unrestricted
.
split
(
","
) %}
acl
unrestricted
src
{{
ip
}}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.bannedHosts'
) %}
# ACL - Banned Hosts - User defined (bannedHosts)
{%
for
ip
in
OPNsense
.
proxy
.
forward
.
acl
.
bannedHosts
.
split
(
","
) %}
acl
bannedHosts
src
{{
ip
}}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.whiteList'
) %}
# ALC - Whitelist - User defined (whiteList)
{%
for
element
in
OPNsense
.
proxy
.
forward
.
acl
.
whiteList
.
split
(
","
) %}
@@ -84,8 +84,8 @@ acl dstdomain {{element}}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.blackList'
) %}
# ALC - Blacklist - User defined (blackList)
{%
for
element
in
OPNsense
.
proxy
.
forward
.
acl
.
blackList
.
split
(
","
) %}
{%
if
'^'
or
'\\'
or
'$'
or
'['
in
element
%}
@@ -95,15 +95,15 @@ acl blackList dstdomain {{element}}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.browser'
) %}
# ALC - Block browser/user-agent - User defined (browser)
{%
for
element
in
OPNsense
.
proxy
.
forward
.
acl
.
browser
.
split
(
","
) %}
acl
blockuseragents
browser
{{
element
}}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.mimeType'
) %}
# ALC - Block MIME types - User defined (mimetype)
{%
for
element
in
OPNsense
.
proxy
.
forward
.
acl
.
mimeType
.
split
(
","
) %}
acl
blockmimetypes
rep_mime_type
{{
element
}}
@@ -144,20 +144,18 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
# ACL - Local Authorized Users - local_auth
acl
local_auth
proxy_auth
REQUIRED
{%
endif
%}
# ALLOW UNRESTRICTED
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.unrestricted'
) %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
http_access
allow
unrestricted
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.blackList'
) %}
#
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.blackList'
) %}
# ACL list (Deny) blacklist
http_access
deny
blackList
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.acl.browser'
) %}
# ACL list (Deny) blockuseragent
@@ -218,8 +216,12 @@ http_access allow subnets
# Deny all other access to this proxy
http_access
deny
all
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.cache.local'
) %}
{%
if
OPNsense
.
proxy
.
general
.
cache
.
local
.
enabled
==
'1'
%}
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
cache_dir
ufs
{{
OPNsense
.
proxy
.
general
.
cache
.
local
.
directory
}} {{
OPNsense
.
proxy
.
general
.
cache
.
local
.
size
}} {{
OPNsense
.
proxy
.
general
.
cache
.
local
.
l1
}} {{
OPNsense
.
proxy
.
general
.
cache
.
local
.
l2
}}
{%
endif
%}
{%
endif
%}
# Leave coredumps in the first cache dir
coredump_dir
/
var
/
squid
/
cache
@@ -273,3 +275,40 @@ httpd_suppress_version_string on
icp_port
{{
OPNsense
.
proxy
.
general
.
icpPort
}}
{%
endif
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.uriWhitespaceHandling'
) %}
# URI hanlding with Whitespaces (default=strip)
uri_whitespace
{{
OPNsense
.
proxy
.
general
.
uriWhitespaceHandling
}}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.forwardedForHandling'
) %}
# X-Forwarded header handling (default=on)
forwarded_for
{{
OPNsense
.
proxy
.
general
.
forwardedForHandling
}}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.enabled'
)
and
OPNsense
.
proxy
.
general
.
traffic
.
enabled
==
'1'
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.maxDownloadSize'
) %}
# Define max download size
reply_body_max_size
{{
OPNsense
.
proxy
.
general
.
traffic
.
maxDownloadSize
}}
KB
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.maxUploadSize'
) %}
# Define max upload size
request_body_max_size
{{
OPNsense
.
proxy
.
general
.
traffic
.
maxUploadSize
}}
KB
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.perHostTrotteling'
) %}
delay_pools
1
delay_class
1
3
delay_access
1
allow
all
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.OverallBandwidthTrotteling'
) %}
# Define PerHost and Overall Bandwith Trotteling
delay_parameters
1
{{
OPNsense
.
proxy
.
general
.
traffic
.
OverallBandwidthTrotteling
|
int
//
8
*
1000
}}/{{
OPNsense
.
proxy
.
general
.
traffic
.
OverallBandwidthTrotteling
|
int
//
8
*
1000
}} -
1
/-
1
{{
OPNsense
.
proxy
.
general
.
traffic
.
perHostTrotteling
|
int
//
8
*
1000
}}/{{
OPNsense
.
proxy
.
general
.
traffic
.
OverallBandwidthTrotteling
|
int
//
8
*
1000
}}
{%
else
%}
# Define PerHost Trotteling
delay_parameters
-
1
/-
1
{{
OPNsense
.
proxy
.
general
.
traffic
.
perHostTrotteling
|
int
//
8
*
1000
}}/{{
OPNsense
.
proxy
.
general
.
traffic
.
perHostTrotteling
|
int
//
8
*
1000
}}
{%
endif
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.general.traffic.OverallBandwidthTrotteling'
)
and
not
helpers
.
exists
(
'OPNsense.proxy.general.traffic.perHostTrotteling'
) %}
# Define Overall Bandwidth Trotteling
delay_pools
1
delay_class
1
1
delay_access
1
allow
all
delay_parameters
1
{{
OPNsense
.
proxy
.
general
.
traffic
.
OverallBandwidthTrotteling
|
int
//
8
*
1000
}}/{{
OPNsense
.
proxy
.
general
.
traffic
.
OverallBandwidthTrotteling
|
int
//
8
*
1000
}}
{%
endif
%}
{%
endif
%}
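Review bot: In the last hunk the kbps-to-bytes/s conversion is written as `| int // 8 * 1000`, which floors before scaling and so under-allocates for any value not divisible by 8 (e.g. 12 kbps yields 1000 instead of 1500 bytes/s); reorder to `| int * 1000 // 8` in all eight occurrences. In the `@@ -218` hunk the `cache_dir ufs {{ ...cache.local.directory }}` value is substituted unquoted from a free-text model field, so a value containing whitespace would be split into extra tokens by Squid — worth validating in the model or documenting the single-token assumption with a comment above that line. The same hunk keeps `coredump_dir /var/squid/cache` hard-coded while the comment says to "leave coredumps in the first cache dir", which is now configurable; rendering the same `directory` value there would keep the two in sync. The traffic block in the last hunk is closed by the final `{% endif %}`, but the end of the file lies outside the hunk.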