Commit dfe12a46 authored by Ad Schellevis's avatar Ad Schellevis

(proxy) add transparant proxy option to squid including a template for the...

(proxy) add transparent proxy option to squid including a template for the firewall_nat rules to forward traffic to it
parent 7c806d04
...@@ -179,14 +179,17 @@ ...@@ -179,14 +179,17 @@
<type>text</type> <type>text</type>
<help><![CDATA[The port the proxy service will listen to.]]></help> <help><![CDATA[The port the proxy service will listen to.]]></help>
</field> </field>
<!--
<field> <field>
<id>proxy.forward.transparentMode</id> <id>proxy.forward.transparentMode</id>
<label>Enable Transparent HTTP proxy</label> <label>Enable Transparent HTTP proxy</label>
<type>checkbox</type> <type>checkbox</type>
<help><![CDATA[Enable transparent proxy mode to forward all requests for destination port 80 to the proxy server without any additional configuration.]]></help> <help><![CDATA[
Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server.
You may leave the proxy interfaces empty, but remember to set a valid ACL in that case.
<br/>
<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
]]></help>
</field> </field>
-->
<field> <field>
<id>proxy.forward.addACLforInterfaceSubnets</id> <id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label> <label>Allow interface subnets</label>
......
...@@ -7,5 +7,5 @@ for SQUID_DIR in ${SQUID_DIRS}; do ...@@ -7,5 +7,5 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chown -R squid:squid ${SQUID_DIR} chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR} chmod -R 750 ${SQUID_DIR}
done done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z /usr/local/sbin/squid -z
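Review bot: The added `/usr/sbin/pw groupmod proxy -m squid` grants the squid user an extra group on every run of this script, whether or not transparent mode is enabled, and nothing says why the membership is needed. Presumably it lets squid query the packet filter for the original destination in intercept mode; if that is right, a comment such as `# intercept mode: squid needs group proxy for NAT lookups (confirm)` would document the privilege being handed out. The exit status is also ignored, so a failed group change would only show up later as a non-working transparent proxy; logging it with something like `|| echo "could not add squid to group proxy" >&2` would make that visible. The start of the script lies outside the hunk.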
squid_enable={% if OPNsense.proxy.general.enabled|default("0") == "1" %}YES{% else %}NO{% endif %} squid_enable={% if OPNsense.proxy.general.enabled|default("0") == "1" %}YES{% else %}NO{% endif %}
squid_opnsense_bootup_run="/usr/local/opnsense/scripts/proxy/setup.sh"
...@@ -3,11 +3,16 @@ ...@@ -3,11 +3,16 @@
# Do not edit this file manually. # Do not edit this file manually.
# setup listen configuration # setup listen configuration
{%if OPNsense.proxy.forward.transparentMode == '1' %}
# transparant mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %} {% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %} {% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %} {% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} {% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}intercept{% endif %} http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
...@@ -15,7 +20,7 @@ http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense. ...@@ -15,7 +20,7 @@ http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.
{% if helpers.exists('virtualip') %} {% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %} {% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} {% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {%if OPNsense.proxy.forward.transparentMode == '1' %}intercept{% endif %} http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
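Review bot: With transparent mode on and no proxy interfaces selected, the only listener this template emits is the new `http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept`, so the generated configuration has no ordinary forward-proxy port. Squid generally expects at least one non-intercept `http_port` and, as far as I know, warns at startup when there is none; the form help explicitly allows empty interfaces, so this state should be confirmed as intended. Dropping `intercept` from the per-interface and virtual-IP listeners is a good change, since clients then cannot reach the intercept port directly, and a comment would record that reasoning, for example `# intercept listener is loopback-only: traffic must arrive through the NAT redirect rule, never directly`. The interface loop continues outside the two hunks shown.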
......
...@@ -154,12 +154,35 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -154,12 +154,35 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (!$pconfig['interface']) if (!$pconfig['interface'])
$pconfig['interface'] = "wan"; $pconfig['interface'] = "wan";
} else {
if (isset($_GET['template']) && $_GET['template'] == 'transparant_proxy') {
// new rule for transparant proxy reflection, to use as sample
$pconfig['interface'] = "lan";
$pconfig['src'] = "lan";
$pconfig['srcbeginport'] = 'any';
$pconfig['srcendport'] = 'any';
$pconfig['dst'] = "any";
$pconfig['dstbeginport'] = 80 ;
$pconfig['dstendport'] = 80 ;
$pconfig['localip'] = '127.0.0.1';
// try to read the proxy configuration to determine the current port
// this has some disadvantages in case of dependencies, but there isn't
// a much better solution available at the moment.
if (isset($config['OPNsense']['proxy']['forward']['port'])) {
$pconfig['localbeginport'] = $config['OPNsense']['proxy']['forward']['port'];
} else {
$pconfig['localbeginport'] = 3128;
}
$pconfig['natreflection'] = 'enable';
$pconfig['descr'] = "redirect traffic to proxy";
} else { } else {
$pconfig['interface'] = "wan"; $pconfig['interface'] = "wan";
$pconfig['src'] = "any"; $pconfig['src'] = "any";
$pconfig['srcbeginport'] = "any"; $pconfig['srcbeginport'] = "any";
$pconfig['srcendport'] = "any"; $pconfig['srcendport'] = "any";
} }
}
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
// save form data // save form data
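Review bot: The template key `'transparant_proxy'` is misspelled, and the same magic string appears in the `href` added to the proxy form help. If the spelling is later corrected on one side only, the request silently falls through to the default `wan` branch instead of failing. I would correct it in both places in this commit and compare strictly, `if (isset($_GET['template']) && $_GET['template'] === 'transparent_proxy') {`, so an array-valued or otherwise odd `template` parameter can never match. The prefilled values are all hard-coded or read from `$config`, which is good, because nothing from the query string reaches the form. The enclosing `if` on the request method starts and ends outside the hunk.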
......