#
# Automatically generated configuration for Squid (rendered from a Jinja2 template).
# Do not edit this file manually.

# setup listen configuration
{# Transparent mode: the firewall redirects client traffic to this port, so the
   'intercept' listener is bound to loopback only and is not addressed directly
   by clients. #}
{% if OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{% endif %}

{# Explicit (non-intercept) listeners: one http_port per selected interface
   address, plus one per IP-alias virtual IP bound to that interface. Interfaces
   whose address is still 'dhcp' have no static address to bind and are skipped. #}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{%   for selected in OPNsense.proxy.forward.interfaces.split(",") %}
{%     for if_name, if_cfg in interfaces.iteritems() if if_name == selected and if_cfg.ipaddr != 'dhcp' %}
http_port {{ if_cfg.ipaddr }}:{{ OPNsense.proxy.forward.port }}

{%     endfor %}
{# virtual ip's: for an ipalias entry the 'subnet' field is used as the bind address #}
{%     if helpers.exists('virtualip') %}
{%       for vip_name, vip in virtualip.iteritems() if vip.interface == selected and vip.mode == 'ipalias' %}
http_port {{ vip.subnet }}:{{ OPNsense.proxy.forward.port }}

{%       endfor %}
{%     endif %}
{%   endfor %}
{% endif %}

# Setup ftp proxy
{# Native FTP relay: one ftp_port per selected interface address / IP alias.
   With ftpTransparentMode the port is an intercept port (firewall-redirected);
   otherwise it is configured as an accelerator gateway (accel ... protocol=HTTP). #}
{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
{%   for selected in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
{%     for if_name, if_cfg in interfaces.iteritems() if if_name == selected and if_cfg.ipaddr != 'dhcp' %}
ftp_port {{ if_cfg.ipaddr }}:{{ OPNsense.proxy.forward.ftpPort }} {{ 'intercept' if OPNsense.proxy.forward.ftpTransparentMode == '1' else 'accel ftp-track-dirs protocol=HTTP' }}

{%     endfor %}
{# virtual ip's: for an ipalias entry the 'subnet' field is used as the bind address #}
{%     if helpers.exists('virtualip') %}
{%       for vip_name, vip in virtualip.iteritems() if vip.interface == selected and vip.mode == 'ipalias' %}
ftp_port {{ vip.subnet }}:{{ OPNsense.proxy.forward.ftpPort }} {{ 'intercept' if OPNsense.proxy.forward.ftpTransparentMode == '1' else 'accel ftp-track-dirs protocol=HTTP' }}

{%       endfor %}
{%     endif %}
{%   endfor %}
{% endif %}

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{# Interface-derived entries are only emitted when the interface list exists AND
   addACLforInterfaceSubnets is '1'; otherwise 'localnet' consists solely of the
   two IPv6 ranges at the bottom of this section. #}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{%  if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{%      if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{%      for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{%          for intf_key,intf_item in interfaces.iteritems() %}
{%              if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{# NOTE(review): the network is derived by replacing the last octet with .0, which is
   only correct for a /24. With a shorter prefix (e.g. /16) host bits stay set; with a
   longer one (e.g. /25 on an address ending in .129) the emitted network does not even
   contain the interface address, so the interface's own clients are not matched.
   Emitting the real network address (or the address itself and letting Squid apply the
   mask -- it masks and logs a warning when host bits are set, verify on the target
   version) would fix this; confirm what the interface model exposes before changing. #}
acl localnet src {{intf_item.ipaddr.split(".")[0:3]|join(".")}}.0/{{intf_item.subnet}} # Possible internal network
{%              endif %}
{%          endfor %}
{%          if helpers.exists('virtualip') %}
{%              for intf_key,intf_item in virtualip.iteritems() %}
{%                  if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{# NOTE(review): the http_port section uses intf_item.subnet as the alias *address*, so
   "subnet/subnet" here renders as address/address rather than address/prefix-length,
   which is not a meaningful netmask. The alias prefix-length field of the virtualip
   model should be used as the mask -- confirm its name before changing. #}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
{%                  endif %}
{%              endfor %}
{%          endif %}
{%      endfor %}
{%      endif %}
{%  endif %}
{% endif %}
# Default allow for local-link and private networks
{# These two IPv6 ranges are part of 'localnet' unconditionally, independent of
   addACLforInterfaceSubnets and of the selected interfaces. #}
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Default localhost and to_localhost acl's
{# Left commented out on purpose: Squid (3.2 and later) predefines 'localhost' and
   'to_localhost' with these values, and the http_access rules further down rely on
   those built-in definitions. #}
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}

# ACL - Allow Subnets - User defined (subnets)
{# Comma-separated operator input, emitted verbatim as 'src' entries. #}
{%  for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}

# ACL - Unrestricted IPs - User defined (unrestricted)
{# Source addresses that the http_access section allows first and exempts from the
   MIME, Safe_ports and SSL_ports denies (see the '!unrestricted' terms there). #}
{%  for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}

# ACL - Banned Hosts - User defined (bannedHosts)
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") if false %}{% endfor %}
{%  for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL - Whitelist - User defined (whiteList)
{# Entries containing ^ \ $ or [ are treated as hand-written regexes and emitted as-is;
   anything else is treated as a literal and only its dots are escaped. Two caveats:
   other regex metacharacters (* + ? ( ) |) in a "literal" entry stay live, and the
   resulting url_regex is unanchored and case-sensitive (no -i), so a literal such as
   example.com also matches any URL that merely contains that string in its host,
   path or query string. #}
{%  for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl whiteList url_regex {{element}}
{%      else %}
acl whiteList url_regex {{element|replace(".","\.")}}
{%      endif %}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}

# ACL - Blacklist - User defined (blackList)
{# Same regex/literal heuristic as the whitelist above; the same unanchored,
   case-sensitive matching caveats apply. #}
{%  for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl blackList url_regex {{element}}
{%      else %}
acl blackList url_regex {{element|replace(".","\.")}}
{%      endif %}
{%  endfor %}
{% endif %}

# ACL - Remote fetched Blacklist (remoteblacklist)
{# One dstdom_regex file per enabled remote blacklist. The path is built from
   blacklist.filename inside double quotes, so the model producing the filename must
   guarantee it contains no quote characters or path separators, otherwise the path
   can leave /usr/local/etc/squid/acl/ -- TODO confirm upstream validation. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
{%      if blacklist.enabled=='1' %}
acl remoteblacklist dstdom_regex "/usr/local/etc/squid/acl/{{blacklist.filename}}"
{%      endif %}
{%   endfor %}
{% endif %}

# ACL - Block browser/user-agent - User defined (browser)
{# 'browser' is a regex match on the User-Agent request header; entries are emitted verbatim. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
{%  for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{%  endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}

# ACL - Block MIME types - User defined (mimetype)
{# Each type is checked both on the reply Content-Type (rep_mime_type, used with
   http_reply_access) and on the request Content-Type (req_mime_type, used with
   http_access). #}
{%  for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
acl blockmimetypes_requests req_mime_type {{element}}
{%  endfor %}
{% endif %}

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
{# Entry format is port[:description]; a missing description indexes past the end of the
   split list, which Jinja turns into an Undefined that |default replaces. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{%  for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{%  endfor %}
{% endif %}

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ACL - Safe_ports
{%  for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{%  endfor %}
{% endif %}
{# Used by the 'deny CONNECT !SSL_ports' rule to confine tunnels to the listed ports. #}
acl CONNECT method CONNECT

# Authentication Settings
{# Only the 'local' method is handled here: HTTP Basic authentication against the local
   user database through the helper below. Basic credentials travel base64-encoded
   (effectively cleartext) between client and proxy, so this relies on the client
   network being trusted. Squid does not support proxy authentication for intercepted
   connections, so this only applies to explicitly configured (non-transparent) clients. #}
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
{# Realm text shown in the browser's credential prompt; emitted unquoted, rest of line. #}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
{# How long a validated credential is trusted before the helper is consulted again. #}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
{# Number of helper processes Squid may start. #}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
{# Matches any request carrying credentials the helper accepts (no per-user restriction). #}
acl local_auth proxy_auth REQUIRED
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}

# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{# First rule evaluated: these source addresses bypass every deny below, the port
   restrictions and the authentication requirement. #}
http_access allow unrestricted
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}

# ACL list (Allow) whitelist
{# NOTE(review): this allow is evaluated before the blacklist, user-agent, MIME,
   Safe_ports, CONNECT, bannedHosts and to_localhost denies and before local_auth,
   and it is not combined with any source ACL. Because whiteList entries are
   unanchored url_regex patterns, any client that can reach the listener obtains an
   unauthenticated allow for every URL containing a whitelisted string (e.g. in the
   query string), including requests to non-safe ports or to the proxy host itself,
   and bannedHosts are not banned for such URLs. If the intent is "whitelisted sites
   need no authentication", this rule belongs after the deny block (below
   'http_access deny to_localhost') and probably ANDed with a source ACL, e.g.
   `http_access allow localnet whiteList`. #}
http_access allow whiteList
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}

#
# ACL list (Deny) blacklist
http_access deny blackList

{% endif %}

{# The loop filter keeps only enabled blacklists; loop.first emits the deny exactly
   once as soon as at least one remote blacklist is enabled. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
{% if loop.first %}
# ACL list (Deny) remoteblacklist
http_access deny remoteblacklist
{% endif %}
{%   endfor %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}

# ACL list (Deny) blockuseragent
http_access deny blockuseragents
{% endif %}

{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}

# ACL list (Deny) blockmimetypes
{# Reply-side check (Content-Type of the response) and request-side check; both exempt
   'unrestricted' sources when that ACL exists. #}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}

http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}

{% endif %}

# Deny requests to certain unsafe ports
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}

{# Banned source addresses; note this sits after the unrestricted and whiteList allows,
   so a banned host still gets whatever those rules grant. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
http_access deny bannedHosts
{% endif %}

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Protect web applications running on the proxy host that assume only a local user
# can reach services on "localhost" (relies on Squid's built-in to_localhost ACL,
# since the explicit definition above is commented out).
http_access deny to_localhost

#
# Access Permission configuration:
#
# Require authentication when the local method is enabled
{# Allows any successfully authenticated user regardless of source address. When Squid
   reaches this proxy_auth rule for a request without credentials it answers 407, so
   with local auth enabled the 'localnet' allow below is effectively only reached by
   authenticated clients (Squid auth semantics -- verify on the target version). #}
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method=='local' %}
http_access allow local_auth
{% endif %}

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet

# ACL - localhost
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}

# ACL list (Allow) subnets
http_access allow subnets
{% endif %}

# Deny all other access to this proxy
http_access deny all

{% if helpers.exists('OPNsense.proxy.general.cache.local')  %}
{%  if OPNsense.proxy.general.cache.local.enabled == '1' %}
# Disk cache directory: ufs <directory> <size in MB> <L1 dirs> <L2 dirs>, from the cache settings.
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{%  endif %}
{% endif %}

# Leave coredumps in the first cache dir
{# NOTE(review): this path is hard-coded and does not follow the configured cache
   directory above, so the comment only holds when that directory is /var/squid/cache.
   Core dumps can contain in-flight request data (including Authorization headers), so
   the directory's permissions matter regardless of where it points. #}
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
{# Squid's standard defaults: min age (minutes), percent of object age, max age (minutes);
   dynamic content (cgi-bin or query strings) is never cached. #}
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# Squid Options
{# Each option is emitted only when its setting exists and has the enabling value;
   the exists() check is evaluated first so a missing setting is never dereferenced. #}
{% if helpers.exists('OPNsense.proxy.general.dnsV4First') and OPNsense.proxy.general.dnsV4First == '1' %}
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
{% endif %}

{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
{%   if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
# Disable access logging (note: this removes the per-request audit trail entirely)
access_log none
{%   elif OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
# ignore source hosts from access.log (comma-separated setting rendered as a space-separated src list)
acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
access_log /var/log/squid/access.log squid !accesslog_ignore
{%   endif %}
{% endif %}

{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') and OPNsense.proxy.general.logging.enable.storeLog == '0' %}
# Disable cache store log
cache_store_log none
{% endif %}
{# Alternate resolvers: one dns_nameservers line per configured server, in the configured order. #}
{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
{%   for resolver in OPNsense.proxy.general.alternateDNSservers.split(",") %}
dns_nameservers {{ resolver }}
{%   endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.useViaHeader') and OPNsense.proxy.general.useViaHeader == '0' %}
# Disable via Header
via off
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.suppressVersion') and OPNsense.proxy.general.suppressVersion == '1' %}
# Suppress http version string (default=off)
httpd_suppress_version_string on
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.icpPort') and OPNsense.proxy.general.icpPort != '' %}
icp_port {{ OPNsense.proxy.general.icpPort }}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI handling with whitespaces (default=strip)
uri_whitespace {{ OPNsense.proxy.general.uriWhitespaceHandling }}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded-For handling (default=on). 'on' appends the client address to
# X-Forwarded-For and so discloses internal addresses to upstream servers.
forwarded_for {{ OPNsense.proxy.general.forwardedForHandling }}
{% endif %}
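{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{# Traffic management: body size limits and delay-pool shaping.
   Bandwidth settings are converted to Squid's bytes/s as x * 1000 / 8, i.e. the
   conversion treats them as kbit/s. The multiplication is done before the integer
   division; the previous "// 8 * 1000" truncated first and could under-report the
   rate by up to 875 bytes/s.
   NOTE(review): if helpers.exists() is true for a present-but-empty field, |int
   yields 0 and a 0/0 bucket would stall all traffic -- confirm the model rejects
   empty values. #}
{%  if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size (reply body limit, KB)
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{%  endif %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size (request body limit, KB)
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{%  endif %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
{%      set perhost_bps = OPNsense.proxy.general.traffic.perHostTrotteling|int * 1000 // 8 %}
# Per-host shaping: class 3 pool (aggregate / per-network / per-host buckets), applied to every client
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{%      if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
{%          set overall_bps = OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int * 1000 // 8 %}
# Define PerHost and Overall Bandwidth Throttling:
# aggregate bucket = overall limit, network bucket unlimited,
# per-host bucket refills at the per-host rate and may burst up to the overall limit
delay_parameters 1 {{overall_bps}}/{{overall_bps}} -1/-1 {{perhost_bps}}/{{overall_bps}}
{%      else %}
# Define PerHost Throttling only. A class 3 pool takes the pool id followed by
# aggregate, network and individual buckets; the aggregate and network buckets are unlimited here.
delay_parameters 1 -1/-1 -1/-1 {{perhost_bps}}/{{perhost_bps}}
{%      endif %}
{%  endif %}
{%  if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
{%      set overall_bps = OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int * 1000 // 8 %}
# Define Overall Bandwidth Throttling: class 1 pool (single aggregate bucket) for every client
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{overall_bps}}/{{overall_bps}}
{%  endif %}
{% endif %}
# Disable squid logfile rotate to use system defaults
logfile_rotate 0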