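#
# Automatically generated Squid configuration (rendered from the OPNsense proxy template).
# Do not edit this file manually.
#
# Listen configuration
{%if OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode: an intercept listener bound to localhost (traffic is redirected there)
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{# one explicit listener per selected interface with a static IPv4 address (dhcp interfaces are skipped) #}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{# virtual IPs: IP alias entries bound to the selected interface; 'subnet' holds the alias address here #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
# FTP proxy listeners (same interface / virtual IP selection as above)
{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
{% for interface in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
ftp_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.ftpPort }} {%if OPNsense.proxy.forward.ftpTransparentMode == '1' %}intercept{% else %}accel ftp-track-dirs protocol=HTTP{% endif %}
{% endif %}
{% endfor %}
{# virtual IPs #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} {%if OPNsense.proxy.forward.ftpTransparentMode == '1' %}intercept{% else %}accel ftp-track-dirs protocol=HTTP{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed (allow interface subnets).
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{# NOTE(review): the network is built by keeping the first three octets and appending .0, which is only
   correct for a /24 prefix; for any other prefix length the address/prefix pair does not describe the
   interface's real subnet (Squid will presumably warn and mask the address) -- confirm against the model #}
acl localnet src {{intf_item.ipaddr.split(".")[0:3]|join(".")}}.0/{{intf_item.subnet}} # Possible internal network
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{# NOTE(review): 'subnet' is used as the listener address above, so this renders as <address>/<address>;
   the prefix length presumably lives in a separate field of the virtual IP entry -- verify and fix #}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet}} # Possible internal network
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
# Default allow for IPv6 link-local and unique local addresses
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Default localhost and to_localhost acl's (provided by Squid's built-in defaults, kept here for reference)
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# ACL lists
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL - Allow Subnets - User defined (subnets)
{% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL - Unrestricted IPs - User defined (unrestricted)
# Sources listed here bypass every deny rule below (blacklists, port and CONNECT checks, to_localhost)
{% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
# ACL - Banned Hosts - User defined (bannedHosts)
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL - Whitelist - User defined (whiteList)
# Entries containing regex metacharacters are used verbatim; plain entries only get their dots
# escaped and stay unanchored, so 'example.com' also matches 'example.com.other.example' and
# 'notexample.com'. Anchor entries explicitly (^...$) when an exact match is intended.
{% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl whiteList url_regex {{element}}
{% else %}
acl whiteList url_regex {{element|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL - Blacklist - User defined (blackList)
# Same escaping / anchoring behaviour as the whitelist above
{% for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl blackList url_regex {{element}}
{% else %}
acl blackList url_regex {{element|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
# ACL - Remote fetched Blacklist (remoteblacklist)
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
{% if blacklist.enabled=='1' %}
{# the filename is interpolated into the quoted path as-is; assumed to be validated by the model
   (no quotes or path separators) -- TODO confirm #}
acl remoteblacklist dstdom_regex "/usr/local/etc/squid/acl/{{blacklist.filename}}"
{% endif %}
{% endfor %}
{% endif %}
# ACL - Block browser/user-agent - User defined (browser)
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL - Block MIME types - User defined (mimetype)
# Each type is checked on replies (rep_mime_type) and on requests (req_mime_type)
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
acl blockmimetypes_requests req_mime_type {{element}}
{% endfor %}
{% endif %}
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
{# entries are "port:description"; the description is rendered as a trailing comment #}
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ACL - Safe_ports
{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
acl CONNECT method CONNECT
# Authentication Settings
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method=='local' %}
# Configure Local User Authentication helper
# (HTTP Basic: credentials reach the proxy base64-encoded, not encrypted)
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
#
# http_access rules are evaluated top-down, first match wins.
# NOTE: 'unrestricted' and 'whiteList' are allowed before the Safe_ports, CONNECT, bannedHosts and
# to_localhost denies below, so a whitelisted URL is reachable from banned hosts and on any port;
# move those deny rules above the allows if that is not intended.
#
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{# the deny is emitted once, and only when at least one remote list is enabled #}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
{% if loop.first %}
# ACL list (Deny) remoteblacklist
http_access deny remoteblacklist
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes (unrestricted sources are exempt)
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Deny requests to certain unsafe ports
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Protect web applications running on the proxy host that assume only a
# local user can reach services on "localhost"
http_access deny to_localhost
#
# Access Permission configuration:
#
# Deny requests from unauthenticated clients: with local authentication enabled, requests that
# reach this rule without credentials are challenged (see Squid's proxy_auth documentation)
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method=='local' %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet
# ACL - localhost
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
http_access deny all
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
# Disk cache directory (emitted only when the local cache is enabled): directory, size, L1 and L2 dirs
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{% endif %}
{% endif %}
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
{% if helpers.exists('OPNsense.proxy.general.dnsV4First') %}
{% if OPNsense.proxy.general.dnsV4First == '1' %}
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
{% if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
# Disable access logging
access_log none
{% elif OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
# ignore source hosts from access.log
acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
access_log /var/log/squid/access.log squid !accesslog_ignore
{% endif %}
{# with logging enabled and no ignore list, no access_log line is emitted and Squid's default applies #}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') %}
{% if OPNsense.proxy.general.logging.enable.storeLog == '0' %}
# Disable cache store log
cache_store_log none
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
{% for dns in OPNsense.proxy.general.alternateDNSservers.split(",") %}
dns_nameservers {{dns}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.useViaHeader') %}
{% if OPNsense.proxy.general.useViaHeader == '0' %}
# Disable via Header
via off
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.suppressVersion') %}
{% if OPNsense.proxy.general.suppressVersion == '1' %}
# Suppress http version string (default=off)
httpd_suppress_version_string on
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.icpPort') %}
{% if OPNsense.proxy.general.icpPort != '' %}
icp_port {{OPNsense.proxy.general.icpPort}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI handling with Whitespaces (default=strip)
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded header handling (default=on)
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{% endif %}
{# an empty throttle value would render as 0/0 (a bucket that never refills), so the values are
   additionally checked for != '' like icpPort above; the "|int // 8 * 1000" converts the configured
   rate (presumably kbit/s) to bytes per second, -1/-1 means "no limit" #}
{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') and OPNsense.proxy.general.traffic.perHostTrotteling != '' %}
# Class 3 pool: aggregate, per-network and per-host buckets, each given as restore/max
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and OPNsense.proxy.general.traffic.OverallBandwidthTrotteling != '' %}
# Define per-host and overall bandwidth throttling
{# NOTE(review): the per-host bucket max is set to the overall rate (burst up to the aggregate), while
   the per-host-only branch uses the per-host rate for both -- confirm which is intended #}
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% else %}
# Define per-host throttling only: a class 3 pool needs the pool id plus three restore/max pairs,
# so the aggregate and per-network buckets are left unlimited
delay_parameters 1 -1/-1 -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and OPNsense.proxy.general.traffic.OverallBandwidthTrotteling != '' and not (helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') and OPNsense.proxy.general.traffic.perHostTrotteling != '') %}
# Define overall bandwidth throttling (class 1 pool: a single aggregate bucket)
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
# Disable squid logfile rotate to use system defaults
logfile_rotate 0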