{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %} # ALLOW UNRESTRICTED # ACL list (Allow) unrestricted {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow unrestricted {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow unrestricted {% endif %} {% endif %} http_access allow unrestricted {% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %} # ACL list (Allow) whitelist {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow whiteList {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow whiteList {% endif %} {% endif %} http_access allow whiteList {% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %} # # ACL list (Deny) blacklist {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny blackList {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny blackList {% endif %} {% endif %} http_access deny blackList {% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %} {% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %} # ACL list (Deny) remoteblacklist_{{blacklist.filename}} {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}} {% endif %} {% endif %} http_access deny remoteblacklist_{{blacklist.filename}} {% endfor %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.browser') %} # ACL list (Deny) blockuseragent {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny blockuseragents {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny blockuseragents {% endif %} {% endif %} http_access deny blockuseragents {% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %} # ACL list (Deny) blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} {% endif %} {% endif %} http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %} {% endif %} # Deny requests to certain unsafe ports {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} {% endif %} {% endif %} http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} # Deny CONNECT to other than secure SSL ports {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} {% endif %} {% endif %} http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %} {% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %} {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny bannedHosts {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny bannedHosts {% endif %} {% endif %} http_access deny bannedHosts {% endif %} # Only allow cachemgr access from localhost {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow localhost manager {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow localhost manager {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny manager {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny manager {% endif %} {% endif %} http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny to_localhost {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny to_localhost {% endif %} {% endif %} http_access deny to_localhost {% if helpers.exists('OPNsense.proxy.forward.icap.exclude') %} # ACL - Whitelist - User defined (whiteList) {% for element in OPNsense.proxy.forward.icap.exclude.split(",") %} {% if '^' in element or '\\' in element or '$' in element or '[' in element %} acl exclude_icap url_regex {{element|encode_idna}} {% else %} acl exclude_icap url_regex {{element|encode_idna|replace(".","\.")}} {% endif %} {% endfor %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny exclude_icap {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny exclude_icap {% endif %} {% endif %} # Auth plugins include /usr/local/etc/squid/auth/*.conf # # Access Permission configuration: # # Deny request from unauthorized clients {% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %} {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow local_auth {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow local_auth {% endif %} {% endif %} http_access allow local_auth {% endif %} # # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets) {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow localnet {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow localnet {% endif %} {% endif %} http_access allow localnet # ACL - localhost {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow localhost {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow localhost {% endif %} {% endif %} http_access allow localhost {% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %} # ACL list (Allow) subnets {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod allow subnets {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod allow subnets {% endif %} {% endif %} http_access allow subnets {% endif %} # Deny all other access to this proxy {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %} {% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %} adaptation_access response_mod deny all {% endif %} {% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %} adaptation_access request_mod deny all {% endif %} {% endif %} http_access deny all