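#
# Automatically generated configuration for Squid.
# Do not edit this file manually.
#
{#
  Jinja template for the Squid forward-proxy configuration.
  Inputs read from the render context: `helpers` (exists/toList/getIPNetwork),
  the `OPNsense.proxy.*` model, `interfaces`, `virtualip` and `system.language`.
  Lines starting with `#` are emitted into squid.conf as Squid comments;
  `{# … #}` blocks are template-only notes and never reach the generated file.
#}
{# wrap listener configuration for reuse #}
{#
  listener_config(network, port='3129', tags='', protocol='')
    network  - address to bind (IPv6 literals are passed already bracketed by the caller)
    port     - TCP port, defaults to 3129
    tags     - extra http_port/https_port flags, e.g. 'intercept'
    protocol - 'ssl' selects https_port, anything else http_port
  When sslbump == '1' the ssl-bump options (CA at /var/squid/ssl/ca.pem,
  dynamic certificate generation) are appended to every listener.
#}
{% macro listener_config(network, port='3129', tags='', protocol='') -%}
{% if protocol == 'ssl' %}
{% set listener_type = 'https_port' %}
{% else %}
{% set listener_type = 'http_port' %}
{% endif %}
{% set sslparams = '' %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
{% endif %}
{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
{%- endmacro %}
{# Transparent (intercept) listeners are bound to loopback only; the firewall redirect is expected to deliver traffic there. #}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# Setup transparent mode listeners on loopback interfaces
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{% endif %}
{% endif %}
# Setup regular listeners configuration
{# One listener per selected interface with a static IPv4 address (DHCP-assigned interfaces are skipped). #}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{# Virtual IPs of type 'single' on the selected interface also get a listener; a ':' in the address marks IPv6 and is bracketed. #}
{% if helpers.exists('virtualip') %}
{% for intf_item in helpers.toList('virtualip.vip') %}
{% if intf_item.interface == interface and intf_item.type == 'single' %}
{% if intf_item.subnet.find(':') > -1 %}
{{ listener_config('['+intf_item.subnet+']', OPNsense.proxy.forward.port) }}
{% else %}
{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
{# NOTE(review): only TLS 1.0 is excluded here (NO_TLSv1) and the cipher list still admits MEDIUM; revisit against current TLS policy. #}
tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
{# Peek at step 1 (to learn the SNI) and then splice everything. NOTE(review): ssl_bump is first-match, so the three rules after `ssl_bump splice all` appear unreachable; confirm and drop them if so. #}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
{% else %}
{# Full bump except for names listed in nobumpsites.acl, which are peeked and then spliced. #}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
{# Server certificate validation errors are never bypassed. #}
sslproxy_cert_error deny all
{% endif %}
acl ftp proto FTP
{# NOTE(review): http_access is first-match, so this admits FTP-scheme requests from any client source ahead of the localnet/user ACL rules emitted below and in the included squid.acl.conf; confirm this ordering is intended. #}
http_access allow ftp
{% if helpers.exists('OPNsense.proxy.forward.ftpTransparentMode') and OPNsense.proxy.forward.ftpTransparentMode == '1' %}
# transparent mode, listen on localhost
ftp_port 127.0.0.1:{{ OPNsense.proxy.forward.ftpPort }} intercept
ftp_port [::1]:{{ OPNsense.proxy.forward.ftpPort }} intercept
{% endif %}
# Setup ftp proxy
{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
{% for interface in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
ftp_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{% endif %}
{% endfor %}
{# virtual ip's #}
{# NOTE(review): this loop walks virtualip.items() and tests `mode == 'ipalias'`, while the HTTP listener loop above walks helpers.toList('virtualip.vip') and tests `type == 'single'`; confirm which shape `virtualip` has — if it is a {'vip': [...]} mapping, no ftp_port is ever emitted here. #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.items() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
{# Interface subnets only join `localnet` when addACLforInterfaceSubnets == '1'; the v4 and v6 networks are normalised via helpers.getIPNetwork. #}
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
{% if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.items() %}
{% if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
acl localnet src {{ helpers.getIPNetwork(intf_item.ipaddr+'/'+intf_item.subnet)[0].format() }}/{{intf_item.subnet}} # Possible internal network (interfaces v4)
{% endif %}
{% if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
acl localnet src {{helpers.getIPNetwork(intf_item.ipaddrv6+'/'+intf_item.subnetv6)[0].format()}}/{{intf_item.subnetv6}} # Possible internal network (interfaces v6)
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip.vip') %}
{% for intf_item in helpers.toList('virtualip.vip') %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
acl localnet src {{intf_item.subnet}}/{{intf_item.subnet_bits}} # Possible internal network (aliases)
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
# Default allow for link-local and private networks
{# Only the IPv6 ULA and link-local ranges are added unconditionally; IPv4 private ranges enter `localnet` solely through the interface/alias loops above. #}
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL lists
{# User-supplied lists below are comma-split and emitted verbatim; this template does no validation of its own — assumes the model validates each entry. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL - Allow Subnets - User defined (subnets)
{% for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
acl subnets src {{network}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ACL - Unrestricted IPs - User defined (unrestricted)
{% for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
acl unrestricted src {{ip}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
# ACL - Banned Hosts - User defined (bannedHosts)
{% for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
acl bannedHosts src {{ip}}
{% endfor %}
{% endif %}
{#
  Whitelist/blacklist entries become url_regex ACLs. An entry containing any of
  ^ \ $ [ is treated as a hand-written regex and emitted as-is; otherwise only
  the dots are escaped. NOTE(review): plain entries are unanchored, so an entry
  like example.com matches anywhere in the URL (including other hostnames that
  contain it) — confirm this is the intended matching semantics for an allow list.
#}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL - Whitelist - User defined (whiteList)
{% for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl whiteList url_regex {{element|encode_idna}}
{% else %}
acl whiteList url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
# ACL - Blacklist - User defined (blackList)
{% for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
{% if '^' in element or '\\' in element or '$' in element or '[' in element %}
acl blackList url_regex {{element|encode_idna}}
{% else %}
acl blackList url_regex {{element|encode_idna|replace(".","\.")}}
{% endif %}
{% endfor %}
{% endif %}
# ACL - Remote fetched Blacklist (remoteblacklist)
{# blacklist.filename is used both in the ACL name and in the on-disk path — assumes the model restricts it to a plain file name. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
{% if blacklist.enabled=='1' %}
acl remoteblacklist_{{blacklist.filename}} dstdomain "/usr/local/etc/squid/acl/{{blacklist.filename}}"
{% endif %}
{% endfor %}
{% endif %}
# ACL - Block browser/user-agent - User defined (browser)
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
{% for element in OPNsense.proxy.forward.acl.browser.split(",") %}
acl blockuseragents browser {{element}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL - Block MIME types - User defined (mimetype)
{# Each MIME type is matched on both the response (rep_mime_type) and the request (req_mime_type). #}
{% for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
acl blockmimetypes rep_mime_type {{element}}
acl blockmimetypes_requests req_mime_type {{element}}
{% endfor %}
{% endif %}
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
{# Entries are "port:description"; the description is optional and falls back to 'unknown'. #}
{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
# ACL - Safe_ports
{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
{% endfor %}
{% endif %}
acl CONNECT method CONNECT
# ICAP SETTINGS
{# When ICAP is enabled, the client IP and user name are only forwarded to the ICAP server if the corresponding Send* options are '1'. #}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
# enable icap
icap_enable on
{% if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
{% endif %}
# send user information to the icap server
{% if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
adaptation_send_client_ip on
{% else %}
adaptation_send_client_ip off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
adaptation_send_username on
{% else %}
adaptation_send_username off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
icap_client_username_encode on
{% else %}
icap_client_username_encode off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.UsernameHeader') and OPNsense.proxy.forward.icap.UsernameHeader != '' %}
icap_client_username_header {{OPNsense.proxy.forward.icap.UsernameHeader}}
{% endif %}
# preview
{% if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
icap_preview_enable on
{% else %}
icap_preview_enable off
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
{% endif %}
# add the servers
{% if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
{% endif %}
{% else %}
# disable icap
icap_enable off
{% endif %}
# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf
# Authentication Settings
{# Jinja includes the first template of the list that exists: the alternative-auth file wins over the local-auth file when present. #}
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% include ['OPNsense/Proxy/squid.user.alt_auth.conf', 'OPNsense/Proxy/squid.user.local_auth.conf'] %}
{% endif %}
{# The http_access rule set (apart from the FTP allow above) lives in squid.acl.conf and is rendered with this template's context. #}
{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf
# Caching settings
{# Caching is switched off entirely only when memory cache is 0 MB and the disk cache is disabled; otherwise the memory cache is always configured. #}
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
{% if OPNsense.proxy.general.cache.local.cache_mem|default('256')|int == 0 and OPNsense.proxy.general.cache.local.enabled == '0' %}
cache deny all
cache_mem 0
{% else %}
cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
{% if OPNsense.proxy.general.cache.local.maximum_object_size|default('') != '' %}
maximum_object_size {{OPNsense.proxy.general.cache.local.maximum_object_size}} MB
{# Large objects (> 4 MB) switch the replacement policy to heap LFUDA. #}
{% if OPNsense.proxy.general.cache.local.maximum_object_size|int > 4 %}
cache_replacement_policy heap LFUDA
{% endif %}
{% endif %}
{% if OPNsense.proxy.general.cache.local.enabled == '1' %}
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{% endif %}
{% endif %}
{% endif %}
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_linux_packages') and OPNsense.proxy.general.cache.local.cache_linux_packages == '1' %}
# Linux package cache:
refresh_pattern pkg\.tar\.xz$ 0 20% 4320 refresh-ims
refresh_pattern d?rpm$ 0 20% 4320 refresh-ims
refresh_pattern deb$ 0 20% 4320 refresh-ims
refresh_pattern udeb$ 0 20% 4320 refresh-ims
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_windows_updates') and OPNsense.proxy.general.cache.local.cache_windows_updates == '1' %}
# http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
{% endif %}
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
{% if helpers.exists('OPNsense.proxy.general.dnsV4First') %}
{% if OPNsense.proxy.general.dnsV4First == '1' %}
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
{% endif %}
{% endif %}
{# Access logging: optional source exclusion ACL, then one of syslog / extended file format / default squid format. #}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
{% if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
# Disable access logging
access_log none
{% else %}
{% if OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
# ignore source hosts from access.log
acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
{% endif %}
{% if OPNsense.proxy.general.logging.target|default('') == 'syslog' %}
access_log syslog:local4.info {% if OPNsense.proxy.general.logging.ignoreLogACL|default('') %}!accesslog_ignore {% endif %}
{% elif OPNsense.proxy.general.logging.target|default('') == 'file_extendend' %}
{# NOTE(review): the quoting after %>Hs (`%h"`) looks unbalanced; verify this line against the intended logformat definition before relying on the extended log. The model value 'file_extendend' is matched as spelled. #}
logformat opnsense %>a %[ui %>eui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squid/access.log opnsense {% if OPNsense.proxy.general.logging.ignoreLogACL|default('') %}!accesslog_ignore {% endif %}
{% else %}
access_log stdio:/var/log/squid/access.log squid {% if OPNsense.proxy.general.logging.ignoreLogACL|default('') %}!accesslog_ignore {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') %}
{% if OPNsense.proxy.general.logging.enable.storeLog == '0' %}
# Disable cache store log
cache_store_log none
{% else %}
cache_store_log stdio:/var/log/squid/store.log
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
{% for dns in OPNsense.proxy.general.alternateDNSservers.split(",") %}
dns_nameservers {{dns}}
{% endfor %}
{% endif %}
{# Header hygiene options: Via, version string and X-Forwarded-For handling are all driven by the model. #}
{% if helpers.exists('OPNsense.proxy.general.useViaHeader') %}
{% if OPNsense.proxy.general.useViaHeader == '0' %}
# Disable via Header
via off
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.suppressVersion') %}
{% if OPNsense.proxy.general.suppressVersion == '1' %}
# Suppress http version string (default=off)
httpd_suppress_version_string on
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.icpPort') %}
{% if OPNsense.proxy.general.icpPort != '' %}
icp_port {{OPNsense.proxy.general.icpPort}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
# URI handling with Whitespaces (default=strip)
uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
# X-Forwarded header handling (default=on)
forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
{% endif %}
{#
  Traffic management. Throttling values are converted with `|int // 8 * 1000`
  (presumably kbit/s to bytes/s — TODO confirm the unit in the model). Because
  the integer division happens before the multiplication, values that are not
  a multiple of 8 are rounded down.
  Pool layouts: with a per-host limit a class 3 pool is used
  (delay_parameters <pool> <aggregate> <network> <individual>), with only an
  overall limit a class 1 pool (<pool> <aggregate>); -1/-1 means unlimited.
#}
{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
# Define max download size
reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
# Define max upload size
request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
delay_pools 1
delay_class 1 3
delay_access 1 allow all
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
# Define PerHost and Overall Bandwidth Throttling
{# NOTE(review): the individual pair uses the per-host rate but the overall value as its bucket size, unlike the per-host-only branch below — confirm that is intended. #}
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% else %}
# Define PerHost Throttling
{# The pool declared above is class 3, so the parameters need the pool id and all three pairs: unlimited aggregate, unlimited per-network, limited per-host. #}
delay_parameters 1 -1/-1 -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
# Define Overall Bandwidth Throttling
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
{% endif %}
{% endif %}
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
{% if helpers.exists('OPNsense.proxy.general.VisibleHostname') %}
# Define visible hostname
visible_hostname {{OPNsense.proxy.general.VisibleHostname}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.general.VisibleEmail') %}
# Define visible email
cache_mgr {{OPNsense.proxy.general.VisibleEmail}}
{% endif %}
{# Error pages follow the system language: lower-cased, with '_' turned into '-' to match the errors/ directory layout. #}
{% if helpers.exists('system.language') and system.language != "" %}
error_directory /usr/local/etc/squid/errors/{{ system.language|lower|replace("_","-")}}
{% endif %}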