From 590aabbac75aec65aaf6cfe8d93325ed5c2b77d1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 30 Jul 2024 11:51:39 +0200
Subject: [PATCH] www/squid: patch up squid wanting ACL definitions out of the box

(cherry picked from commit 3ab6e06aaab1056d9561326205fe63ba2b103a48)
(cherry picked from commit b560bdb92b676aa1d53a3795ea12744c67b86ba5)
(cherry picked from commit 13a9db5d5f103cc943458feeefc5c46be7ebbd7b)
(cherry picked from commit 548909f5cc213c935701b1484a2f1d8d2fef96d7)
---
 www/squid/Makefile | 2 +-
 www/squid/pkg-descr | 1 +
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml | 6 +++++-
 .../service/templates/OPNsense/Proxy/squid.conf | 14 ++++----------
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index cfc272dd5..7da743138 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME= squid
 PLUGIN_VERSION= 1.0
-PLUGIN_REVISION= 2
+PLUGIN_REVISION= 3
 PLUGIN_COMMENT= Squid is a caching proxy for the web
 PLUGIN_DEPENDS= squid squid-langpack
 PLUGIN_TIER= 2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 2840d1808..f2e5e9c85 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -10,3 +10,4 @@ Plugin Changelog
 * Initial version based on the OPNsense 23.7.12 core code
 * Workaround for segmentation faults using OpenSSL legacy provider
 * Correct migration to Python ipaddress library use
+* Set default ACL values vor Safe_ports and SSL_ports
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index d7d2ed578..7c4f59ab5 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -1,6 +1,6 @@
 //OPNsense/proxy
- 1.0.6
+ 1.0.7
 Squid web proxy settings
@@ -362,10 +362,14 @@
+ 80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http
 /^([ \-0-9a-zA-Z:,])*/u
+ Y
+ 443:https
 /^([ \-0-9a-zA-Z:,])*/u
+ Y
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 6c7369393..b5e8e9194 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -219,21 +219,15 @@ acl blockmimetypes_requests req_mime_type {{element}}
 {% endif %}
 # ACL - SSL ports, default are configured in config.xml
-# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
-{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
-{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
+{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
 acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
-{% endfor %}
-{% endif %}
+{% endfor %}
 # Default Safe ports are now defined in config.xml
-# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
-{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
 # ACL - Safe_ports
-{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
+{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
 acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
-{% endfor %}
-{% endif %}
+{% endfor %}
 acl CONNECT method CONNECT
 # ICAP SETTINGS
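Review bot: The new Safe_ports default in the `@@ -362,10 +362,14 @@` hunk carries the entry `1025-65535:unregistered ports`, so out of the box the ACL admits every unprivileged destination port, and nothing visible in the model says so to the administrator. Since the same value is now also mandatory (the added `Y` flag; the element names are lost in this rendering), the field's help text or the changelog entry should state it, for example `Default includes 1025-65535; narrow the list if clients should only reach well-known web ports.` How the ACL is consumed by `http_access` rules is outside this hunk. It is also worth confirming what the 1.0.6 to 1.0.7 model bump does with an installation whose stored list is present but empty, since a default presumably only fills a missing node.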
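Review bot: With the `helpers.exists` guards removed, both loops in the squid.conf hunk call `.split(",")` on the stored value unconditionally, so the template now depends entirely on the model always supplying a non-empty list. If a configuration still holds an empty `sslPorts` or `safePorts` value (the deleted comment says defaults could be removed), the loop would presumably emit an `acl SSL_ports port` line with no port, and a missing node would likely fail rendering outright, leaving the proxy's port restrictions to however Squid handles a malformed ACL. Skipping blank elements keeps the generated lines well-formed, e.g. `{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") if element.strip() %}` and the same for `safePorts`; an all-empty list would still leave the ACL undefined, which is the case the model's required flag has to prevent. A one-line comment above each loop saying the value is guaranteed by the model default would replace the explanation this hunk deletes.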