add net-proxy/c-icap/c-icap, net-proxy/c-icap-modules and net-proxy/squid-opnsense-fetchacls

net-proxy/c-icap-modules/Manifest

@@ -0,0 +1,3 @@
+DIST C_ICAP_MODULES_0.5.7.tar.gz 94721 BLAKE2B bbb0a9af159ea49148fa42fc116420dea937ddf7945ad3c2d1a2623f9bbf255525e8b09ee91f16114a25a3481eace693e54119a6d5e77ee8ecb0a866b37bc8de SHA512 873c96b07b20b221a0a21d27829443aadfae8ab265602731f34bef24f4cf4ec4f5e821900ac2d5cd6ef1791bcf7a2ba1dc052500d4eff8ea50d860ce36ac16db
+EBUILD c-icap-modules-0.5.7.ebuild 1174 BLAKE2B 724877071c317997d5d6402e31fc1938d8ce961d70e1563155682045611c5eb7dddd2b6d77b45346937d6c1f675c90731075f17d88e1d04d38795db48e531e86 SHA512 b5ce10ce803ef78e73f55f8a1565d46e7035fb041b3dadfdeda02ba5cb74e3b0fb9b3f0da794d406f02af1c793e530b19f954209448d2b6c5298eea9e1cb9766
+MISC metadata.xml 553 BLAKE2B 594174429a36b8962e62b58e5671d96180c44cac534f1ffbd20ef4b030cebb01aa77271000a313a4516bdf44ce41b2cf606d5020ad86056f4f3dfdfa8ad72001 SHA512 8112a90215c9ad8a958b9f35a14db55a4a3c2e673625580b1adf57bae728b6415b7a9118eea446639b24d603393adbfef69229a56c1856e7c895c20d203df3d4

net-proxy/c-icap-modules/c-icap-modules-0.5.7.ebuild

@@ -0,0 +1,58 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools flag-o-matic
+
+MY_PN=C_ICAP_MODULES
+MY_P=${MY_PN}_${PV}
+
+DESCRIPTION="URL blocklist and virus scanner for the C-ICAP server"
+HOMEPAGE="http://c-icap.sourceforge.net/"
+SRC_URI="https://github.com/c-icap/c-icap-modules/archive/refs/tags/${MY_P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="amd64 arm x86"
+IUSE="berkdb clamav"
+
+DEPEND="berkdb? ( sys-libs/db:5.3 )
+	clamav? ( app-antivirus/clamav )
+	net-proxy/c-icap
+	sys-libs/glibc
+	sys-libs/zlib"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/c-icap-modules-${MY_P}"
+
+src_prepare() {
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# some void *** pointers get casted around and can be troublesome to
+	# fix properly.
+	append-flags -fno-strict-aliasing
+
+	econf --sysconfdir=/etc/c-icap \
+		--disable-dependency-tracking \
+		--disable-maintainer-mode \
+		--disable-static \
+		$(use_with berkdb bdb) \
+		$(use_with clamav)
+}
+
+src_compile() {
+	emake LOGDIR="/var/log"
+}
+
+src_install() {
+	dodir /etc/c-icap
+
+	emake 	LOGDIR="/var/log" \
+		DESTDIR="${D}" install
+
+	find "${ED}" -name '*.la' -delete || die
+}

net-proxy/c-icap-modules/metadata.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person">
+    <email>c@roessner.co</email>
+    <name>Christian Rößner</name>
+  </maintainer>
+  <maintainer type="project">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <longdescription>URL blocklist and virus scanner for the C-ICAP server</longdescription>
+    <upstream>
+      <remote-id type="sourceforge">c-icap</remote-id>
+    </upstream>
+</pkgmetadata>

net-proxy/c-icap/Manifest

@@ -0,0 +1,6 @@
+AUX c-icap.conf 359 BLAKE2B 028a2b8c7fb81005580085a7f3554e460c3f05950ca2696af234e035e9873aef12353450cd5a21fb2e8efeede43a0bced272e4515f4a5313f0088458b11bd4ec SHA512 2ccab04f6ddb1b76b41d9b26dfdcf3e43aa4acdaeeddc215f38e0f7f8b537687733c643d5cc2b0e06b95710a3cd76c8a67e33e8c8240b375d939fea649e86ba3
+AUX c-icap.init.3 693 BLAKE2B 09beb3ffad19455c0de6cd400f9078b147020477b468409273e5163b9ef1aaba75a0291536642053a6e1755f6bdf27266f6eeb2cd1bffa020e0f9bf594b9158d SHA512 9518ebdc57e69716717160fa11d2ade4648212ac4bbc65caeec0d0c7d2427cd0a8a70e1de36b6c81113c821ed9a11808f7d81595f8c1fc185013a1cd4ac93bdb
+AUX c-icap.logrotate 188 BLAKE2B abfc255d4b82a58ac7f94e76c1dcaa40fce2415ec5a0d760eba18f5843a1ffd0bdcfd3c238759032020249107a3a73b836db32052af44923ef855a69e46eaa51 SHA512 edc8dbbbaa06cf062b307e37ffee1dee9d566cc4b8a6947422125a22d956bcc639c483712ff6b6f6e9eb30852b4b0d5c293f1279463af89e8fc199828792a9e7
+DIST C_ICAP_0.6.3.tar.gz 372982 BLAKE2B 91227aaddef1f8773f814e306b2fb34de708f20f58c9a016d3e5a4a60b35268f39141c3120d9438d86253d2a1393d34f9e6f15a71c5329e01735f0945e056638 SHA512 e146ec083794731504c97d52e6a53ac34a78aa4f9f867de0eb2e4d17db404b49a5c4a33a3e81d3198fad557d9653b69195108573185ce0e3a5ce444a27baa894
+EBUILD c-icap-0.6.3.ebuild 2859 BLAKE2B c4c1a80a06a34f676a81891f28ad5ca5e4691b9dd724d400d95efb63ea221a7f34fb7f1cc9d7a689582609d163c2067e959ed26008f6cf082a6bd9c71983517b SHA512 e580a421d61be4616c4f1c8f0b86485f23fce8bcde9a3b466a6e37b61f3c20f50e4b2406b7697db5973e625de4b01586a3bdd3c079d91930686644080237893a
+MISC metadata.xml 456 BLAKE2B e79e4bf28d909f591b3aba186533e7c8598f0d65c5ffe7afb1bb3acf07ca22546ee34a1468758b2ee61d3c936899396db286a17fe68ad80e6118147f31f0035e SHA512 acbaab7eac55e821c7e97b16dcd9fc30acdbef887cce7df84ca07c52e34347a746e341384eaf1cddfa96a68cb66197cad837fdfcc81e9405ee29b13aafe5c519

net-proxy/c-icap/c-icap-0.6.3.ebuild

@@ -0,0 +1,113 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools flag-o-matic
+
+MY_PN=C_ICAP
+MY_P="${MY_PN}_${PV}"
+
+DESCRIPTION="C Implementation of an ICAP server"
+HOMEPAGE="http://c-icap.sourceforge.net/"
+SRC_URI="https://github.com/c-icap/c-icap-server/archive/refs/tags/${MY_P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="amd64 arm x86"
+IUSE="berkdb ipv6 ldap"
+
+RDEPEND="berkdb? ( sys-libs/db:5.3 )
+	ldap? ( net-nds/openldap )
+	sys-libs/zlib"
+
+DEPEND="${RDEPEND}"
+RDEPEND="${RDEPEND}"
+
+S="${WORKDIR}/c-icap-server-${MY_P}"
+
+src_prepare() {
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# some void *** pointers get casted around and can be troublesome to
+	# fix properly.
+	append-flags -fno-strict-aliasing
+
+	econf \
+		--sysconfdir=/etc/${PN} \
+		--disable-dependency-tracking \
+		--disable-maintainer-mode \
+		--disable-static \
+		--enable-large-files \
+		$(use_enable ipv6) \
+		$(use_with berkdb bdb) \
+		$(use_with ldap)
+}
+
+src_compile() {
+	emake LOGDIR="/var/log"
+}
+
+src_install() {
+	emake \
+		LOGDIR="/var/log" \
+		DESTDIR="${D}" install
+
+	find "${D}" -name '*.la' -delete || die
+
+	# Move the daemon out of the way
+	dodir /usr/libexec
+	mv "${D}"/usr/bin/c-icap "${D}"/usr/libexec || die
+
+	# Remove the default configuration files since we have etc-update to
+	# take care of it for us.
+	rm "${D}"/etc/${PN}/c-icap.*.default || die
+
+	# Fix the configuration file; for some reason it's a bit messy
+	# around.
+	sed -i \
+		-e 's:/usr/var/:/var/:g' \
+		-e 's:/var/log/:/var/log/c-icap/:g' \
+		-e 's:/usr/etc/:/etc/c-icap/:g' \
+		-e 's:/usr/local/c-icap/etc/:/etc/c-icap/:g' \
+		-e 's:/usr/lib/:/usr/'$(get_libdir)'/:g' \
+		"${D}"/etc/${PN}/c-icap.conf \
+		|| die
+
+	dodoc AUTHORS README TODO ChangeLog
+
+	newinitd "${FILESDIR}/${PN}.init.3" ${PN}
+	newconfd "${FILESDIR}/${PN}.conf" ${PN}
+	keepdir /var/log/c-icap
+
+	insopts -m0644
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+	# avoid triggering portage's symlink protection; this is handled by
+	# the init script anyway.
+	rm -rf "${D}"/var/run
+}
+
+pkg_postinst() {
+	elog "To enable Squid to call the ICAP modules from a local server you should set"
+	elog "the following in your squid.conf:"
+	elog ""
+	elog "    icap_enable on"
+	elog ""
+	elog "    # not strictly needed, but some modules might make use of these"
+	elog "    icap_send_client_ip on"
+	elog "    icap_send_client_username on"
+	elog ""
+	elog "    icap_service service_req reqmod_precache bypass=1 icap://localhost:1344/service"
+	elog "    adaptation_access service_req allow all"
+	elog ""
+	elog "    icap_service service_resp respmod_precache bypass=0 icap://localhost:1344/service"
+	elog "    adaptation_access service_resp allow all"
+	elog ""
+	elog "You obviously will have to replace \"service\" with the actual ICAP service to"
+	elog "use."
+}

net-proxy/c-icap/files/c-icap.conf

@@ -0,0 +1,11 @@
+# Use this to change the configuration file to use for c-icap.
+configfile=/etc/c-icap/c-icap.conf
+
+# Use this to set any extra option for the daemon. Do not use the -f
+# option here.
+EXTRA_OPTS=""
+
+# If you enabled LDAP support, and you'd like to access tables stored
+# in the local LDAP instance, you want to uncomment the following
+# line.
+#rc_need="slapd"

net-proxy/c-icap/files/c-icap.init.3

@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+: ${configfile:=/etc/c-icap/c-icap.conf}
+
+get_config() {
+    local value=$(awk '$1 == "'$1'" { print $2 }' ${configfile})
+    echo ${value:-$2}
+}
+
+command="/usr/libexec/c-icap"
+command_arguments="${EXTRA_OPTS} -f ${configfile}"
+pidfile=$(get_config PidFile /var/run/c-icap/c-icap.pid)
+
+depend() {
+	need localmount
+	config ${configfile}
+	[ "$(get_config Logger file_logger)" = "sys_logger" ] && use logger
+}
+
+start_pre() {
+	local cmdsocket=$(get_config CommandsSocket /var/run/c-icap/c-icap.ctl)
+
+	checkpath -d "$(dirname "${cmdsocket}")" "$(dirname "${pidfile}")"
+}

net-proxy/c-icap/files/c-icap.logrotate

@@ -0,0 +1,13 @@
+/var/log/c-icap/access.log {
+	missingok
+	postrotate
+		/etc/init.d/c-icap restart
+	endscript
+}
+
+/var/log/cicap-server.log {
+	missingok
+	postrotate
+		/etc/init.d/c-icap restart
+	endscript
+}

net-proxy/c-icap/metadata.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person">
+    <email>c@roessner.co</email>
+    <name>Christian Rößner</name>
+  </maintainer>
+  <maintainer type="project">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="sourceforge">c-icap</remote-id>
+  </upstream>
+</pkgmetadata>

net-proxy/squid-opnsense-fetchacls/Manifest

@@ -0,0 +1,8 @@
+AUX externalACLs.conf 167 BLAKE2B 53e5447dc37ab8b37b24e5089dbb39193ccb68334ac24835066c26279120ff9c56db135024c44e5460cd35f1e81db7c0862415b8c36e61398e2ce379fe278480 SHA512 8ee725709e497ff4f6651718e5d955268a50f98b992f04db2021f48029d41946503e7d1adc4e7e4cb543405105490523f6ab3bcffd9c700ffe3a96025a7af7dd
+AUX fetchACLs.service 153 BLAKE2B cff1dff12195aa0ae2b9681278c5a71f851654395cfef46ca5830a719a0417ce0dda52479a08b6a151c6aa51bbfc0edd580cbcdc649ca0e6ad167b4585747df4 SHA512 95e5762e65af8c057e1927808e79f22edd7e1608509fd50201468a38cbd0efd676e30d2089321d7615f5a590aae0cd3c15f4fb1165122061c4d538176e3072dd
+AUX fetchACLs.timer 210 BLAKE2B a1906ec839d41d858d64b17ef05c52581d3bf8e4d1c7b228b3c902bd52b669da6c3d28afdfbcd073cc379b83dcb9b279e787ddc99e070c2743804bb9b37dadf6 SHA512 7ea76d32892c85dffcb156f2ba04a83b9f2c7683729ba9884badbeec9d7b977f9eb759cbf6835768b23826ae09602d24b2d43443ad461c85c8f5d5b804e284c0
+AUX squid.conf.NoBumping 3864 BLAKE2B f4579d23289288b29381597fae87eacd0879bb8ef9ac2e856ff5a2e0128da15d4839195b6533a1f36fffb8da1c528fddcc6ce5896cf1597fbb1edeb6917fd921 SHA512 7bb25ab02652ce9ba19ba99d2d7b2c39e54e92a044dd24fb7f1d1bdce806005d57fc5e6fe5efa8669bf7f0ce1007514c88af5ee51bc5ce4282cddaf4ca037e8c
+AUX squid.conf.SSLBump 4261 BLAKE2B 4e75f2d997f49d2e67ad1b6d0c9de12087bcba01b1a7504f63ed8862b3774855a060a01ef23e87bb0581c092e09e3d4f6a58cbd14b4b60092d94dad19676a341 SHA512 6d0aacc392dc581addd35052d16daa215ededb2421b4873695aad1f291fa44b8397b899dd478e5e374b1c20fdd3998ee313c65c1797eaa60a4d9b4ab5f20415c
+AUX squid.conf.Transparent 3645 BLAKE2B 3485c37e8cd4ff4b3cc55a8d188877cafea5ed178f7a5e7cb488d98849ec67f9b58b49100a13eae2294136dddc219f93e32d3a69209abeeb0292149d2df46c80 SHA512 e60b502b6e1e49ae77d9ef9d1c5b979cc7c708d6517261be984acbf9c4a63465346b813b3cb87224f9764c1d478b5433e900dbbdf1323241710e2de5b28f0865
+DIST squid-opnsense-fetchacls-24.7.12.py 16231 BLAKE2B 391fa8a5808b2fd3100a8ba52d1a70105819329ee6bc7ee31dcc9717934d7ac0fea64bed73b0288931fc26697dd3b5c95275ea83e21863c898a090a824129d15 SHA512 104ee310add5f61e58afe5324db7677d113e25e6d20b6d1a5c0f185c1b358ce6a805346a6f8080c028ae2671a83a4e35a0f9f2dcd00bfb4c3b9ea0813489544e
+EBUILD squid-opnsense-fetchacls-24.7.12.ebuild 1131 BLAKE2B 6816347d7936e51dece3a019efd785d6fd2c07dd681216e7f5899ef0d898b9f8677895e54ae1df095a1b8548392b7e11cb5159f6545b1ea4c8174b1b29531581 SHA512 30873af4e5f345ab606722e6e8959f2862770f8a59e84aac3055a4f0ea4e729421f535754d1c4285e6b8eaf30aa2c7c6638b7ec4349c372e6b16a279ffb6d1ce

net-proxy/squid-opnsense-fetchacls/files/externalACLs.conf

@@ -0,0 +1,4 @@
+[URL]
+enabled = 1
+url = ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
+filter = adult,dangerous_material,doh,malware,shortener,gambling

net-proxy/squid-opnsense-fetchacls/files/fetchACLs.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=fetch url list and build squid acl
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/fetchACLs.py

net-proxy/squid-opnsense-fetchacls/files/fetchACLs.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=fetch url list and build squid acl
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 03:19:00
+Unit=fetchACLs.service
+ 
+[Install]
+WantedBy=timers.target

net-proxy/squid-opnsense-fetchacls/files/squid.conf.NoBumping

@@ -0,0 +1,106 @@
+# Example expliciet proxy with url filter, without ssl bump
+
+# Setup regular listeners configuration
+http_port 3128 cert=/etc/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
+
+sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB
+sslcrtd_children 5
+
+tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+
+sslproxy_cert_error deny all
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
+
+# ACL - Allow localhost for PURGE cache if enabled
+acl PURGE method PURGE
+http_access allow localhost PURGE
+http_access deny PURGE
+
+# ACL lists
+# ACL - Remote fetched Blacklist (remoteblacklist)
+acl remoteblacklist_ut1 dstdomain "/var/lib/squid/acl/URL"
+
+# ACL - SSL ports, default are configured in config.xml
+acl SSL_ports port 443 # https
+acl SSL_ports port 8443 # special https
+
+# Default Safe ports are now defined in config.xml
+# ACL - Safe_ports
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# ACL list (Deny) remoteblacklist_ut1
+adaptation_access response_mod deny remoteblacklist_ut1
+adaptation_access request_mod deny remoteblacklist_ut1
+http_access deny remoteblacklist_ut1
+
+# Deny requests to certain unsafe ports
+adaptation_access response_mod deny !Safe_ports 
+adaptation_access request_mod deny !Safe_ports 
+http_access deny !Safe_ports 
+# Deny CONNECT to other than secure SSL ports
+adaptation_access response_mod deny CONNECT !SSL_ports 
+adaptation_access request_mod deny CONNECT !SSL_ports 
+http_access deny CONNECT !SSL_ports 
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+adaptation_access response_mod deny to_localhost
+adaptation_access request_mod deny to_localhost
+http_access deny to_localhost
+
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+adaptation_access response_mod allow localnet
+adaptation_access request_mod allow localnet
+http_access allow localnet
+
+# ACL - localhost
+adaptation_access response_mod allow localhost
+adaptation_access request_mod allow localhost
+http_access allow localhost
+
+# Deny all other access to this proxy
+adaptation_access response_mod deny all
+adaptation_access request_mod deny all
+http_access deny all
+
+# Caching settings
+cache_mem 512 MB
+cache_dir ufs /var/cache/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320

net-proxy/squid-opnsense-fetchacls/files/squid.conf.SSLBump

@@ -0,0 +1,119 @@
+# Example expliciet proxy with url filter, with ssl bump
+
+# Setup regular listeners configuration
+http_port 3128 ssl-bump cert=/etc/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
+
+# setup ssl re-cert
+sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 10MB
+sslcrtd_children 5
+
+tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+
+# setup ssl bump acl's
+acl bump_step1 at_step SslBump1
+acl bump_step2 at_step SslBump2
+acl bump_step3 at_step SslBump3
+acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
+
+# configure bump
+ssl_bump peek bump_step1 all
+ssl_bump peek bump_step2 bump_nobumpsites
+ssl_bump splice bump_step3 bump_nobumpsites
+ssl_bump stare bump_step2
+ssl_bump bump bump_step3
+
+sslproxy_cert_error deny all
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
+
+# ACL - Allow localhost for PURGE cache if enabled
+acl PURGE method PURGE
+http_access allow localhost PURGE
+http_access deny PURGE
+
+# ACL - Remote fetched Blacklist (remoteblacklist)
+acl remoteblacklist_ut1 dstdomain "/var/lib/squid/acl/URL"
+
+# ACL - SSL ports, default are configured in config.xml
+acl SSL_ports port 443 # https
+acl SSL_ports port 8443 # special https
+
+# Default Safe ports are now defined in config.xml
+# ACL - Safe_ports
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# ACL list (Deny) remoteblacklist_ut1
+adaptation_access response_mod deny remoteblacklist_ut1
+adaptation_access request_mod deny remoteblacklist_ut1
+http_access deny remoteblacklist_ut1
+
+# Deny requests to certain unsafe ports
+adaptation_access response_mod deny !Safe_ports 
+adaptation_access request_mod deny !Safe_ports 
+http_access deny !Safe_ports 
+# Deny CONNECT to other than secure SSL ports
+adaptation_access response_mod deny CONNECT !SSL_ports 
+adaptation_access request_mod deny CONNECT !SSL_ports 
+http_access deny CONNECT !SSL_ports 
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+adaptation_access response_mod deny to_localhost
+adaptation_access request_mod deny to_localhost
+http_access deny to_localhost
+
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+adaptation_access response_mod allow localnet
+adaptation_access request_mod allow localnet
+http_access allow localnet
+
+# ACL - localhost
+adaptation_access response_mod allow localhost
+adaptation_access request_mod allow localhost
+http_access allow localhost
+
+# Deny all other access to this proxy
+adaptation_access response_mod deny all
+adaptation_access request_mod deny all
+http_access deny all
+
+# Caching settings
+cache_mem 512 MB
+cache_dir ufs /var/cache/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320

net-proxy/squid-opnsense-fetchacls/files/squid.conf.Transparent

@@ -0,0 +1,102 @@
+# Example transparent proxy with url filter
+
+# Setup transparent mode listeners on loopback interfaces
+http_port 127.0.0.1:3128 intercept 
+http_port [::1]:3128 intercept 
+
+# Setup regular listeners configuration
+##http_port <ip address>:3128  
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
+
+# ACL - Allow localhost for PURGE cache if enabled
+acl PURGE method PURGE
+http_access allow localhost PURGE
+http_access deny PURGE
+
+# ACL - Remote fetched Blacklist (remoteblacklist)
+acl remoteblacklist_ut1 dstdomain "/usr/local/etc/squid/acl/URL"
+
+# ACL - SSL ports, default are configured in config.xml
+acl SSL_ports port 443 # https
+acl SSL_ports port 8443 # special https
+
+# Default Safe ports are now defined in config.xml
+# ACL - Safe_ports
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# ACL list (Deny) remoteblacklist_ut1
+adaptation_access response_mod deny remoteblacklist_ut1
+adaptation_access request_mod deny remoteblacklist_ut1
+http_access deny remoteblacklist_ut1
+
+# Deny requests to certain unsafe ports
+adaptation_access response_mod deny !Safe_ports 
+adaptation_access request_mod deny !Safe_ports 
+http_access deny !Safe_ports 
+# Deny CONNECT to other than secure SSL ports
+adaptation_access response_mod deny CONNECT !SSL_ports 
+adaptation_access request_mod deny CONNECT !SSL_ports 
+http_access deny CONNECT !SSL_ports 
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+adaptation_access response_mod deny to_localhost
+adaptation_access request_mod deny to_localhost
+http_access deny to_localhost
+
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+adaptation_access response_mod allow localnet
+adaptation_access request_mod allow localnet
+http_access allow localnet
+
+# ACL - localhost
+adaptation_access response_mod allow localhost
+adaptation_access request_mod allow localhost
+http_access allow localhost
+
+# Deny all other access to this proxy
+adaptation_access response_mod deny all
+adaptation_access request_mod deny all
+http_access deny all
+
+# Caching settings
+cache_mem 512 MB
+cache_dir ufs /var/cache/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320

net-proxy/squid-opnsense-fetchacls/squid-opnsense-fetchacls-24.7.12.ebuild

@@ -0,0 +1,47 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..12} )
+
+inherit python-r1 systemd
+
+DESCRIPTION="fetch url list and build squid acl"
+HOMEPAGE="https://opnsense.org/"
+SRC_URI="https://raw.githubusercontent.com/opnsense/plugins/refs/tags/${PV}/www/squid/src/opnsense/scripts/proxy/fetchACLs.py -> ${P}.py"
+S=${WORKDIR}
+
+LICENSE="BSD-2"
+SLOT="0"
+KEYWORDS="amd64"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="net-proxy/squid
+	${PYTHON_DEPS}
+	dev-python/requests[${PYTHON_USEDEP}]
+	dev-python/urllib3[${PYTHON_USEDEP}]"
+
+src_unpack() {
+	cp ${DISTDIR}/${P}.py ${WORKDIR}/
+}
+
+src_prepare() {
+	sed -i \
+		-e 's|/usr/local/etc/squid/externalACLs.conf|/etc/squid/externalACLs.conf|' \
+		-e 's|/usr/local/etc/squid/acl|/var/lib/squid/acl|' \
+		${P}.py || die
+
+	eapply_user
+}
+
+
+src_install() {
+	newbin ${P}.py fetchACLs.py
+	python_replicate_script "${D}"/usr/bin/fetchACLs.py
+	systemd_dounit "${FILESDIR}"/fetchACLs.{service,timer}
+	insinto /etc/squid
+	doins "${FILESDIR}"/externalACLs.conf "${FILESDIR}"/squid.conf.*
+	keepdir /var/lib/squid/acl
+}