Commit 4489dc6e authored by Klas Arvidsson's avatar Klas Arvidsson
Reworked squid-url-rewrite and added config

parent 1e3c9d5b
1 merge request!63Reworked squid-url-rewrite and added config
...@@ -17,6 +17,8 @@ filterlog = "/var/log/squid/filter.log" ...@@ -17,6 +17,8 @@ filterlog = "/var/log/squid/filter.log"
basedir = "/usr/libexec/squid/helpers" basedir = "/usr/libexec/squid/helpers"
hostname = socket.gethostname() hostname = socket.gethostname()
log = open(filterlog, 'a')
def block_response(url): def block_response(url):
quoted_url = urllib.parse.quote(url) quoted_url = urllib.parse.quote(url)
if re.match('.*\.s?html([#?].*)?', url) or re.match('.*/[^./]*', url): if re.match('.*\.s?html([#?].*)?', url) or re.match('.*/[^./]*', url):
...@@ -36,7 +38,7 @@ def modify_url(line, ruleset): ...@@ -36,7 +38,7 @@ def modify_url(line, ruleset):
### [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL> ### [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
list = line.split(' ') list = line.split(' ')
if list[0].isdigit(): if list[0].isdigit() and len(list) > 1:
url = list[1] url = list[1]
else: else:
url = list[0] url = list[0]
...@@ -73,63 +75,67 @@ def load_rules(ruleset, filename): ...@@ -73,63 +75,67 @@ def load_rules(ruleset, filename):
columns = line.strip().split() columns = line.strip().split()
ruleset.append( [ re.compile(columns[0]), columns[1].lower() == 'true' ] ) ruleset.append( [ re.compile(columns[0]), columns[1].lower() == 'true' ] )
def deny_all_ruleset():
def main():
ruleset = list() ruleset = list()
ruleset.append( [re.compile(emptyrex), True] )
ruleset.append( [re.compile(errorrex), True] )
ruleset.append( [re.compile("^.*"), False] )
return ruleset
block_all = basedir + "/../BLOCK_ALL" def load_ruleset():
if os.path.isfile(block_all):
ruleset.append( [re.compile(emptyrex), True] )
ruleset.append( [re.compile(errorrex), True] )
ruleset.append( [re.compile("^.*"), False] )
# Load all rules to a temporary ruleset and then add it to the rules
# Failure to load rules will then lead to complete denial of service and be noticed
tmpruleset = list()
try: try:
block_all = basedir + "/../BLOCK_ALL"
if os.path.isfile(block_all):
return deny_all_ruleset()
ruleset = list()
devel_rules = basedir + "/../devel.rules" devel_rules = basedir + "/../devel.rules"
if os.path.isfile(devel_rules): if os.path.isfile(devel_rules):
load_rules(tmpruleset, devel_rules) load_rules(ruleset, devel_rules)
# load opendsa first to let it override default rules # load opendsa first to let it override default rules
load_rules(tmpruleset, basedir + "/rules.d/opendsa.rules") load_rules(ruleset, basedir + "/rules.d/opendsa.rules")
load_rules(tmpruleset, basedir + "/rules.d/default.rules") load_rules(ruleset, basedir + "/rules.d/default.rules")
load_rules(tmpruleset, basedir + "/rules.d/rstudio.rules") load_rules(ruleset, basedir + "/rules.d/rstudio.rules")
load_rules(tmpruleset, basedir + "/rules.d/cplusplus.rules") load_rules(ruleset, basedir + "/rules.d/cplusplus.rules")
load_rules(tmpruleset, basedir + "/rules.d/python.rules") load_rules(ruleset, basedir + "/rules.d/python.rules")
load_rules(tmpruleset, basedir + "/rules.d/java.rules") load_rules(ruleset, basedir + "/rules.d/java.rules")
load_rules(tmpruleset, basedir + "/rules.d/ruby.rules") load_rules(ruleset, basedir + "/rules.d/ruby.rules")
load_rules(tmpruleset, basedir + "/rules.d/sas.rules") load_rules(ruleset, basedir + "/rules.d/sas.rules")
load_rules(tmpruleset, basedir + "/rules.d/translate.rules") load_rules(ruleset, basedir + "/rules.d/translate.rules")
load_rules(tmpruleset, basedir + "/rules.d/office.forms.rules") load_rules(ruleset, basedir + "/rules.d/office.forms.rules")
ruleset.extend(tmpruleset) return ruleset
except Exception as e: except Exception as e:
sys.stderr.write( str( e ) ) log.write( "load_ruleset: Error: {}\n".format(str(e)) )
sys.stderr.flush() log.flush()
with open(filterlog, 'a') as log: return deny_all_ruleset()
while True:
try:
line = sys.stdin.readline().strip()
log.write('{}: {}\n'.format(datetime.datetime.now().strftime("%Y-%m-%d_%H-%M"), line)) def main(debug=False):
try:
ruleset = load_ruleset()
while True:
line = sys.stdin.readline().strip()
new_url = modify_url(line, ruleset)
if ( debug ):
time = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
msg = '{}: {}\n'.format(time, line)
msg += 'From: {}\n'.format(line)
msg += 'To: {}\n'.format(new_url)
log.write(msg)
log.flush() log.flush()
log.write("From: " + line + "\n") sys.stdout.write(new_url + '\n')
log.flush() sys.stdout.flush()
new_url = modify_url(line, ruleset) except Exception as e:
log.write( "url_rewrite: Error: {}\n".format(str(e)) )
log.write("To: " + new_url + "\n") log.flush()
log.flush()
sys.stdout.write(new_url + '\n') main(True)
sys.stdout.flush()
except Exception as e:
sys.stderr.write( str( e ) )
sys.stderr.flush()
main() log.close()
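Review bot: In the new `main` the `try` wraps the whole `while True` loop, so one line that makes `modify_url` or the stdout write raise ends the helper without answering squid, whereas the old version logged and kept serving; combined with the `on-persistent-overload=die` child pool added in the same commit, a URL that reliably trips that path becomes a denial of service for the proxy rather than for one request. The loop also never detects EOF: once squid closes the pipe `sys.stdin.readline()` returns `''`, `strip()` hides that, and the helper spins writing `'\n'` until the broken stdout pipe finally raises. I would read the raw line first, break on EOF, and move the try around the per-request work, falling back to the deny-all ruleset before writing the answer, which is the same fail-closed choice `load_ruleset` already makes. Whether `modify_url` can actually raise on helper input is not visible in this hunk, since `block_response` and the rule matching are cut off above.
```python
def main(debug=False):
    ruleset = load_ruleset()
    while True:
        raw = sys.stdin.readline()
        if not raw:  # EOF: squid closed the pipe, exit instead of busy-looping
            break
        line = raw.strip()
        try:
            new_url = modify_url(line, ruleset)
        except Exception as e:
            log.write("url_rewrite: Error: {}\n".format(str(e)))
            log.flush()
            # fail closed, as load_ruleset does: answer with the deny-all result
            new_url = modify_url(line, deny_all_ruleset())
        # … unchanged: debug logging of line / new_url …
        sys.stdout.write(new_url + '\n')
        sys.stdout.flush()
```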
...@@ -70,6 +70,7 @@ http_access deny to_localhost ...@@ -70,6 +70,7 @@ http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# #
url_rewrite_program /usr/libexec/squid/helpers/squid-url-rewrite.py url_rewrite_program /usr/libexec/squid/helpers/squid-url-rewrite.py
url_rewrite_children 20 startup=0 idle=1 concurrency=0 on-persistent-overload=die
logfile_rotate 6 logfile_rotate 6
#auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth #auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
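Review bot: The added `url_rewrite_children` line should say why `on-persistent-overload=die` was chosen, because it is the value that takes the whole proxy down when all 20 helpers stay saturated, and the next reader will be tempted to change it to `ERR`. As far as the squid documentation goes, `ERR` makes squid behave as if the rewriter had answered ERR, i.e. the request is forwarded unrewritten, which for a filtering rewriter is fail-open; `die` is the fail-closed option, and `url_rewrite_bypass` must stay at its default of off for the same reason. I would put above the line: `# on-persistent-overload=die is deliberate: ERR would forward overloaded requests unfiltered. Keep url_rewrite_bypass off.` If `startup=0` was intentional (first requests after a restart wait for helper spawn), a word on that would help too.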