diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in
index 4e555c3d9..57df44ff8 100644
--- a/op-mode-definitions/webproxy.xml.in
+++ b/op-mode-definitions/webproxy.xml.in
@@ -1,95 +1,106 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="monitor"> <children> <node name="log"> <children> <node name="webproxy"> <properties> <help>Monitor last lines of Webproxy log</help> </properties> <command>journalctl --no-hostname --boot --follow --unit squid.service</command> <children> <leafNode name="access-log"> <properties> <help>Monitor the last lines of the Webproxy access log</help> </properties> <command>if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command> </leafNode> <leafNode name="cache-log"> <properties> <help>Monitor the last lines of the Webproxy cache log</help> </properties> <command>if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command> </leafNode> </children> </node> </children> </node> </children> </node> <node name="restart"> <children> <node name="webproxy"> <properties> <help>Restart WebProxy service</help> </properties> <command>if cli-shell-api existsActive service webproxy; then sudo systemctl restart squid.service; else echo "Service WebProxy not configured"; fi</command> </node> </children> </node> <node name="show"> <children> <node name="webproxy"> <properties> <help>Show WebProxy information</help> </properties> <children> <!-- missing blacklist command --> <node name="blacklist"> <properties> <help>Show webproxy blacklist information</help> </properties> <children> <node name="categories"> <properties> <help>Show webproxy blacklist categories</help> </properties> <command>${vyos_completion_dir}/list_webproxy_category.sh</command> </node> </children> </node> <node name="log"> <properties> <help>Show contents of WebProxy access log</help> </properties> <command>if [ -e /var/log/squid/access.log ]; then sudo less $_vyatta_less_options --prompt="file %i of %m, page %dt of %D" -- `printf "%s\n" 
/var/log/squid/access.log* | sort -nr`; else echo "No WebProxy log"; fi</command> </node> <node name="update-log"> <properties> <help>Show update log for url-filter database</help> </properties> <command>if [ -e /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus ]; then cat /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus; else echo "Update log not found"; fi</command> </node> </children> </node> </children> </node> <node name="update"> <children> <node name="webproxy"> <properties> <help>Update WebProxy</help> </properties> <children> <node name="blacklists"> <properties> <help>Update the webproxy blacklist database</help> </properties> <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist</command>
+ <children>
+ <tagNode name="vrf">
+ <properties>
+ <help>Update webproxy blacklist database via specified VRF</help>
+ <completionHelp>
+ <path>vrf name</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" </command>
+ </tagNode>
+ </children> </node> </children> </node> </children> </node> </interfaceDefinition>
diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh
index 4fb9a54c6..05ea86f9e 100755
--- a/src/op_mode/webproxy_update_blacklist.sh
+++ b/src/op_mode/webproxy_update_blacklist.sh
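Review bot: The new `vrf` tagNode's command hard-codes `"${5}"` for the VRF name, which only holds while the command stays at `update webproxy blacklists vrf <name>`; a short comment beside it would save the next editor a count, e.g. `<!-- ${5} is the tag value: update(1) webproxy(2) blacklists(3) vrf(4) <name>(5) -->`. Keep in mind that `<completionHelp><path>vrf name</path>` only drives tab completion; whatever the operator types reaches the script as `${5}`, so the script side has to treat it as untrusted input (the quoting here is correct). There is also a stray trailing space before `</command>` in the new command line.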
@@ -1,131 +1,138 @@ #!/bin/sh # # Copyright (C) 2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. blacklist_url='ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz' data_dir="/opt/vyatta/etc/config/url-filtering" archive="${data_dir}/squidguard/archive" db_dir="${data_dir}/squidguard/db" conf_file="/etc/squidguard/squidGuard.conf" tmp_conf_file="/tmp/sg_update_db.conf" #$1-category #$2-type #$3-list create_sg_db () { FILE=$db_dir/$1/$2 if test -f "$FILE"; then rm -f ${tmp_conf_file} printf "dbhome $db_dir\ndest $1 {\n $3 $1/$2\n}\nacl {\n default {\n pass any\n }\n}" >> ${tmp_conf_file} /usr/bin/squidGuard -b -c ${tmp_conf_file} -C $FILE rm -f ${tmp_conf_file} fi } while [ $# -gt 0 ] do case $1 in --update-blacklist) update="yes" ;; --auto-update-blacklist) auto="yes" ;; + --vrf) + vrf="yes" + ;; (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;; (*) break;; esac shift done if [ ! -d ${db_dir} ]; then mkdir -p ${db_dir} getent passwd proxy 2> /dev/null if [ $? -ne 0 ]; then echo "proxy system user does not exist" exit 1 fi getent group proxy 2> /dev/null if [ $? 
-ne 0 ]; then echo "proxy system group does not exist" exit 1 fi chown proxy:proxy ${db_dir} fi free_space=$(expr $(df ${db_dir} | grep -v Filesystem | awk '{print $4}') \* 1024) mb_size="100" required_space=$(expr $mb_size \* 1024 \* 1024) # 100 MB if [ ${free_space} -le ${required_space} ]; then echo "Error: not enough disk space, required ${mb_size} MiB" exit 1 fi if [[ -n $update ]] && [[ $update -eq "yes" ]]; then tmp_blacklists='/tmp/blacklists.gz' - curl -o $tmp_blacklists $blacklist_url + if [[ -n $vrf ]] && [[ $vrf -eq "yes" ]]; then + sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url + else + curl -o $tmp_blacklists $blacklist_url + fi if [ $? -ne 0 ]; then echo "Unable to download [$blacklist_url]!" exit 1 fi echo "Uncompressing blacklist..." tar --directory /tmp -xf $tmp_blacklists if [ $? -ne 0 ]; then echo "Unable to uncompress [$blacklist_url]!" fi if [ ! -d ${archive} ]; then mkdir -p ${archive} fi rm -rf ${archive}/* count_before=$(find ${db_dir} -type f \( -name domains -o -name urls \) | xargs wc -l | tail -n 1 | awk '{print $1}') mv ${db_dir}/* ${archive} 2> /dev/null mv /tmp/blacklists/* ${db_dir} if [ $? 
-ne 0 ]; then echo "Unable to install [$blacklist_url]" exit 1 fi mv ${archive}/local-* ${db_dir} 2> /dev/null rm -rf /tmp/blacklists $tmp_blacklists 2> /dev/null count_after=$(find ${db_dir} -type f \( -name domains -o -name urls \) | xargs wc -l | tail -n 1 | awk '{print $1}') # fix permissions chown -R proxy:proxy ${db_dir} #create db category_list=(`find $db_dir -type d -exec basename {} \; `) for category in ${category_list[@]} do create_sg_db $category "domains" "domainlist" create_sg_db $category "urls" "urllist" create_sg_db $category "expressions" "expressionlist" done chown -R proxy:proxy ${db_dir} chmod 755 ${db_dir} logger --priority WARNING "webproxy blacklist entries updated (${count_before}/${count_after})" else echo "SquidGuard blacklist updater" echo "" echo "Usage:" echo "--update-blacklist Download latest version of the SquidGuard blacklist" echo "--auto-update-blacklist Automatically update" echo "" exit 1 fi
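Review bot: The new `--vrf` case sets `vrf="yes"` but never consumes the VRF name, so the download relies on `(*) break;;` leaving the name in `$1`, which is then passed unquoted to `sudo ip vrf exec $1 curl …`; an empty or multi-word value changes which command `ip vrf exec` runs, and `--vrf <name>` given before `--update-blacklist` ends option parsing so the update never happens. Take the name as the option's argument, reject a missing one, and quote it at the call site; the new `[[ $vrf -eq "yes" ]]` also applies the integer operator `-eq` to a string (it mirrors the existing `$update` check, but `-n "$vrf"` alone is enough once the variable holds the name). The usage block at the end of the hunk should list the new option too, e.g. `echo "--vrf <name>                 Download via the specified VRF"`.
```shell
    --vrf)
        # take the VRF name as this option's argument rather than relying on
        # whatever is left in $1 after the loop; refuse to continue without one
        if [ -z "$2" ]; then
            echo "$0: error - --vrf requires a VRF name" 1>&2; exit 1
        fi
        vrf="$2"
        shift
        ;;
# … unchanged: remaining option parsing, db_dir creation, disk-space check …
    if [ -n "$vrf" ]; then
        sudo ip vrf exec "$vrf" curl -o $tmp_blacklists $blacklist_url
    else
        curl -o $tmp_blacklists $blacklist_url
    fi
```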