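# ufdbGuard configuration rendered from an Ansible/Jinja2 template.
# Layout: global settings, source (client network) definitions, one category
# block per URL database, then the ACL mapping each source to what it may reach.

logdir "/var/log/ufdbguard/"
dbhome "/var/ufdbguard/blacklists"
# Every lookup is logged, not only blocked ones; the log is capped by
# max-logfile-size below.
logall on
squid-version "3.5"
squid-uses-active-bumping off

# Failure behaviour: lookups are answered "allow" while a database reload is
# running and "deny" after a fatal error.
# NOTE(review): "allow" during reload presumably means no category is enforced
# for that window - confirm this fail-open behaviour is acceptable.
url-lookup-result-during-database-reload allow
url-lookup-result-when-fatal-error deny

# squid_ufdb_deny_tunnels true -> queue-checks, otherwise log-only.
check-proxy-tunnels {{ squid_ufdb_deny_tunnels | ternary('queue-checks','log-only') }}
safe-search off
lookup-reverse-ip on
use-ipv6-on-wan off
upload-crash-reports off
max-logfile-size 200000000
youtube-edufilter off

# --- Sources: client networks, one "ipv4" line per entry of each list ---
source localhost {
  ipv4 127.0.0.1/32
}

source workstations {
{% for net in squid_workstations_ip %}
  ipv4 {{ net }}
{% endfor %}
}

source servers {
{% for net in squid_servers_ip %}
  ipv4 {{ net }}
{% endfor %}
}

source vip {
{% for net in squid_vip_ip %}
  ipv4 {{ net }}
{% endfor %}
}

source admins {
{% for net in squid_admins_ip %}
  ipv4 {{ net }}
{% endfor %}
}

source guests {
{% for net in squid_guests_ip %}
  ipv4 {{ net }}
{% endfor %}
}

# --- Categories: one block per entry in squid_ufdb_db.results ---
# The domainlist line is emitted only when the stat result says the file exists.
{% for category in squid_ufdb_db.results %}
category {{ category.item }} {
  redirect "302:{{ squid_ufdb_blocked_url }}"
{% if category.stat.exists %}
  domainlist {{ category.item }}/domains
{% endif %}
{% if category.item == 'security' %}
  cacerts "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
  # TODO: options to turn on/off
  # NOTE(review): the HTTPS checks below are mostly relaxed. With the two
  # enforce-* options off, HTTPS to bare IP addresses and to hosts without a
  # verifiable certificate is presumably not blocked; SSLv3 is still accepted
  # although SSLv2 is prohibited; and unknown protocols over HTTPS are allowed,
  # which limits what tunnel detection can stop. Confirm each value is a
  # deliberate compatibility choice before deploying.
  option enforce-https-with-hostname off
  option enforce-https-official-certificate off
  option https-prohibit-insecure-sslv2 on
  option https-prohibit-insecure-sslv3 off
  option allow-aim-over-https on
  option allow-gtalk-over-https on
  option allow-skype-over-https on
  option allow-yahoomsg-over-https on
  option allow-fb-chat-over-https on
  option allow-citrixonline-over-https on
  option allow-unknown-protocol-over-https on
{% endif %}
}
{% endfor %}

{# Deny clauses shared by the ACL rules below. Each configured category list is
   first intersected with the categories that are actually installed
   (squid_ufdb_categories.stdout_lines); an empty intersection yields an empty
   string, so no stray "!" is emitted. Computed once instead of repeating the
   same expression in every rule. #}
{% set dangerous_present = squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) %}
{% set guests_blocked_present = squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) %}
{% set blocked_present = squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) %}
{% set deny_dangerous = ('!' ~ (dangerous_present | unique | join(' !'))) if (dangerous_present | length > 0) else '' %}
{% set deny_guests = ('!' ~ (guests_blocked_present | join(' !'))) if (guests_blocked_present | length > 0) else '' %}
{% set deny_blocked = ('!' ~ (blocked_present | join(' !'))) if (blocked_present | length > 0) else '' %}

# --- ACL: what each source may reach ---
acl {
  # localhost and admins are unfiltered.
  localhost {
    pass any
  }

  admins {
    pass any
  }

  # NOTE(review): unlike servers, guests and workstations, vip has no
  # !local_blacklist term - confirm that exemption is intended.
  vip {
    pass local_whitelist {{ deny_dangerous }} any
  }

  servers {
    pass local_whitelist !local_blacklist {{ deny_dangerous }} any
  }

  guests {
    pass local_whitelist !local_blacklist {{ deny_dangerous }} {{ deny_guests }} any
  }

  workstations {
    pass local_whitelist !local_blacklist {{ deny_dangerous }} {{ deny_blocked }} any
  }

  # Any client that matches none of the sources above is denied and redirected.
  default {
    pass none
    redirect "302:{{ squid_ufdb_blocked_url }}"
  }
}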