squidguard/config/e2guardian/common.story

# Storyboard library file

# For ease of upgrade DO NOT CHANGE THIS library file 
# Make your function changes by overriding functions
# in the site.story file - for site wide changes
# and in filtergroup specific story file - see examplef1.story
#
# This library is built to largely duplicate the logic in V4
# 
# Many e2guardian[f1].conf flags are replaced by overiding
# library functions - see site.story and examplef1.story
#
# Simple functions are defined which control the logic flow and the
# lists that are used.  See notes/Storyboard for details.
#
# The entry point in v5 for standard filtering is 'checkrequest'
#
# Entry function called by proxy module to check http request
function(checkrequest)
if(viruscheckset) checknoscanlists
if(bypassallowset) checknobypasslists
if(exceptionset) return true
if(fullurlin,searchterms) setsearchterm
ifnot(greyset) returnif localcheckrequest
if(connect) return sslrequestcheck
ifnot(greyset) returnif exceptioncheck
ifnot(greyset) greycheck
ifnot(greyset) returnif bannedcheck
if(fullurlin, change) setmodurl
if(true) returnif embeddedcheck
if(headerin,headermods) setmodheader
if(fullurlin, addheader) setaddheader
if(searchin,override) return setgrey
if(searchin,banned) return setblock
if(fullurlin,redirect) return setredirect
if(true) setgrey


# Entry function called by proxy module to check http response
function(checkresponse)
if(exceptionset) return false
if(viruscheckset) checknoscantypes
if(urlin,exceptionfile) return false
if(true) return checkfiletype

# Entry function called by THTTPS module to check https request
function(thttps-checkrequest)
if(true) returnif localsslrequestcheck
if(true) returnif sslrequestcheck
ifnot(hassniset) checksni

# Entry function called by ICAP module to check reqmod
function(icap-checkrequest)
#unless blocked or redirect or connect - leave logging for RESPMOD
if(connect) return icapsslrequestcheck
ifnot(greyset) icap-checkrequest2
if(redirectset) return true
ifnot(blockset) setnolog

function(icap-checkrequest2)
if(viruscheckset) checknoscanlists
if(bypassallowset) checknobypasslists
if(exceptionset) return true
if(fullurlin,searchterms) setsearchterm
ifnot(greyset) returnif localcheckrequest
ifnot(greyset) returnif exceptioncheck
ifnot(greyset) greycheck
ifnot(greyset) returnif bannedcheck
if(fullurlin, change) setmodurl
if(true) returnif embeddedcheck
if(headerin,headermods) setmodheader
if(fullurlin, addheader) setaddheader
if(searchin,override) return setgrey
if(searchin,banned) return setblock
if(true) setgrey

# Entry function called by ICAP module to check respmod
function(icap-checkresponse)
if(viruscheckset) checknoscanlists
if(true) return checkresponse

# Checks embeded urls
#  returns true if blocked, otherwise false
function(embeddedcheck)
if(embeddedin, localexception) return false
if(embeddedin, localgrey) return false
if(embeddedin, localbanned) return setblock
if(embeddedin, exception) return false
if(embeddedin, grey) return false
if(embeddedin, banned) return setblock

# Local checks
#  returns true if matches local exception or banned
function(localcheckrequest)
if(connect) return localsslrequestcheck
ifnot(greyset) returnif localexceptioncheck
ifnot(greyset) localgreycheck
ifnot(greyset) returnif localbannedcheck
if(searchin,localbanned) return setblock


# Local SSL checks
#  returns true if matches local exception 
function(localsslrequestcheck)
if(sitein, localexception) return setexception
if(sitein, localgreyssl) returnif sslcheckmitm
if(sitein, localbanned) true
ifnot(returnset) return false
if(true) returnif sslcheckmitm
if(true) return setblock

# SSL site replace (used instead of dns kulge)
#  returns true on match and successful replacement
function(sslreplace)
if(fullurlin,sslreplace) return setconnectsite
if(true) return false

# Local grey check
#  returns true on match
function(localgreycheck)
if(urlin, localgrey) return setgrey

# Local banned check
#  returns true on match
function(localbannedcheck)
if(urlin, localbanned) return setblock

# Local exception check
#  returns true on match
function(localexceptioncheck)
if(urlin, localexception) return setexception

# Exception check
#  returns true on match
function(exceptioncheck)
if(urlin, exception) return setexception
if(headerin, exceptionheader) return setexception
if(useragentin, exceptionuseragent) return setexception

# SSL Exception check
#  returns true on match
function(sslexceptioncheck)
if(sitein, exception) return setexception
if(headerin, exceptionheader) return setexception
if(useragentin, exceptionuseragent) return setexception
if(true) return false

# Greylist check
#  returns true on match
function(greycheck)
if(urlin, grey) return setgrey

# Banned list check
#  returns true on match
function(bannedcheck)
if(true) returnif checkblanketblock
if(urlin, banned) return setblock
if(urlin,bannedextension) return setblock
if(useragentin, banneduseragent) return setblock
if(headerin, bannedheader) return setblock

# Local SSL list(s) check
#  returns true on match
function(localsslcheckrequest)
if(sitein, localexception) return setexception
#if(sitein, localbanned) return setblock

# Check whether to go MITM
#  returns true if yes, false if no
function(sslcheckmitm)
# use next line to have general MITM
if(true) return sslcheckmitmgeneral
# use next line instead of last to limit MITM to greylist
#if(true) return sslcheckmitmgreyonly

# Always go MITM
#  returns true if yes, false if no
function(sslcheckmitmgeneral)
if(true) setgomitm
ifnot(returnset) return false
if(sitein, nocheckcert) setnocheckcert
if(true) sslreplace
if(true) return true

# Only go MITM when in greyssl list
#  returns true if yes, false if no
function(sslcheckmitmgreyonly)
if(sitein, greyssl) setgomitm
ifnot(returnset) return false
if(sitein, nocheckcert) setnocheckcert
if(true) sslreplace
if(true) return true

# SSL request check
#  returns true if exception or gomitm
function(sslrequestcheck)
if(true) returnif sslexceptioncheck
if(true) returnif sslcheckmitm
if(sitein, banned) return setblock
if(true) sslreplace
ifnot(returnset) returnif sslcheckblanketblock
if(true) setgrey

function(checknoscanlists)
if(urlin,exceptionvirus) unsetviruscheck

function(checknoscantypes)
if(mimein,exceptionvirus) return unsetviruscheck
if(extensionin,exceptionvirus) return unsetviruscheck

function(checknobypasslists)
if(urlin,bannedbypass) return unsetbypassallow

# ICAP SSL request check
#  returns true if exception 
function(icapsslrequestcheck)
if(true) returnif icapsquidbump
if(true) returnif sslexceptioncheck
if(true) sslreplace
if(sitein, banned) return setblock

# Blanket block
#  returns true if to block
#  Placeholder function - overide in fn.story
function(checkblanketblock)

# SSL Blanket block
#  returns true if to block
#  Placeholder function - overide in fn.story
function(sslcheckblanketblock)

# ICAP Squid bump
#  override in site.story to return true if bump is being deployed on squid
function(icapsquidbump)

# File type blocking
#  returns true if blocking
# Default uses banned lists and allows all others
# Overide in site.story or fn.story if only types in exception file type lists 
# are to be allowed
function(checkfiletype)
if(mimein, bannedmime) return setblock
if(extensionin, bannedextension) return setblock

# SNI checking - determines default action when no SNI or TSL is present on a 
#    THTTPS connection
# Default blocks all requests with TLS or SNI absent that are not ip site exceptions
function(checksni)
ifnot(tls,,511) return setblock
ifnot(hassniset,,512) return setblock
🦈🏠🐜❗ Initial Commit ❗🐜🦈🏠 2022-02-15 09:55:45 -05:00			`# Storyboard library file`

			`# For ease of upgrade DO NOT CHANGE THIS library file`
			`# Make your function changes by overriding functions`
			`# in the site.story file - for site wide changes`
			`# and in filtergroup specific story file - see examplef1.story`
			`#`
			`# This library is built to largely duplicate the logic in V4`
			`#`
			`# Many e2guardian[f1].conf flags are replaced by overiding`
			`# library functions - see site.story and examplef1.story`
			`#`
			`# Simple functions are defined which control the logic flow and the`
			`# lists that are used. See notes/Storyboard for details.`
			`#`
			`# The entry point in v5 for standard filtering is 'checkrequest'`
			`#`
			`# Entry function called by proxy module to check http request`
			`function(checkrequest)`
			`if(viruscheckset) checknoscanlists`
			`if(bypassallowset) checknobypasslists`
			`if(exceptionset) return true`
			`if(fullurlin,searchterms) setsearchterm`
			`ifnot(greyset) returnif localcheckrequest`
			`if(connect) return sslrequestcheck`
			`ifnot(greyset) returnif exceptioncheck`
			`ifnot(greyset) greycheck`
			`ifnot(greyset) returnif bannedcheck`
			`if(fullurlin, change) setmodurl`
			`if(true) returnif embeddedcheck`
			`if(headerin,headermods) setmodheader`
			`if(fullurlin, addheader) setaddheader`
			`if(searchin,override) return setgrey`
			`if(searchin,banned) return setblock`
			`if(fullurlin,redirect) return setredirect`
			`if(true) setgrey`


			`# Entry function called by proxy module to check http response`
			`function(checkresponse)`
			`if(exceptionset) return false`
			`if(viruscheckset) checknoscantypes`
			`if(urlin,exceptionfile) return false`
			`if(true) return checkfiletype`

			`# Entry function called by THTTPS module to check https request`
			`function(thttps-checkrequest)`
			`if(true) returnif localsslrequestcheck`
			`if(true) returnif sslrequestcheck`
			`ifnot(hassniset) checksni`

			`# Entry function called by ICAP module to check reqmod`
			`function(icap-checkrequest)`
			`#unless blocked or redirect or connect - leave logging for RESPMOD`
			`if(connect) return icapsslrequestcheck`
			`ifnot(greyset) icap-checkrequest2`
			`if(redirectset) return true`
			`ifnot(blockset) setnolog`

			`function(icap-checkrequest2)`
			`if(viruscheckset) checknoscanlists`
			`if(bypassallowset) checknobypasslists`
			`if(exceptionset) return true`
			`if(fullurlin,searchterms) setsearchterm`
			`ifnot(greyset) returnif localcheckrequest`
			`ifnot(greyset) returnif exceptioncheck`
			`ifnot(greyset) greycheck`
			`ifnot(greyset) returnif bannedcheck`
			`if(fullurlin, change) setmodurl`
			`if(true) returnif embeddedcheck`
			`if(headerin,headermods) setmodheader`
			`if(fullurlin, addheader) setaddheader`
			`if(searchin,override) return setgrey`
			`if(searchin,banned) return setblock`
			`if(true) setgrey`

			`# Entry function called by ICAP module to check respmod`
			`function(icap-checkresponse)`
			`if(viruscheckset) checknoscanlists`
			`if(true) return checkresponse`

			`# Checks embeded urls`
			`# returns true if blocked, otherwise false`
			`function(embeddedcheck)`
			`if(embeddedin, localexception) return false`
			`if(embeddedin, localgrey) return false`
			`if(embeddedin, localbanned) return setblock`
			`if(embeddedin, exception) return false`
			`if(embeddedin, grey) return false`
			`if(embeddedin, banned) return setblock`

			`# Local checks`
			`# returns true if matches local exception or banned`
			`function(localcheckrequest)`
			`if(connect) return localsslrequestcheck`
			`ifnot(greyset) returnif localexceptioncheck`
			`ifnot(greyset) localgreycheck`
			`ifnot(greyset) returnif localbannedcheck`
			`if(searchin,localbanned) return setblock`


			`# Local SSL checks`
			`# returns true if matches local exception`
			`function(localsslrequestcheck)`
			`if(sitein, localexception) return setexception`
			`if(sitein, localgreyssl) returnif sslcheckmitm`
			`if(sitein, localbanned) true`
			`ifnot(returnset) return false`
			`if(true) returnif sslcheckmitm`
			`if(true) return setblock`

			`# SSL site replace (used instead of dns kulge)`
			`# returns true on match and successful replacement`
			`function(sslreplace)`
			`if(fullurlin,sslreplace) return setconnectsite`
			`if(true) return false`

			`# Local grey check`
			`# returns true on match`
			`function(localgreycheck)`
			`if(urlin, localgrey) return setgrey`

			`# Local banned check`
			`# returns true on match`
			`function(localbannedcheck)`
			`if(urlin, localbanned) return setblock`

			`# Local exception check`
			`# returns true on match`
			`function(localexceptioncheck)`
			`if(urlin, localexception) return setexception`

			`# Exception check`
			`# returns true on match`
			`function(exceptioncheck)`
			`if(urlin, exception) return setexception`
			`if(headerin, exceptionheader) return setexception`
			`if(useragentin, exceptionuseragent) return setexception`

			`# SSL Exception check`
			`# returns true on match`
			`function(sslexceptioncheck)`
			`if(sitein, exception) return setexception`
			`if(headerin, exceptionheader) return setexception`
			`if(useragentin, exceptionuseragent) return setexception`
			`if(true) return false`

			`# Greylist check`
			`# returns true on match`
			`function(greycheck)`
			`if(urlin, grey) return setgrey`

			`# Banned list check`
			`# returns true on match`
			`function(bannedcheck)`
			`if(true) returnif checkblanketblock`
			`if(urlin, banned) return setblock`
			`if(urlin,bannedextension) return setblock`
			`if(useragentin, banneduseragent) return setblock`
			`if(headerin, bannedheader) return setblock`

			`# Local SSL list(s) check`
			`# returns true on match`
			`function(localsslcheckrequest)`
			`if(sitein, localexception) return setexception`
			`#if(sitein, localbanned) return setblock`

			`# Check whether to go MITM`
			`# returns true if yes, false if no`
			`function(sslcheckmitm)`
			`# use next line to have general MITM`
			`if(true) return sslcheckmitmgeneral`
			`# use next line instead of last to limit MITM to greylist`
			`#if(true) return sslcheckmitmgreyonly`

			`# Always go MITM`
			`# returns true if yes, false if no`
			`function(sslcheckmitmgeneral)`
			`if(true) setgomitm`
			`ifnot(returnset) return false`
			`if(sitein, nocheckcert) setnocheckcert`
			`if(true) sslreplace`
			`if(true) return true`

			`# Only go MITM when in greyssl list`
			`# returns true if yes, false if no`
			`function(sslcheckmitmgreyonly)`
			`if(sitein, greyssl) setgomitm`
			`ifnot(returnset) return false`
			`if(sitein, nocheckcert) setnocheckcert`
			`if(true) sslreplace`
			`if(true) return true`

			`# SSL request check`
			`# returns true if exception or gomitm`
			`function(sslrequestcheck)`
			`if(true) returnif sslexceptioncheck`
			`if(true) returnif sslcheckmitm`
			`if(sitein, banned) return setblock`
			`if(true) sslreplace`
			`ifnot(returnset) returnif sslcheckblanketblock`
			`if(true) setgrey`

			`function(checknoscanlists)`
			`if(urlin,exceptionvirus) unsetviruscheck`

			`function(checknoscantypes)`
			`if(mimein,exceptionvirus) return unsetviruscheck`
			`if(extensionin,exceptionvirus) return unsetviruscheck`

			`function(checknobypasslists)`
			`if(urlin,bannedbypass) return unsetbypassallow`

			`# ICAP SSL request check`
			`# returns true if exception`
			`function(icapsslrequestcheck)`
			`if(true) returnif icapsquidbump`
			`if(true) returnif sslexceptioncheck`
			`if(true) sslreplace`
			`if(sitein, banned) return setblock`

			`# Blanket block`
			`# returns true if to block`
			`# Placeholder function - overide in fn.story`
			`function(checkblanketblock)`

			`# SSL Blanket block`
			`# returns true if to block`
			`# Placeholder function - overide in fn.story`
			`function(sslcheckblanketblock)`

			`# ICAP Squid bump`
			`# override in site.story to return true if bump is being deployed on squid`
			`function(icapsquidbump)`

			`# File type blocking`
			`# returns true if blocking`
			`# Default uses banned lists and allows all others`
			`# Overide in site.story or fn.story if only types in exception file type lists`
			`# are to be allowed`
			`function(checkfiletype)`
			`if(mimein, bannedmime) return setblock`
			`if(extensionin, bannedextension) return setblock`

			`# SNI checking - determines default action when no SNI or TSL is present on a`
			`# THTTPS connection`
			`# Default blocks all requests with TLS or SNI absent that are not ip site exceptions`
			`function(checksni)`
			`ifnot(tls,,511) return setblock`
			`ifnot(hassniset,,512) return setblock`