🦈🏠🐜❗ Initial Commit ❗🐜🦈🏠

config/e2guardian/common.story

@@ -0,0 +1,250 @@
+# Storyboard library file
+
+# For ease of upgrade DO NOT CHANGE THIS library file 
+# Make your function changes by overriding functions
+# in the site.story file - for site wide changes
+# and in filtergroup specific story file - see examplef1.story
+#
+# This library is built to largely duplicate the logic in V4
+# 
+# Many e2guardian[f1].conf flags are replaced by overiding
+# library functions - see site.story and examplef1.story
+#
+# Simple functions are defined which control the logic flow and the
+# lists that are used.  See notes/Storyboard for details.
+#
+# The entry point in v5 for standard filtering is 'checkrequest'
+#
+# Entry function called by proxy module to check http request
+function(checkrequest)
+if(viruscheckset) checknoscanlists
+if(bypassallowset) checknobypasslists
+if(exceptionset) return true
+if(fullurlin,searchterms) setsearchterm
+ifnot(greyset) returnif localcheckrequest
+if(connect) return sslrequestcheck
+ifnot(greyset) returnif exceptioncheck
+ifnot(greyset) greycheck
+ifnot(greyset) returnif bannedcheck
+if(fullurlin, change) setmodurl
+if(true) returnif embeddedcheck
+if(headerin,headermods) setmodheader
+if(fullurlin, addheader) setaddheader
+if(searchin,override) return setgrey
+if(searchin,banned) return setblock
+if(fullurlin,redirect) return setredirect
+if(true) setgrey
+
+
+# Entry function called by proxy module to check http response
+function(checkresponse)
+if(exceptionset) return false
+if(viruscheckset) checknoscantypes
+if(urlin,exceptionfile) return false
+if(true) return checkfiletype
+
+# Entry function called by THTTPS module to check https request
+function(thttps-checkrequest)
+if(true) returnif localsslrequestcheck
+if(true) returnif sslrequestcheck
+ifnot(hassniset) checksni
+
+# Entry function called by ICAP module to check reqmod
+function(icap-checkrequest)
+#unless blocked or redirect or connect - leave logging for RESPMOD
+if(connect) return icapsslrequestcheck
+ifnot(greyset) icap-checkrequest2
+if(redirectset) return true
+ifnot(blockset) setnolog
+
+function(icap-checkrequest2)
+if(viruscheckset) checknoscanlists
+if(bypassallowset) checknobypasslists
+if(exceptionset) return true
+if(fullurlin,searchterms) setsearchterm
+ifnot(greyset) returnif localcheckrequest
+ifnot(greyset) returnif exceptioncheck
+ifnot(greyset) greycheck
+ifnot(greyset) returnif bannedcheck
+if(fullurlin, change) setmodurl
+if(true) returnif embeddedcheck
+if(headerin,headermods) setmodheader
+if(fullurlin, addheader) setaddheader
+if(searchin,override) return setgrey
+if(searchin,banned) return setblock
+if(true) setgrey
+
+# Entry function called by ICAP module to check respmod
+function(icap-checkresponse)
+if(viruscheckset) checknoscanlists
+if(true) return checkresponse
+
+# Checks embeded urls
+#  returns true if blocked, otherwise false
+function(embeddedcheck)
+if(embeddedin, localexception) return false
+if(embeddedin, localgrey) return false
+if(embeddedin, localbanned) return setblock
+if(embeddedin, exception) return false
+if(embeddedin, grey) return false
+if(embeddedin, banned) return setblock
+
+# Local checks
+#  returns true if matches local exception or banned
+function(localcheckrequest)
+if(connect) return localsslrequestcheck
+ifnot(greyset) returnif localexceptioncheck
+ifnot(greyset) localgreycheck
+ifnot(greyset) returnif localbannedcheck
+if(searchin,localbanned) return setblock
+
+
+# Local SSL checks
+#  returns true if matches local exception 
+function(localsslrequestcheck)
+if(sitein, localexception) return setexception
+if(sitein, localgreyssl) returnif sslcheckmitm
+if(sitein, localbanned) true
+ifnot(returnset) return false
+if(true) returnif sslcheckmitm
+if(true) return setblock
+
+# SSL site replace (used instead of dns kulge)
+#  returns true on match and successful replacement
+function(sslreplace)
+if(fullurlin,sslreplace) return setconnectsite
+if(true) return false
+
+# Local grey check
+#  returns true on match
+function(localgreycheck)
+if(urlin, localgrey) return setgrey
+
+# Local banned check
+#  returns true on match
+function(localbannedcheck)
+if(urlin, localbanned) return setblock
+
+# Local exception check
+#  returns true on match
+function(localexceptioncheck)
+if(urlin, localexception) return setexception
+
+# Exception check
+#  returns true on match
+function(exceptioncheck)
+if(urlin, exception) return setexception
+if(headerin, exceptionheader) return setexception
+if(useragentin, exceptionuseragent) return setexception
+
+# SSL Exception check
+#  returns true on match
+function(sslexceptioncheck)
+if(sitein, exception) return setexception
+if(headerin, exceptionheader) return setexception
+if(useragentin, exceptionuseragent) return setexception
+if(true) return false
+
+# Greylist check
+#  returns true on match
+function(greycheck)
+if(urlin, grey) return setgrey
+
+# Banned list check
+#  returns true on match
+function(bannedcheck)
+if(true) returnif checkblanketblock
+if(urlin, banned) return setblock
+if(urlin,bannedextension) return setblock
+if(useragentin, banneduseragent) return setblock
+if(headerin, bannedheader) return setblock
+
+# Local SSL list(s) check
+#  returns true on match
+function(localsslcheckrequest)
+if(sitein, localexception) return setexception
+#if(sitein, localbanned) return setblock
+
+# Check whether to go MITM
+#  returns true if yes, false if no
+function(sslcheckmitm)
+# use next line to have general MITM
+if(true) return sslcheckmitmgeneral
+# use next line instead of last to limit MITM to greylist
+#if(true) return sslcheckmitmgreyonly
+
+# Always go MITM
+#  returns true if yes, false if no
+function(sslcheckmitmgeneral)
+if(true) setgomitm
+ifnot(returnset) return false
+if(sitein, nocheckcert) setnocheckcert
+if(true) sslreplace
+if(true) return true
+
+# Only go MITM when in greyssl list
+#  returns true if yes, false if no
+function(sslcheckmitmgreyonly)
+if(sitein, greyssl) setgomitm
+ifnot(returnset) return false
+if(sitein, nocheckcert) setnocheckcert
+if(true) sslreplace
+if(true) return true
+
+# SSL request check
+#  returns true if exception or gomitm
+function(sslrequestcheck)
+if(true) returnif sslexceptioncheck
+if(true) returnif sslcheckmitm
+if(sitein, banned) return setblock
+if(true) sslreplace
+ifnot(returnset) returnif sslcheckblanketblock
+if(true) setgrey
+
+function(checknoscanlists)
+if(urlin,exceptionvirus) unsetviruscheck
+
+function(checknoscantypes)
+if(mimein,exceptionvirus) return unsetviruscheck
+if(extensionin,exceptionvirus) return unsetviruscheck
+
+function(checknobypasslists)
+if(urlin,bannedbypass) return unsetbypassallow
+
+# ICAP SSL request check
+#  returns true if exception 
+function(icapsslrequestcheck)
+if(true) returnif icapsquidbump
+if(true) returnif sslexceptioncheck
+if(true) sslreplace
+if(sitein, banned) return setblock
+
+# Blanket block
+#  returns true if to block
+#  Placeholder function - overide in fn.story
+function(checkblanketblock)
+
+# SSL Blanket block
+#  returns true if to block
+#  Placeholder function - overide in fn.story
+function(sslcheckblanketblock)
+
+# ICAP Squid bump
+#  override in site.story to return true if bump is being deployed on squid
+function(icapsquidbump)
+
+# File type blocking
+#  returns true if blocking
+# Default uses banned lists and allows all others
+# Overide in site.story or fn.story if only types in exception file type lists 
+# are to be allowed
+function(checkfiletype)
+if(mimein, bannedmime) return setblock
+if(extensionin, bannedextension) return setblock
+
+# SNI checking - determines default action when no SNI or TSL is present on a 
+#    THTTPS connection
+# Default blocks all requests with TLS or SNI absent that are not ip site exceptions
+function(checksni)
+ifnot(tls,,511) return setblock
+ifnot(hassniset,,512) return setblock