review squid role whith https://wiki.evolix.org/HowtoSquid

2017-08-23 01:03:07 +02:00 · 2017-08-23 01:03:07 +02:00 · 32bcec3cc8
parent 6526e88b9c
commit 32bcec3cc8
17 changed files with 279 additions and 43 deletions
--- a/squid/README.md
+++ b/squid/README.md
@ -1,6 +1,6 @@
 # squid

-Installation and configuration of Squid as an outgoing proxy.
+Installation and configuration of Squid

 ## Tasks

@ -12,7 +12,9 @@ A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses

 * `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ;
 * `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ;
-* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
+* `squid_localproxy_enable` : enable configuration for squid as local proxy (default: False) ;
+* `general_alert_email`: email address to send various alert messages (default: `root@localhost`) ;
 * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).

+
 The full list of variables (with default values) can be found in `defaults/main.yml`.
--- a/squid/defaults/main.yml
+++ b/squid/defaults/main.yml
@ -5,4 +5,4 @@ log2mail_alert_email: Null
 squid_address: "{{ ansible_default_ipv4.address }}"
 squid_whitelist_items: []

-squid_service_name: squid
+squid_localproxy_enable: False
--- a/squid/files/default_squid
+++ b/squid/files/default_squid
@ -0,0 +1,2 @@
+CONFIG=/etc/squid/evolinux-defaults.conf
+SQUID_ARGS="-YC -f $CONFIG"
--- a/squid/files/evolinux-defaults.conf
+++ b/squid/files/evolinux-defaults.conf
@ -0,0 +1,35 @@
+http_port 127.0.0.1:3128
+coredump_dir /var/spool/squid
+max_filedescriptors 4096
+
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered ports
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl CONNECT method CONNECT
+acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-defaults.conf"
+acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-custom.conf"
+include /etc/squid/evolinux-acl.conf
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+include /etc/squid/evolinux-httpaccess.conf
+http_access allow localhost
+http_access deny all
+
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
+
+logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+access_log /var/log/squid/access.log combined
--- a/squid/files/evolinux-httpaccess.conf
+++ b/squid/files/evolinux-httpaccess.conf
@ -0,0 +1,2 @@
+http_access deny !Whitelist_domains
+http_access allow LOCAL
--- a/squid/files/evolinux-whitelist-defaults.conf
+++ b/squid/files/evolinux-whitelist-defaults.conf
@ -0,0 +1,119 @@
+### Evolix & System
+^.*\.evolix\.(net|org|com|fr)$
+^.*\.debian\.org$
+^www\.backports\.org$
+^backports\.debian\.org$
+^www\.kernel\.org$
+^hwraid\.le-vert\.net$
+^.*clamav\.net$
+^spamassassin\.apache\.org$
+^.*sa-update.*$
+^pear\.php\.net$
+
+# Let's Encrypt
+^.*\.letsencrypt.org$
+
+# Other OCSP endpoint
+^ocsp\.usertrust\.com$
+
+### CMS / Wordpress / Drupal / ...
+# Wordpress
+^.*akismet\.com$
+^.*wordpress\.(org|com)$
+^.*gravatar\.com$
+^www\.wordpress-fr\.net$
+^pixel\.wp\.com$
+# Wordpress pingback
+^rpc\.pingomatic\.com$
+^blo\.gs$
+^ping\.blo\.gs$
+^ping\.baidu\.com$
+^blogsearch\.google\.ru$
+^ping\.pubsub\.com$
+^rpc\.twingly\.com$
+^api\.feedster\.com$
+^api\.moreover\.com$
+^api\.moreover\.com$
+^www\.blogdigger\.com$
+^www\.blogshares\.com$
+^www\.blogsnow\.com$
+^www\.blogstreet\.com$
+^bulkfeeds\.net$
+^www\.newsisfree\.com$
+^ping\.feedburner\.com$
+^ping\.syndic8\.com$
+^ping\.weblogalot\.com$
+^rpc\.blogrolling\.com$
+^rpc\.technorati\.com$
+^rpc\.weblogs\.com$
+^www\.feedsubmitter\.com$
+^www\.pingerati\.net$
+^www\.pingmyblog\.com$
+^geourl\.org$
+^ipings\.com$
+^www\.weblogalot\.com$
+# Wordpress plugins
+^.*wpml\.org$
+^www\.wpcube\.co\.uk$
+^.*wp-rocket\.me$
+^www\.yithemes\.com$
+^.*yoast\.com$
+^yarpp\.org$
+^repository\.kreaturamedia\.com$
+^api\.wp-events-plugin\.com$
+^updates\.themepunch\.com$
+^themeisle\.com$
+^download\.advancedcustomfields\.com$
+^wpcdn\.io$
+^vimeo\.com$
+^api\.genesistheme\.com$
+^www\.bolderelements\.net$
+# Magento Plugins
+^extensions\.activo\.com$
+^amasty\.com$
+# Joomla
+^.*.joomla\.org$
+^getk2\.org$
+^miwisoft\.com$
+^mijosoft\.com$
+^www\.joomlaworks\.net$
+^cdn\.joomlaworks\.org$
+^download\.regularlabs\.com$
+# Prestashop
+^.*.prestashop\.com$
+^www\.presta-module\.com$
+^www\.presteamshop\.com$
+# Others
+^.*.drupal\.org$
+^.*\.dotclear\.(net|org)$
+^www\.phpbb\.com$
+^www\.typolight\.org$
+^www\.spip\.net$
+
+### Feeds / API / WS Tools / ...
+# Google
+^.*\.googleapis\.com$
+^.*\.google-analytics\.com$
+^blogsearch\.google\.(com|fr)$
+^csi\.gstatic\.com$
+^maps\.google\..*$
+^translate\.google\.com$
+^www\.google\.com$
+# Facebook
+^.*\.facebook\.com$
+^.*\.fbcdn\.net$
+# Maxmind
+^geolite\.maxmind\.com$
+# Others
+#^.*amazon.com$
+^.*twitter\.com$
+^.*feedburner\.com$
+^.*openx\.(org|com|net)$
+^geoip-api\.meteor\.com$
+^www\.bing\.com$
+^www\.telize\.com$
+^.*ident\.me$
+^.*icanhazip\.com$
+^www\.express-mailing\.com$
+^bot\.whatismyipaddress\.com$
+^ipecho\.net$
--- a/squid/files/whitelist-custom.conf
+++ b/squid/files/whitelist-custom.conf
@ -1,2 +0,0 @@
-### Custom whitelist
-# http://example.com/.*
--- a/squid/files/whitelist-evolinux.conf
+++ b/squid/files/whitelist-evolinux.conf
@ -119,4 +119,3 @@ http://bot.whatismyipaddress.com/.*
 http://ipecho.net/.*

 ### Various / Manual entry
-http://.*.s3.amazonaws.com/.*
--- a/squid/tasks/logrotate.yml
+++ b/squid/tasks/logrotate.yml
@ -2,5 +2,5 @@
 - name: logrotate configuration
  template:
    src: logrotate.j2
-    dest: /etc/logrotate.d/{{ squid_daemon }}
+    dest: /etc/logrotate.d/{{ squid_daemoname }}
    force: no
--- a/squid/tasks/main.yml
+++ b/squid/tasks/main.yml
@ -1,41 +1,128 @@
 ---

- name: Include OS-specific variables
-  include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_release }}.yml"
+- fail:
+    msg: only compatible with Debian >= 8
+  when:
+  - ansible_distribution == "Debian"
+  - ansible_distribution_major_version | version_compare('8', '<')

- name: package is installed
+- name: "Set squid name (jessie)"
+  set_fact:
+    squid_daemoname: squid3
+  when: ansible_distribution_release == "jessie"
+
+- name: "Set squid name (Debian 9 or later)"
+  set_fact:
+    squid_daemoname: squid
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Install Squid packages"
  apt:
-    name: "{{ squid_package }}"
+    name: '{{ item }}'
    state: present
+  with_items:
+  - "{{ squid_daemoname }}"
+  - squidclient

- name: squid.conf is present
+- name: "Set alternative config file (Debian 9 or later)"
+  copy:
+    src: default_squid
+    dest: /etc/default/squid
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "squid.conf is present (jessie)"
  template:
-    src: squid.j2
-    dest: "{{ squid_conf_file }}"
-  notify: "restart {{ squid_daemon }}"
+    src: squid.conf.j2
+    dest: /etc/squid3/squid.conf
+  notify: "restart squid3"
+  when: ansible_distribution_release == "jessie"

- name: evolix whitelist is present
+- name: "evolix whitelist is present (jessie)"
  copy:
    src: whitelist-evolinux.conf
-    dest: "{{ squid_conf_path }}/whitelist-evolinux.conf"
-    force: yes
-  notify: "reload {{ squid_daemon }}"
+    dest: /etc/squid3/whitelist.conf
+  notify: "reload squid3"
+  when: ansible_distribution_release == "jessie"

- name: custom whitelist is present
+- name: "evolinux custom squid file (Debian 9 or later)"
  copy:
-    src: whitelist-custom.conf
-    dest: "{{ squid_conf_path }}/whitelist-custom.conf"
+    src: evolinux-defaults.conf
+    dest: /etc/squid/evolinux-defaults.conf
+  notify: "restart squid"
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux defaults whitelist (Debian 9 or later)"
+  copy:
+    src: evolinux-whitelist-defaults.conf
+    dest: /etc/squid/evolinux-whitelist-defaults.conf
+  notify: "reload squid"
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom whitelist (Debian 9 or later)"
+  copy:
+    dest: /etc/squid/evolinux-whitelist-custom.conf
+    content: |
+      # Put customized values here.
    force: no
-  notify: "reload {{ squid_daemon }}"
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux acl for local proxy (Debian 9 or later)"
+  template:
+    src: evolinux-acl.conf.j2
+    dest: /etc/squid/evolinux-acl.conf
+    force: no
+  notify: "reload squid"
+  when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom acl (Debian 9 or later)"
+  copy:
+    dest: /etc/squid/evolinux-acl.conf
+    content: |
+      # Put customized values here.
+    force: no
+  when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux http_access for local proxy (Debian 9 or later)"
+  copy:
+    src: evolinux-httpaccess.conf
+    dest: /etc/squid/evolinux-httpaccess.conf
+    force: no
+  notify: "reload squid"
+  when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom http_access (Debian 9 or later)"
+  copy:
+    dest: /etc/squid/evolinux-httpaccess.conf
+    content: |
+      # Put customized values here.
+    force: no
+  when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux overrides for local proxy (Debian 9 or later)"
+  template:
+    src: evolinux-custom.conf.j2
+    dest: /etc/squid/evolinux-custom.conf
+    force: no
+  notify: "reload squid"
+  when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom overrides (Debian 9 or later)"
+  copy:
+    dest: /etc/squid/evolinux-custom.conf
+    content: |
+      # Put customized values here.
+    force: no
+  when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')

 - name: add some URL in whitelist
  lineinfile:
    insertafter: EOF
-    dest: "{{ squid_conf_path }}/whitelist-custom.conf"
+    dest: /etc/squid/evolinux-whitelist-custom.conf
    line: "{{ item }}"
    state: present
  with_items: '{{ squid_whitelist_items }}'
-  notify: "reload {{ squid_daemon }}"
+  notify: "reload squid"
+  when: ansible_distribution_major_version | version_compare('9', '>=')

 - include: logrotate.yml

--- a/squid/templates/evolinux-acl.conf.j2
+++ b/squid/templates/evolinux-acl.conf.j2
@ -0,0 +1 @@
+acl LOCAL src {{ squid_address }}/32
--- a/squid/templates/evolinux-custom.conf.j2
+++ b/squid/templates/evolinux-custom.conf.j2
@ -0,0 +1,4 @@
+http_port 8888 transparent
+cache deny all
+ignore_expect_100 on
+tcp_outgoing_address {{ squid_address }}
--- a/squid/templates/log2mail.j2
+++ b/squid/templates/log2mail.j2
@ -1,4 +1,4 @@
-file = /var/log/squid3/access.log
+file = /var/log/{{ squid_daemoname }}/access.log
 pattern = "TCP_DENIED"
 mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
 template = /etc/log2mail/mail
--- a/squid/templates/logrotate.j2
+++ b/squid/templates/logrotate.j2
@ -1,4 +1,4 @@
-/var/log/{{ squid_daemon }}/*.log {
+/var/log/{{ squid_daemoname }}/*.log {
    monthly
    compress
    rotate 12
@ -6,6 +6,6 @@
    create 640 proxy adm
    sharedscripts
    postrotate
-        test ! -e /var/run/{{ squid_daemon }}.pid || /usr/sbin/{{ squid_daemon }} -k rotate
+        test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
    endscript
 }
--- a/squid/templates/squid.conf.j2
+++ b/squid/templates/squid.conf.j2
@ -8,8 +8,7 @@ acl localhost src 127.0.0.0/32
 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
 acl Safe_ports port 80          # http
 acl SSL_ports port 443 563
-acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-evolinux.conf"
-acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-custom.conf"
+acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
 http_access deny !WHITELIST
 http_access allow INTERNE
 http_access deny all
@ -17,4 +16,4 @@ tcp_outgoing_address {{ squid_address }}

 # Logs
 logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
-access_log {{ squid_log_path }}/access.log combined
+access_log /var/log/squid3/access.log combined
--- a/squid/vars/Debian-jessie.yml
+++ b/squid/vars/Debian-jessie.yml
@ -1,6 +0,0 @@
---
-squid_package: squid3
-squid_daemon: squid3
-squid_conf_path: /etc/squid3
-squid_conf_file: /etc/squid3/squid.conf
-squid_log_path: /var/log/squid3
--- a/squid/vars/Debian-stretch.yml
+++ b/squid/vars/Debian-stretch.yml
@ -1,6 +0,0 @@
---
-squid_package: squid
-squid_daemon: squid
-squid_conf_path: /etc/squid
-squid_conf_file: /etc/squid/squid.conf
-squid_log_path: /var/log/squid