review squid role whith https://wiki.evolix.org/HowtoSquid
parent
6526e88b9c
commit
32bcec3cc8
@ -1,6 +1,6 @@
|
|||
# squid
|
||||
|
||||
Installation and configuration of Squid as an outgoing proxy.
|
||||
Installation and configuration of Squid
|
||||
|
||||
## Tasks
|
||||
|
||||
|
@ -12,7 +12,9 @@ A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses
|
|||
|
||||
* `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ;
|
||||
* `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ;
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||
* `squid_localproxy_enable` : enable configuration for squid as local proxy (default: False) ;
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`) ;
|
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -5,4 +5,4 @@ log2mail_alert_email: Null
|
|||
squid_address: "{{ ansible_default_ipv4.address }}"
|
||||
squid_whitelist_items: []
|
||||
|
||||
squid_service_name: squid
|
||||
squid_localproxy_enable: False
|
||||
|
|
|
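Review bot: `squid_whitelist_items` now ends up in `/etc/squid/evolinux-whitelist-custom.conf`, which evolinux-defaults.conf loads as a `dstdom_regex` list, so each item must be an anchored hostname regex rather than the URL the README still describes; an unanchored entry such as `example.com` would whitelist every host that merely contains that string. The `lineinfile` task that applies the list is also gated on Debian 9 or later, so the variable is silently ignored on jessie. I would document both next to the default: `# dstdom_regex patterns, e.g. ^www\.example\.com$ (applied on Debian 9+ only)`.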
@ -0,0 +1,2 @@
|
|||
CONFIG=/etc/squid/evolinux-defaults.conf
|
||||
SQUID_ARGS="-YC -f $CONFIG"
|
|
@ -0,0 +1,35 @@
|
|||
http_port 127.0.0.1:3128
|
||||
coredump_dir /var/spool/squid
|
||||
max_filedescriptors 4096
|
||||
|
||||
acl SSL_ports port 443
|
||||
acl Safe_ports port 80 # http
|
||||
acl Safe_ports port 21 # ftp
|
||||
acl Safe_ports port 443 # https
|
||||
acl Safe_ports port 70 # gopher
|
||||
acl Safe_ports port 210 # wais
|
||||
acl Safe_ports port 1025-65535 # unregistered ports
|
||||
acl Safe_ports port 280 # http-mgmt
|
||||
acl Safe_ports port 488 # gss-http
|
||||
acl Safe_ports port 591 # filemaker
|
||||
acl Safe_ports port 777 # multiling http
|
||||
acl CONNECT method CONNECT
|
||||
acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-defaults.conf"
|
||||
acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-custom.conf"
|
||||
include /etc/squid/evolinux-acl.conf
|
||||
|
||||
http_access deny !Safe_ports
|
||||
http_access deny CONNECT !SSL_ports
|
||||
http_access allow localhost manager
|
||||
http_access deny manager
|
||||
include /etc/squid/evolinux-httpaccess.conf
|
||||
http_access allow localhost
|
||||
http_access deny all
|
||||
|
||||
refresh_pattern ^ftp: 1440 20% 10080
|
||||
refresh_pattern ^gopher: 1440 0% 1440
|
||||
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
|
||||
refresh_pattern . 0 20% 4320
|
||||
|
||||
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
||||
access_log /var/log/squid/access.log combined
|
|
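Review bot: With the default `squid_localproxy_enable: False`, `/etc/squid/evolinux-httpaccess.conf` is only the placeholder comment written by tasks/main.yml, so the `http_access` chain here reduces to the Safe_ports/CONNECT/manager rules followed by `http_access allow localhost`: both `Whitelist_domains` ACLs are defined but never enforced, and any local process can reach any destination through 127.0.0.1:3128. That differs from the jessie template, where `http_access deny !WHITELIST` is unconditional. If the whitelist is meant to apply in both modes, put `http_access deny !Whitelist_domains` in this file immediately before `include /etc/squid/evolinux-httpaccess.conf` and leave only the `allow LOCAL` rule in the mode-specific file; if an open local proxy is the intended default, the README should say so explicitly.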
@ -0,0 +1,2 @@
|
|||
http_access deny !Whitelist_domains
|
||||
http_access allow LOCAL
|
|
@ -0,0 +1,119 @@
|
|||
### Evolix & System
|
||||
^.*\.evolix\.(net|org|com|fr)$
|
||||
^.*\.debian\.org$
|
||||
^www\.backports\.org$
|
||||
^backports\.debian\.org$
|
||||
^www\.kernel\.org$
|
||||
^hwraid\.le-vert\.net$
|
||||
^.*clamav\.net$
|
||||
^spamassassin\.apache\.org$
|
||||
^.*sa-update.*$
|
||||
^pear\.php\.net$
|
||||
|
||||
# Let's Encrypt
|
||||
^.*\.letsencrypt.org$
|
||||
|
||||
# Other OCSP endpoint
|
||||
^ocsp\.usertrust\.com$
|
||||
|
||||
### CMS / Wordpress / Drupal / ...
|
||||
# Wordpress
|
||||
^.*akismet\.com$
|
||||
^.*wordpress\.(org|com)$
|
||||
^.*gravatar\.com$
|
||||
^www\.wordpress-fr\.net$
|
||||
^pixel\.wp\.com$
|
||||
# Wordpress pingback
|
||||
^rpc\.pingomatic\.com$
|
||||
^blo\.gs$
|
||||
^ping\.blo\.gs$
|
||||
^ping\.baidu\.com$
|
||||
^blogsearch\.google\.ru$
|
||||
^ping\.pubsub\.com$
|
||||
^rpc\.twingly\.com$
|
||||
^api\.feedster\.com$
|
||||
^api\.moreover\.com$
|
||||
^api\.moreover\.com$
|
||||
^www\.blogdigger\.com$
|
||||
^www\.blogshares\.com$
|
||||
^www\.blogsnow\.com$
|
||||
^www\.blogstreet\.com$
|
||||
^bulkfeeds\.net$
|
||||
^www\.newsisfree\.com$
|
||||
^ping\.feedburner\.com$
|
||||
^ping\.syndic8\.com$
|
||||
^ping\.weblogalot\.com$
|
||||
^rpc\.blogrolling\.com$
|
||||
^rpc\.technorati\.com$
|
||||
^rpc\.weblogs\.com$
|
||||
^www\.feedsubmitter\.com$
|
||||
^www\.pingerati\.net$
|
||||
^www\.pingmyblog\.com$
|
||||
^geourl\.org$
|
||||
^ipings\.com$
|
||||
^www\.weblogalot\.com$
|
||||
# Wordpress plugins
|
||||
^.*wpml\.org$
|
||||
^www\.wpcube\.co\.uk$
|
||||
^.*wp-rocket\.me$
|
||||
^www\.yithemes\.com$
|
||||
^.*yoast\.com$
|
||||
^yarpp\.org$
|
||||
^repository\.kreaturamedia\.com$
|
||||
^api\.wp-events-plugin\.com$
|
||||
^updates\.themepunch\.com$
|
||||
^themeisle\.com$
|
||||
^download\.advancedcustomfields\.com$
|
||||
^wpcdn\.io$
|
||||
^vimeo\.com$
|
||||
^api\.genesistheme\.com$
|
||||
^www\.bolderelements\.net$
|
||||
# Magento Plugins
|
||||
^extensions\.activo\.com$
|
||||
^amasty\.com$
|
||||
# Joomla
|
||||
^.*.joomla\.org$
|
||||
^getk2\.org$
|
||||
^miwisoft\.com$
|
||||
^mijosoft\.com$
|
||||
^www\.joomlaworks\.net$
|
||||
^cdn\.joomlaworks\.org$
|
||||
^download\.regularlabs\.com$
|
||||
# Prestashop
|
||||
^.*.prestashop\.com$
|
||||
^www\.presta-module\.com$
|
||||
^www\.presteamshop\.com$
|
||||
# Others
|
||||
^.*.drupal\.org$
|
||||
^.*\.dotclear\.(net|org)$
|
||||
^www\.phpbb\.com$
|
||||
^www\.typolight\.org$
|
||||
^www\.spip\.net$
|
||||
|
||||
### Feeds / API / WS Tools / ...
|
||||
# Google
|
||||
^.*\.googleapis\.com$
|
||||
^.*\.google-analytics\.com$
|
||||
^blogsearch\.google\.(com|fr)$
|
||||
^csi\.gstatic\.com$
|
||||
^maps\.google\..*$
|
||||
^translate\.google\.com$
|
||||
^www\.google\.com$
|
||||
# Facebook
|
||||
^.*\.facebook\.com$
|
||||
^.*\.fbcdn\.net$
|
||||
# Maxmind
|
||||
^geolite\.maxmind\.com$
|
||||
# Others
|
||||
#^.*amazon.com$
|
||||
^.*twitter\.com$
|
||||
^.*feedburner\.com$
|
||||
^.*openx\.(org|com|net)$
|
||||
^geoip-api\.meteor\.com$
|
||||
^www\.bing\.com$
|
||||
^www\.telize\.com$
|
||||
^.*ident\.me$
|
||||
^.*icanhazip\.com$
|
||||
^www\.express-mailing\.com$
|
||||
^bot\.whatismyipaddress\.com$
|
||||
^ipecho\.net$
|
|
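Review bot: Several entries are not anchored to a label boundary, and since `dstdom_regex` matches the whole destination host they also accept hosts that merely end with the name: `^.*clamav\.net$` matches `notclamav.net`, `^.*twitter\.com$` matches `eviltwitter.com`, and `^.*sa-update.*$` matches any host containing `sa-update` anywhere in its name. The same applies to the `akismet`, `wordpress`, `gravatar`, `wpml`, `wp-rocket`, `yoast`, `feedburner`, `openx`, `ident.me` and `icanhazip` lines; `^.*.joomla\.org$`, `^.*.prestashop\.com$`, `^.*.drupal\.org$` and `^.*\.letsencrypt.org$` additionally leave a dot unescaped, and `^maps\.google\..*$` accepts `maps.google.<anything>`. Because this list is the egress control for the host, I would write these as `^(.*\.)?name\.tld$`, enumerate the Google ccTLDs the way `^blogsearch\.google\.(com|fr)$` already does, and anchor the SpamAssassin entry to the update hosts actually used (at minimum a leading `^sa-update\.`, and preferably the full hostnames). `^api\.moreover\.com$` is also listed twice.
```conf
### Evolix & System
# … unchanged: evolix, debian, backports, kernel, hwraid …
^(.*\.)?clamav\.net$
^spamassassin\.apache\.org$
# list every sa-update mirror actually used here; no bare substring match
^sa-update\.spamassassin\.org$
# … unchanged: pear …
# Let's Encrypt
^.*\.letsencrypt\.org$
# … unchanged: OCSP …
# Wordpress
^(.*\.)?akismet\.com$
^(.*\.)?wordpress\.(org|com)$
^(.*\.)?gravatar\.com$
# … unchanged: wordpress-fr, wp.com, pingback hosts …
# Wordpress plugins
^(.*\.)?wpml\.org$
^(.*\.)?wp-rocket\.me$
^(.*\.)?yoast\.com$
# … unchanged: remaining plugin hosts, Magento …
# Joomla
^(.*\.)?joomla\.org$
# … unchanged: Joomla extension hosts …
# Prestashop
^(.*\.)?prestashop\.com$
# … unchanged: Prestashop module hosts …
# Others
^(.*\.)?drupal\.org$
# … unchanged: dotclear, phpbb, typolight, spip …
# Google
^maps\.google\.(com|fr)$
# … unchanged: other Google, Facebook, Maxmind …
^(.*\.)?twitter\.com$
^(.*\.)?feedburner\.com$
^(.*\.)?openx\.(org|com|net)$
# … unchanged: meteor, bing, telize …
^(.*\.)?ident\.me$
^(.*\.)?icanhazip\.com$
# … unchanged: express-mailing, whatismyipaddress, ipecho …
```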
@ -1,2 +0,0 @@
|
|||
### Custom whitelist
|
||||
# http://example.com/.*
|
|
@ -119,4 +119,3 @@ http://bot.whatismyipaddress.com/.*
|
|||
http://ipecho.net/.*
|
||||
|
||||
### Various / Manual entry
|
||||
http://.*.s3.amazonaws.com/.*
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
- name: logrotate configuration
|
||||
template:
|
||||
src: logrotate.j2
|
||||
dest: /etc/logrotate.d/{{ squid_daemon }}
|
||||
dest: /etc/logrotate.d/{{ squid_daemoname }}
|
||||
force: no
|
||||
|
|
|
@ -1,41 +1,128 @@
|
|||
---
|
||||
|
||||
- name: Include OS-specific variables
|
||||
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_release }}.yml"
|
||||
- fail:
|
||||
msg: only compatible with Debian >= 8
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- name: package is installed
|
||||
- name: "Set squid name (jessie)"
|
||||
set_fact:
|
||||
squid_daemoname: squid3
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Set squid name (Debian 9 or later)"
|
||||
set_fact:
|
||||
squid_daemoname: squid
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Install Squid packages"
|
||||
apt:
|
||||
name: "{{ squid_package }}"
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- "{{ squid_daemoname }}"
|
||||
- squidclient
|
||||
|
||||
- name: squid.conf is present
|
||||
- name: "Set alternative config file (Debian 9 or later)"
|
||||
copy:
|
||||
src: default_squid
|
||||
dest: /etc/default/squid
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "squid.conf is present (jessie)"
|
||||
template:
|
||||
src: squid.j2
|
||||
dest: "{{ squid_conf_file }}"
|
||||
notify: "restart {{ squid_daemon }}"
|
||||
src: squid.conf.j2
|
||||
dest: /etc/squid3/squid.conf
|
||||
notify: "restart squid3"
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: evolix whitelist is present
|
||||
- name: "evolix whitelist is present (jessie)"
|
||||
copy:
|
||||
src: whitelist-evolinux.conf
|
||||
dest: "{{ squid_conf_path }}/whitelist-evolinux.conf"
|
||||
force: yes
|
||||
notify: "reload {{ squid_daemon }}"
|
||||
dest: /etc/squid3/whitelist.conf
|
||||
notify: "reload squid3"
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: custom whitelist is present
|
||||
- name: "evolinux custom squid file (Debian 9 or later)"
|
||||
copy:
|
||||
src: whitelist-custom.conf
|
||||
dest: "{{ squid_conf_path }}/whitelist-custom.conf"
|
||||
src: evolinux-defaults.conf
|
||||
dest: /etc/squid/evolinux-defaults.conf
|
||||
notify: "restart squid"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux defaults whitelist (Debian 9 or later)"
|
||||
copy:
|
||||
src: evolinux-whitelist-defaults.conf
|
||||
dest: /etc/squid/evolinux-whitelist-defaults.conf
|
||||
notify: "reload squid"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux custom whitelist (Debian 9 or later)"
|
||||
copy:
|
||||
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||
content: |
|
||||
# Put customized values here.
|
||||
force: no
|
||||
notify: "reload {{ squid_daemon }}"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux acl for local proxy (Debian 9 or later)"
|
||||
template:
|
||||
src: evolinux-acl.conf.j2
|
||||
dest: /etc/squid/evolinux-acl.conf
|
||||
force: no
|
||||
notify: "reload squid"
|
||||
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux custom acl (Debian 9 or later)"
|
||||
copy:
|
||||
dest: /etc/squid/evolinux-acl.conf
|
||||
content: |
|
||||
# Put customized values here.
|
||||
force: no
|
||||
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux http_access for local proxy (Debian 9 or later)"
|
||||
copy:
|
||||
src: evolinux-httpaccess.conf
|
||||
dest: /etc/squid/evolinux-httpaccess.conf
|
||||
force: no
|
||||
notify: "reload squid"
|
||||
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux custom http_access (Debian 9 or later)"
|
||||
copy:
|
||||
dest: /etc/squid/evolinux-httpaccess.conf
|
||||
content: |
|
||||
# Put customized values here.
|
||||
force: no
|
||||
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux overrides for local proxy (Debian 9 or later)"
|
||||
template:
|
||||
src: evolinux-custom.conf.j2
|
||||
dest: /etc/squid/evolinux-custom.conf
|
||||
force: no
|
||||
notify: "reload squid"
|
||||
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "evolinux custom overrides (Debian 9 or later)"
|
||||
copy:
|
||||
dest: /etc/squid/evolinux-custom.conf
|
||||
content: |
|
||||
# Put customized values here.
|
||||
force: no
|
||||
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: add some URL in whitelist
|
||||
lineinfile:
|
||||
insertafter: EOF
|
||||
dest: "{{ squid_conf_path }}/whitelist-custom.conf"
|
||||
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||
line: "{{ item }}"
|
||||
state: present
|
||||
with_items: '{{ squid_whitelist_items }}'
|
||||
notify: "reload {{ squid_daemon }}"
|
||||
notify: "reload squid"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- include: logrotate.yml
|
||||
|
||||
|
|
|
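Review bot: All six mode-dependent tasks (`evolinux-acl.conf`, `evolinux-httpaccess.conf` and `evolinux-custom.conf`, in both the `squid_localproxy_enable` and the `== False` branches) use `force: no`, so whichever variant is written on the first run stays forever: a host deployed with the default `False` keeps the placeholder files after the variable is switched on, and a host deployed in local-proxy mode keeps the transparent port and `allow LOCAL` rule after it is switched off. The three placeholder tasks also carry no `notify`, so even a freshly written file does not trigger a reload. If these files are role-managed, drop `force: no` on them (keep it only for `evolinux-whitelist-custom.conf`, which operators edit by hand) so the rendered config follows the variable; if they are meant to be hand-edited, the role should not write different content for each mode into the same path. Separately, the `fail` guard only rejects Debian < 8 while `squid_daemoname` is set for jessie or Debian >= 9 only, so with the OS-specific vars files gone, any other distribution reaches the later tasks with an undefined `squid_daemoname`.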
@ -0,0 +1 @@
|
|||
acl LOCAL src {{ squid_address }}/32
|
|
@ -0,0 +1,4 @@
|
|||
http_port 8888 transparent
|
||||
cache deny all
|
||||
ignore_expect_100 on
|
||||
tcp_outgoing_address {{ squid_address }}
|
|
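Review bot: Nothing loads this file: the new `/etc/default/squid` starts Squid with `-f /etc/squid/evolinux-defaults.conf`, and that file only includes `evolinux-acl.conf` and `evolinux-httpaccess.conf`, so in local-proxy mode the `http_port 8888 transparent`, `cache deny all` and `tcp_outgoing_address` settings here are never applied (the jessie template's `tcp_outgoing_address {{ squid_address }}` line shows they are meant to be). Adding `include /etc/squid/evolinux-custom.conf` to evolinux-defaults.conf would fix that. Once it is wired in, `http_port 8888 transparent` listens on every interface; since `acl LOCAL` only admits the host's own address, binding it explicitly (`http_port 127.0.0.1:8888 intercept`, if the redirected traffic is indeed the host's own) keeps the interception port off the network — and I believe `transparent` is only a deprecated alias for `intercept` on the Squid 3.x shipped with stretch, which is worth confirming against the package.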
@ -1,4 +1,4 @@
|
|||
file = /var/log/squid3/access.log
|
||||
file = /var/log/{{ squid_daemoname }}/access.log
|
||||
pattern = "TCP_DENIED"
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
template = /etc/log2mail/mail
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/var/log/{{ squid_daemon }}/*.log {
|
||||
/var/log/{{ squid_daemoname }}/*.log {
|
||||
monthly
|
||||
compress
|
||||
rotate 12
|
||||
|
@ -6,6 +6,6 @@
|
|||
create 640 proxy adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
test ! -e /var/run/{{ squid_daemon }}.pid || /usr/sbin/{{ squid_daemon }} -k rotate
|
||||
test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
|
||||
endscript
|
||||
}
|
||||
|
|
|
@ -8,8 +8,7 @@ acl localhost src 127.0.0.0/32
|
|||
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
||||
acl Safe_ports port 80 # http
|
||||
acl SSL_ports port 443 563
|
||||
acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-evolinux.conf"
|
||||
acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-custom.conf"
|
||||
acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
|
||||
http_access deny !WHITELIST
|
||||
http_access allow INTERNE
|
||||
http_access deny all
|
||||
|
@ -17,4 +16,4 @@ tcp_outgoing_address {{ squid_address }}
|
|||
|
||||
# Logs
|
||||
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
||||
access_log {{ squid_log_path }}/access.log combined
|
||||
access_log /var/log/squid3/access.log combined
|
|
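Review bot: The jessie template drops the `whitelist-custom.conf` ACL and keeps only `/etc/squid3/whitelist.conf`, while main.yml no longer writes a custom whitelist or applies `squid_whitelist_items` on jessie, so an existing jessie host with entries in `/etc/squid3/whitelist-custom.conf` silently loses them at the next run once Squid is reloaded with this template. Either keep `acl WHITELIST url_regex "/etc/squid3/whitelist-custom.conf"` here (the file stays on disk, since nothing removes it) together with a jessie branch of the `lineinfile` task, or state in the README that jessie is frozen and custom entries must be added to `whitelist.conf` by hand.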
@ -1,6 +0,0 @@
|
|||
---
|
||||
squid_package: squid3
|
||||
squid_daemon: squid3
|
||||
squid_conf_path: /etc/squid3
|
||||
squid_conf_file: /etc/squid3/squid.conf
|
||||
squid_log_path: /var/log/squid3
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
squid_package: squid
|
||||
squid_daemon: squid
|
||||
squid_conf_path: /etc/squid
|
||||
squid_conf_file: /etc/squid/squid.conf
|
||||
squid_log_path: /var/log/squid
|