diff --git a/squid/README.md b/squid/README.md
index d25e85c0..a2d5c29f 100644
--- a/squid/README.md
+++ b/squid/README.md
@@ -1,6 +1,6 @@
 # squid
-Installation and configuration of Squid as an outgoing proxy.
+Installation and configuration of Squid
 ## Tasks
@@ -12,7 +12,9 @@ A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses
 * `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ;
 * `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ;
-* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
+* `squid_localproxy_enable` : enable configuration for squid as local proxy (default: False) ;
+* `general_alert_email`: email address to send various alert messages (default: `root@localhost`) ;
 * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
+
 The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml
index 2f81cc43..1a6db438 100644
--- a/squid/defaults/main.yml
+++ b/squid/defaults/main.yml
@@ -5,4 +5,4 @@ log2mail_alert_email: Null
 squid_address: "{{ ansible_default_ipv4.address }}"
 squid_whitelist_items: []
-squid_service_name: squid
+squid_localproxy_enable: False
diff --git a/squid/files/default_squid b/squid/files/default_squid
new file mode 100644
index 00000000..ae39d9ed
--- /dev/null
+++ b/squid/files/default_squid
@@ -0,0 +1,2 @@
+CONFIG=/etc/squid/evolinux-defaults.conf
+SQUID_ARGS="-YC -f $CONFIG"
diff --git a/squid/files/evolinux-defaults.conf b/squid/files/evolinux-defaults.conf
new file mode 100644
index 00000000..3153221a
--- /dev/null
+++ b/squid/files/evolinux-defaults.conf
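Review bot: `SQUID_ARGS="-YC -f $CONFIG"` only steers squid to evolinux-defaults.conf if the service manager on Debian 9 actually sources /etc/default/squid, which this hunk cannot show; if the unit ignores that file, squid keeps starting with /etc/squid/squid.conf and none of the evolinux-* files take effect, so this is worth verifying on a stretch host before relying on it. The task that installs this file in tasks/main.yml (`copy: src: default_squid` to `dest: /etc/default/squid`) also carries no `notify: "restart squid"`, so even where the file is honoured a changed CONFIG or argument set is not applied until some unrelated restart; adding `notify: "restart squid"` to that task closes the gap.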
@@ -0,0 +1,35 @@
+http_port 127.0.0.1:3128
+coredump_dir /var/spool/squid
+max_filedescriptors 4096
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-defaults.conf"
+acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-custom.conf"
+include /etc/squid/evolinux-acl.conf
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+include /etc/squid/evolinux-httpaccess.conf
+http_access allow localhost
+http_access deny all
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+access_log /var/log/squid/access.log combined
diff --git a/squid/files/evolinux-httpaccess.conf b/squid/files/evolinux-httpaccess.conf
new file mode 100644
index 00000000..7a4e00a2
--- /dev/null
+++ b/squid/files/evolinux-httpaccess.conf
@@ -0,0 +1,2 @@
+http_access deny !Whitelist_domains
+http_access allow LOCAL
diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf
new file mode 100644
index 00000000..310763e5
--- /dev/null
+++ b/squid/files/evolinux-whitelist-defaults.conf
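Review bot: Nothing in this file includes /etc/squid/evolinux-custom.conf, so the overrides that tasks/main.yml writes there (`http_port 8888 transparent`, `cache deny all`, `tcp_outgoing_address {{ squid_address }}` in the evolinux-custom.conf.j2 hunk) are never read by a squid started with `-f /etc/squid/evolinux-defaults.conf`. Appending `include /etc/squid/evolinux-custom.conf` as the last line, after `access_log`, picks them up; none of those directives interact with the `http_access` ordering above, so the end of the file is a safe place for it. Until then the Debian 9 configuration also lacks the `tcp_outgoing_address` pinning that the jessie template keeps.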
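Review bot: `http_access deny !Whitelist_domains` exists only in this file, which tasks/main.yml installs solely when `squid_localproxy_enable` is true; in the default mode the same path receives a comment-only placeholder, so `Whitelist_domains` is defined in evolinux-defaults.conf but never referenced and the `http_access allow localhost` there grants loopback clients access to any destination. If the allowlist is meant to restrict egress in both modes, move `http_access deny !Whitelist_domains` into evolinux-defaults.conf immediately before `include /etc/squid/evolinux-httpaccess.conf` and keep only `http_access allow LOCAL` here. If unrestricted localhost access is intended when the local proxy is disabled, a comment on that include line saying so would stop the next reader from assuming the allowlist is enforced.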
@@ -0,0 +1,119 @@
+### Evolix & System
+^.*\.evolix\.(net|org|com|fr)$
+^.*\.debian\.org$
+^www\.backports\.org$
+^backports\.debian\.org$
+^www\.kernel\.org$
+^hwraid\.le-vert\.net$
+^.*clamav\.net$
+^spamassassin\.apache\.org$
+^.*sa-update.*$
+^pear\.php\.net$
+
+# Let's Encrypt
+^.*\.letsencrypt.org$
+
+# Other OCSP endpoint
+^ocsp\.usertrust\.com$
+
+### CMS / Wordpress / Drupal / ...
+# Wordpress
+^.*akismet\.com$
+^.*wordpress\.(org|com)$
+^.*gravatar\.com$
+^www\.wordpress-fr\.net$
+^pixel\.wp\.com$
+# Wordpress pingback
+^rpc\.pingomatic\.com$
+^blo\.gs$
+^ping\.blo\.gs$
+^ping\.baidu\.com$
+^blogsearch\.google\.ru$
+^ping\.pubsub\.com$
+^rpc\.twingly\.com$
+^api\.feedster\.com$
+^api\.moreover\.com$
+^api\.moreover\.com$
+^www\.blogdigger\.com$
+^www\.blogshares\.com$
+^www\.blogsnow\.com$
+^www\.blogstreet\.com$
+^bulkfeeds\.net$
+^www\.newsisfree\.com$
+^ping\.feedburner\.com$
+^ping\.syndic8\.com$
+^ping\.weblogalot\.com$
+^rpc\.blogrolling\.com$
+^rpc\.technorati\.com$
+^rpc\.weblogs\.com$
+^www\.feedsubmitter\.com$
+^www\.pingerati\.net$
+^www\.pingmyblog\.com$
+^geourl\.org$
+^ipings\.com$
+^www\.weblogalot\.com$
+# Wordpress plugins
+^.*wpml\.org$
+^www\.wpcube\.co\.uk$
+^.*wp-rocket\.me$
+^www\.yithemes\.com$
+^.*yoast\.com$
+^yarpp\.org$
+^repository\.kreaturamedia\.com$
+^api\.wp-events-plugin\.com$
+^updates\.themepunch\.com$
+^themeisle\.com$
+^download\.advancedcustomfields\.com$
+^wpcdn\.io$
+^vimeo\.com$
+^api\.genesistheme\.com$
+^www\.bolderelements\.net$
+# Magento Plugins
+^extensions\.activo\.com$
+^amasty\.com$
+# Joomla
+^.*.joomla\.org$
+^getk2\.org$
+^miwisoft\.com$
+^mijosoft\.com$
+^www\.joomlaworks\.net$
+^cdn\.joomlaworks\.org$
+^download\.regularlabs\.com$
+# Prestashop
+^.*.prestashop\.com$
+^www\.presta-module\.com$
+^www\.presteamshop\.com$
+# Others
+^.*.drupal\.org$
+^.*\.dotclear\.(net|org)$
+^www\.phpbb\.com$
+^www\.typolight\.org$
+^www\.spip\.net$
+
+### Feeds / API / WS Tools / ...
+# Google
+^.*\.googleapis\.com$
+^.*\.google-analytics\.com$
+^blogsearch\.google\.(com|fr)$
+^csi\.gstatic\.com$
+^maps\.google\..*$
+^translate\.google\.com$
+^www\.google\.com$
+# Facebook
+^.*\.facebook\.com$
+^.*\.fbcdn\.net$
+# Maxmind
+^geolite\.maxmind\.com$
+# Others
+#^.*amazon.com$
+^.*twitter\.com$
+^.*feedburner\.com$
+^.*openx\.(org|com|net)$
+^geoip-api\.meteor\.com$
+^www\.bing\.com$
+^www\.telize\.com$
+^.*ident\.me$
+^.*icanhazip\.com$
+^www\.express-mailing\.com$
+^bot\.whatismyipaddress\.com$
+^ipecho\.net$
diff --git a/squid/files/whitelist-custom.conf b/squid/files/whitelist-custom.conf
deleted file mode 100644
index 5d930f2c..00000000
--- a/squid/files/whitelist-custom.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-### Custom whitelist
-# http://example.com/.*
diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf
index 407e7645..f9691802 100644
--- a/squid/files/whitelist-evolinux.conf
+++ b/squid/files/whitelist-evolinux.conf
@@ -119,4 +119,3 @@ http://bot.whatismyipaddress.com/.*
 http://ipecho.net/.*
 ### Various / Manual entry
-http://.*.s3.amazonaws.com/.*
diff --git a/squid/tasks/logrotate.yml b/squid/tasks/logrotate.yml
index 3ac53a6e..8464d309 100644
--- a/squid/tasks/logrotate.yml
+++ b/squid/tasks/logrotate.yml
@@ -2,5 +2,5 @@
 - name: logrotate configuration
 template:
 src: logrotate.j2
- dest: /etc/logrotate.d/{{ squid_daemon }}
+ dest: /etc/logrotate.d/{{ squid_daemoname }}
 force: no
diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml
index eaf690a6..5d81a670 100644
--- a/squid/tasks/main.yml
+++ b/squid/tasks/main.yml
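Review bot: Several patterns in this allowlist are looser than the domains they name: `^.*clamav\.net$`, `^.*akismet\.com$`, `^.*twitter\.com$` and the other `^.*name\.tld$` entries have no `\.` before the domain, so any host whose name merely ends in those characters matches; `^.*\.letsencrypt.org$`, `^.*.joomla\.org$`, `^.*.prestashop\.com$` and `^.*.drupal\.org$` leave a dot unescaped; and `^.*sa-update.*$` matches any name containing `sa-update` anywhere. Because `dstdom_regex` is the only control between a local client and outbound access, anchoring the label boundary — e.g. `^(.*\.)?clamav\.net$`, `^.*\.letsencrypt\.org$`, and `^sa-update\..*$` if the sa-update mirrors are the intended target — keeps the list to what it documents. `^api\.moreover\.com$` is also listed twice and one copy can go.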
@@ -1,41 +1,128 @@
 ---
-- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_release }}.yml"
+- fail:
+ msg: only compatible with Debian >= 8
+ when:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version | version_compare('8', '<')
-- name: package is installed
+- name: "Set squid name (jessie)"
+ set_fact:
+ squid_daemoname: squid3
+ when: ansible_distribution_release == "jessie"
+
+- name: "Set squid name (Debian 9 or later)"
+ set_fact:
+ squid_daemoname: squid
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Install Squid packages"
 apt:
- name: "{{ squid_package }}"
+ name: '{{ item }}'
 state: present
+ with_items:
+ - "{{ squid_daemoname }}"
+ - squidclient
-- name: squid.conf is present
+- name: "Set alternative config file (Debian 9 or later)"
+ copy:
+ src: default_squid
+ dest: /etc/default/squid
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "squid.conf is present (jessie)"
 template:
- src: squid.j2
- dest: "{{ squid_conf_file }}"
- notify: "restart {{ squid_daemon }}"
+ src: squid.conf.j2
+ dest: /etc/squid3/squid.conf
+ notify: "restart squid3"
+ when: ansible_distribution_release == "jessie"
-- name: evolix whitelist is present
+- name: "evolix whitelist is present (jessie)"
 copy:
 src: whitelist-evolinux.conf
- dest: "{{ squid_conf_path }}/whitelist-evolinux.conf"
- force: yes
- notify: "reload {{ squid_daemon }}"
+ dest: /etc/squid3/whitelist.conf
+ notify: "reload squid3"
+ when: ansible_distribution_release == "jessie"
-- name: custom whitelist is present
+- name: "evolinux custom squid file (Debian 9 or later)"
 copy:
- src: whitelist-custom.conf
- dest: "{{ squid_conf_path }}/whitelist-custom.conf"
+ src: evolinux-defaults.conf
+ dest: /etc/squid/evolinux-defaults.conf
+ notify: "restart squid"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux defaults whitelist (Debian 9 or later)"
+ copy:
+ src: evolinux-whitelist-defaults.conf
+ dest: /etc/squid/evolinux-whitelist-defaults.conf
+ notify: "reload squid"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom whitelist (Debian 9 or later)"
+ copy:
+ dest: /etc/squid/evolinux-whitelist-custom.conf
+ content: |
+ # Put customized values here.
 force: no
- notify: "reload {{ squid_daemon }}"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux acl for local proxy (Debian 9 or later)"
+ template:
+ src: evolinux-acl.conf.j2
+ dest: /etc/squid/evolinux-acl.conf
+ force: no
+ notify: "reload squid"
+ when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom acl (Debian 9 or later)"
+ copy:
+ dest: /etc/squid/evolinux-acl.conf
+ content: |
+ # Put customized values here.
+ force: no
+ when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux http_access for local proxy (Debian 9 or later)"
+ copy:
+ src: evolinux-httpaccess.conf
+ dest: /etc/squid/evolinux-httpaccess.conf
+ force: no
+ notify: "reload squid"
+ when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom http_access (Debian 9 or later)"
+ copy:
+ dest: /etc/squid/evolinux-httpaccess.conf
+ content: |
+ # Put customized values here.
+ force: no
+ when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux overrides for local proxy (Debian 9 or later)"
+ template:
+ src: evolinux-custom.conf.j2
+ dest: /etc/squid/evolinux-custom.conf
+ force: no
+ notify: "reload squid"
+ when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "evolinux custom overrides (Debian 9 or later)"
+ copy:
+ dest: /etc/squid/evolinux-custom.conf
+ content: |
+ # Put customized values here.
+ force: no
+ when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
 - name: add some URL in whitelist
 lineinfile:
 insertafter: EOF
- dest: "{{ squid_conf_path }}/whitelist-custom.conf"
+ dest: /etc/squid/evolinux-whitelist-custom.conf
 line: "{{ item }}"
 state: present
 with_items: '{{ squid_whitelist_items }}'
- notify: "reload {{ squid_daemon }}"
+ notify: "reload squid"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
 - include: logrotate.yml
diff --git a/squid/templates/evolinux-acl.conf.j2 b/squid/templates/evolinux-acl.conf.j2
new file mode 100644
index 00000000..dbd83927
--- /dev/null
+++ b/squid/templates/evolinux-acl.conf.j2
@@ -0,0 +1 @@
+acl LOCAL src {{ squid_address }}/32
diff --git a/squid/templates/evolinux-custom.conf.j2 b/squid/templates/evolinux-custom.conf.j2
new file mode 100644
index 00000000..cc465dc7
--- /dev/null
+++ b/squid/templates/evolinux-custom.conf.j2
@@ -0,0 +1,4 @@
+http_port 8888 transparent
+cache deny all
+ignore_expect_100 on
+tcp_outgoing_address {{ squid_address }}
diff --git a/squid/templates/log2mail.j2 b/squid/templates/log2mail.j2
index 223c8e27..7a025676 100644
--- a/squid/templates/log2mail.j2
+++ b/squid/templates/log2mail.j2
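Review bot: The `fail` guard at the top of the hunk only fires for Debian older than 8, although its message says the role is Debian-only: on any other distribution both `set_fact` tasks are skipped, or, where `ansible_distribution_major_version` happens to be 9 or higher, the Debian 9 branch runs against a system that may not have the expected package names and paths. `when: ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')` makes the guard match its message. Separately, the `lineinfile` task for `squid_whitelist_items` now runs only on Debian 9 or later while the jessie path copies whitelist-evolinux.conf alone to /etc/squid3/whitelist.conf (see the squid.conf.j2 hunk), so on jessie user-supplied whitelist entries are silently dropped; either document that limitation for `squid_whitelist_items` in the README or add a jessie `lineinfile` targeting /etc/squid3/whitelist.conf.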
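Review bot: `http_port 8888 transparent` carries no address, so unlike the `127.0.0.1:3128` listener in evolinux-defaults.conf it binds on every interface of the host; `http_access allow LOCAL` limits who may use it, but the socket itself is reachable from the network, and `http_port {{ squid_address }}:8888 transparent` (or 127.0.0.1 if the interception redirect is local) keeps the listener where the ACL expects traffic to originate. On Squid 3.x `transparent` is the deprecated spelling of `intercept`; using the current keyword avoids the startup warning and any later removal. Both points are moot until evolinux-defaults.conf includes this file, which it currently does not.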
@@ -1,4 +1,4 @@
-file = /var/log/squid3/access.log
+file = /var/log/{{ squid_daemoname }}/access.log
 pattern = "TCP_DENIED"
 mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
 template = /etc/log2mail/mail
diff --git a/squid/templates/logrotate.j2 b/squid/templates/logrotate.j2
index 409776b2..118e837b 100644
--- a/squid/templates/logrotate.j2
+++ b/squid/templates/logrotate.j2
@@ -1,4 +1,4 @@
-/var/log/{{ squid_daemon }}/*.log {
+/var/log/{{ squid_daemoname }}/*.log {
 monthly
 compress
 rotate 12
@@ -6,6 +6,6 @@
 create 640 proxy adm
 sharedscripts
 postrotate
- test ! -e /var/run/{{ squid_daemon }}.pid || /usr/sbin/{{ squid_daemon }} -k rotate
+ test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
 endscript
 }
diff --git a/squid/templates/squid.j2 b/squid/templates/squid.conf.j2
similarity index 70%
rename from squid/templates/squid.j2
rename to squid/templates/squid.conf.j2
index c983f7ff..108a3bc1 100644
--- a/squid/templates/squid.j2
+++ b/squid/templates/squid.conf.j2
@@ -8,8 +8,7 @@ acl localhost src 127.0.0.0/32
 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
 acl Safe_ports port 80 # http
 acl SSL_ports port 443 563
-acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-evolinux.conf"
-acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-custom.conf"
+acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
 http_access deny !WHITELIST
 http_access allow INTERNE
 http_access deny all
@@ -17,4 +16,4 @@ tcp_outgoing_address {{ squid_address }}
 # Logs
 logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
-access_log {{ squid_log_path }}/access.log combined
+access_log /var/log/squid3/access.log combined
diff --git a/squid/vars/Debian-jessie.yml b/squid/vars/Debian-jessie.yml
deleted file mode 100644
index 91b0e615..00000000
--- a/squid/vars/Debian-jessie.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-squid_package: squid3
-squid_daemon: squid3
-squid_conf_path: /etc/squid3
-squid_conf_file: /etc/squid3/squid.conf
-squid_log_path: /var/log/squid3
diff --git a/squid/vars/Debian-stretch.yml b/squid/vars/Debian-stretch.yml
deleted file mode 100644
index 4ed3046e..00000000
--- a/squid/vars/Debian-stretch.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-squid_package: squid
-squid_daemon: squid
-squid_conf_path: /etc/squid
-squid_conf_file: /etc/squid/squid.conf
-squid_log_path: /var/log/squid