From 41329af173c7d2c598d89710eddccac716f9089f Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Wed, 23 Aug 2017 01:26:57 +0200
Subject: [PATCH] Remove dynamic add of whitelist Squid proxy
---
 evoacme/tasks/certbot.yml | 21 --------------
 jenkins/tasks/main.yml | 29 --------------------
 mongodb/tasks/main.yml | 27 ------------------
 newrelic/tasks/sources.yml | 24 ----------------
 squid/files/evolinux-whitelist-defaults.conf | 7 +++++
 squid/files/whitelist-evolinux.conf | 9 ++++--
 6 files changed, 14 insertions(+), 103 deletions(-)
diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml
index 526fbb07..20658ec2 100644
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@@ -53,24 +53,3 @@
     dest: /etc/cron.daily/certbot
     mode: "0755"
-- name: Find squid config whitelist
-  shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
-  failed_when: false
-  changed_when: false
-  check_mode: no
-  register: squid_whitelist_files
-
-- name: set squid_service_name=squid3 for Debian < 9
-  set_fact:
-    squid_service_name: squid3
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_release == "jessie"
-
-- name: Let's Encrypt OCSP server is authorized by squid
-  lineinfile:
-    dest: "{{ squid_whitelist_files.stdout_lines | first }}"
-    line: "http://.*.letsencrypt.org/.*"
-    state: present
-  notify: "reload {{ squid_service_name | default('squid') }}"
-  when: squid_whitelist_files.stdout != ""
diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml
index 83d3ec92..a1070229 100644
--- a/jenkins/tasks/main.yml
+++ b/jenkins/tasks/main.yml
@@ -4,35 +4,6 @@
     # url: https://jenkins-ci.org/debian/jenkins-ci.org.key
     data: "{{ lookup('file', 'jenkins.key') }}"
-- name: Find squid config whitelist
-  shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
-  failed_when: false
-  changed_when: false
-  check_mode: no
-  register: squid_whitelist_files
-
-- name: set squid_service_name=squid3 for Debian 8
-  set_fact:
-    squid_service_name: squid3
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_release == "jessie"
-
-- name: Append packages.dotdeb.org to Squid whitelist
-  lineinfile:
-    dest: "{{ squid_whitelist_files.stdout_lines | first }}"
-    line: "{{ item }}"
-    state: present
-  with_items:
-    - "http://pkg.jenkins-ci.org/.*"
-    - "http://mirrors.jenkins.io/.*"
-    - "http://jenkins.mirror.isppower.de/.*"
-    - "http://ftp.icm.edu.pl/.*"
-  notify: "reload {{ squid_service_name | default('squid') }}"
-  when: squid_whitelist_files.stdout != ""
-
-- meta: flush_handlers
-
 - name: Add jenkins APT repository
   apt_repository:
     repo: deb http://pkg.jenkins-ci.org/debian-stable binary/
diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml
index f222c799..42d7c385 100644
--- a/mongodb/tasks/main.yml
+++ b/mongodb/tasks/main.yml
@@ -1,32 +1,5 @@
 ---
 # tasks file for mongodb
-- name: Find squid config whitelist
-  shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
-  failed_when: false
-  changed_when: false
-  check_mode: no
-  register: squid_whitelist_files
-
-- name: set squid_service_name=squid3 for Debian 8
-  set_fact:
-    squid_service_name: squid3
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_release == "jessie"
-
-- name: Append packages.dotdeb.org to Squid whitelist
-  lineinfile:
-    dest: "{{ squid_whitelist_files.stdout_lines | first }}"
-    line: "{{ item }}"
-    state: present
-  with_items:
-    - "http://keyserver.ubuntu.com/.*"
-    - "hkp://keyserver.ubuntu.com/.*"
-    - "http://repo.mongodb.org/.*"
-  notify: "reload {{ squid_service_name | default('squid') }}"
-  when: squid_whitelist_files.stdout != ""
-
-- meta: flush_handlers
 # Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer
 - name: MongoDB public GPG Key
diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml
index 551fc8b5..b5b35fd0 100644
--- a/newrelic/tasks/sources.yml
+++ b/newrelic/tasks/sources.yml
@@ -5,30 +5,6 @@
     # url: https://download.newrelic.com/548C16BF.gpg
     data: "{{ lookup('file', '548C16BF.gpg') }}"
-- name: set squid_service_name=squid3 for Debian 8
-  set_fact:
-    squid_service_name: squid3
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_release == "jessie"
-
-- name: Find squid config whitelist
-  shell: find /etc/{{ squid_service_name | default('squid') }}/whitelist-custom.conf /etc/{{ squid_service_name | default('squid') }}/whitelist.conf 2> /dev/null
-  failed_when: false
-  changed_when: false
-  check_mode: no
-  register: squid_whitelist_files
-
-- name: Append packages.dotdeb.org to Squid whitelist
-  lineinfile:
-    dest: "{{ squid_whitelist_files.stdout_lines | first }}"
-    line: "http://apt.newrelic.com/.*"
-    state: present
-  notify: "reload {{ squid_service_name | default('squid') }}"
-  when: squid_whitelist_files.stdout != ""
-
-- meta: flush_handlers
-
 - name: Install NewRelic repository
   apt_repository:
     repo: "deb http://apt.newrelic.com/debian/ newrelic non-free"
diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf
index 310763e5..ada4fcdc 100644
--- a/squid/files/evolinux-whitelist-defaults.conf
+++ b/squid/files/evolinux-whitelist-defaults.conf
@@ -117,3 +117,10 @@
 ^www\.express-mailing\.com$
 ^bot\.whatismyipaddress\.com$
 ^ipecho\.net$
+^keyserver\.ubuntu\.com$
+^repo\.mongodb\.org$
+^pkg\.jenkins-ci\.org$
+^mirrors\.jenkins\.io$
+^jenkins\.mirror\.isppower\.de$
+^ftp\.icm\.edu\.pl$
+^apt\.newrelic\.com$
diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf
index f9691802..10bcd779 100644
--- a/squid/files/whitelist-evolinux.conf
+++ b/squid/files/whitelist-evolinux.conf
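Review bot: The Let's Encrypt OCSP pattern that the certbot hunk stops adding dynamically (`http://.*.letsencrypt.org/.*`) has no counterpart among the seven hosts appended to evolinux-whitelist-defaults.conf here, so unless a `letsencrypt\.org` entry already exists earlier in this file (outside the hunk), certbot's OCSP traffic through the proxy loses its allowance once the task is gone; the same gap applies to the whitelist-evolinux.conf hunk below. Moving the Jenkins, MongoDB and NewRelic repository hosts from per-role tasks into the defaults file also allows them from every host that ships this list rather than only the hosts running those roles, which is a wider egress allowlist than before and worth stating in the commit message. A comment such as `# Repository hosts used by the jenkins / mongodb / newrelic roles` above the new entries would record why third-party mirrors like `jenkins\.mirror\.isppower\.de` and `ftp\.icm\.edu\.pl` are allowed by default.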
@@ -117,5 +117,10 @@ http://.*icanhazip.com/.*
 http://www.express-mailing.com/.*
 http://bot.whatismyipaddress.com/.*
 http://ipecho.net/.*
-
-### Various / Manual entry
+http://keyserver.ubuntu.com/.*
+http://repo.mongodb.org/.*
+http://pkg.jenkins-ci.org/.*
+http://mirrors.jenkins.io/.*
+http://jenkins.mirror.isppower.de/.*
+http://ftp.icm.edu.pl/.*
+http://apt.newrelic.com/.*
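Review bot: The `hkp://keyserver.ubuntu.com/.*` pattern that the mongodb hunk removed has no replacement in this file — only `http://keyserver.ubuntu.com/.*` is added — so if the MongoDB key import is sent through the proxy as an hkp:// URL it will no longer match a URL-regex list; add `hkp://keyserver.ubuntu.com/.*` next to it, or confirm the role now fetches the key over plain HTTP. The removed `### Various / Manual entry` trailer and its blank line are not restored after the appended hosts, so hand-added entries lose their labelled place at the end of the file; keeping those two lines below the new block preserves that convention. The new patterns follow this file's existing unescaped, unanchored form (where `.` matches any character), which is looser than the `^…\.…$` style used in evolinux-whitelist-defaults.conf but consistent with the rest of this list rather than a new issue.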