review squid role whith https://wiki.evolix.org/HowtoSquid
parent
6526e88b9c
commit
32bcec3cc8
|
@ -1,6 +1,6 @@
|
||||||
# squid
|
# squid
|
||||||
|
|
||||||
Installation and configuration of Squid as an outgoing proxy.
|
Installation and configuration of Squid
|
||||||
|
|
||||||
## Tasks
|
## Tasks
|
||||||
|
|
||||||
|
@ -12,7 +12,9 @@ A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses
|
||||||
|
|
||||||
* `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ;
|
* `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ;
|
||||||
* `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ;
|
* `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ;
|
||||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
* `squid_localproxy_enable` : enable configuration for squid as local proxy (default: False) ;
|
||||||
|
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`) ;
|
||||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||||
|
|
||||||
|
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
|
@ -5,4 +5,4 @@ log2mail_alert_email: Null
|
||||||
squid_address: "{{ ansible_default_ipv4.address }}"
|
squid_address: "{{ ansible_default_ipv4.address }}"
|
||||||
squid_whitelist_items: []
|
squid_whitelist_items: []
|
||||||
|
|
||||||
squid_service_name: squid
|
squid_localproxy_enable: False
|
||||||
|
|
2
squid/files/default_squid
Normal file
2
squid/files/default_squid
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
CONFIG=/etc/squid/evolinux-defaults.conf
|
||||||
|
SQUID_ARGS="-YC -f $CONFIG"
|
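Review bot: `SQUID_ARGS="-YC -f $CONFIG"` only reaches invocations that source /etc/default/squid; any other `squid -k …` call issued without `-f` — notably `/usr/sbin/squid -k rotate` in templates/logrotate.j2 in this same commit — parses the stock /etc/squid/squid.conf instead of evolinux-defaults.conf, so the two configs must agree on the pid file for the signal to reach the running daemon. Whether the Debian 9 service unit actually reads /etc/default/squid should be confirmed; if it is a native systemd unit without an EnvironmentFile, these arguments are ignored and the stock configuration is what runs. Adding `-f /etc/squid/evolinux-defaults.conf` to the logrotate postrotate command keeps both paths consistent.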
35
squid/files/evolinux-defaults.conf
Normal file
35
squid/files/evolinux-defaults.conf
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
http_port 127.0.0.1:3128
|
||||||
|
coredump_dir /var/spool/squid
|
||||||
|
max_filedescriptors 4096
|
||||||
|
|
||||||
|
acl SSL_ports port 443
|
||||||
|
acl Safe_ports port 80 # http
|
||||||
|
acl Safe_ports port 21 # ftp
|
||||||
|
acl Safe_ports port 443 # https
|
||||||
|
acl Safe_ports port 70 # gopher
|
||||||
|
acl Safe_ports port 210 # wais
|
||||||
|
acl Safe_ports port 1025-65535 # unregistered ports
|
||||||
|
acl Safe_ports port 280 # http-mgmt
|
||||||
|
acl Safe_ports port 488 # gss-http
|
||||||
|
acl Safe_ports port 591 # filemaker
|
||||||
|
acl Safe_ports port 777 # multiling http
|
||||||
|
acl CONNECT method CONNECT
|
||||||
|
acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-defaults.conf"
|
||||||
|
acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-custom.conf"
|
||||||
|
include /etc/squid/evolinux-acl.conf
|
||||||
|
|
||||||
|
http_access deny !Safe_ports
|
||||||
|
http_access deny CONNECT !SSL_ports
|
||||||
|
http_access allow localhost manager
|
||||||
|
http_access deny manager
|
||||||
|
include /etc/squid/evolinux-httpaccess.conf
|
||||||
|
http_access allow localhost
|
||||||
|
http_access deny all
|
||||||
|
|
||||||
|
refresh_pattern ^ftp: 1440 20% 10080
|
||||||
|
refresh_pattern ^gopher: 1440 0% 1440
|
||||||
|
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
|
||||||
|
refresh_pattern . 0 20% 4320
|
||||||
|
|
||||||
|
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
||||||
|
access_log /var/log/squid/access.log combined
|
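Review bot: `acl Whitelist_domains` is defined twice here (both files union into one ACL, presumably intended) but no `http_access` line in this file references it; the only `deny !Whitelist_domains` rule is in evolinux-httpaccess.conf, which tasks/main.yml installs solely when `squid_localproxy_enable` is true and otherwise replaces with a comment-only file. With the role's default of False the `include /etc/squid/evolinux-httpaccess.conf` contributes nothing and `http_access allow localhost` grants unrestricted outgoing access, so the shipped whitelist and `squid_whitelist_items` have no effect in the default mode. If the whitelist is meant to apply regardless of proxy mode, place `http_access deny !Whitelist_domains` in this file directly before the include and leave only `http_access allow LOCAL` in the local-proxy file.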
2
squid/files/evolinux-httpaccess.conf
Normal file
2
squid/files/evolinux-httpaccess.conf
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
http_access deny !Whitelist_domains
|
||||||
|
http_access allow LOCAL
|
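Review bot: `http_access allow LOCAL` depends on an ACL that is not defined in this file but in the evolinux-acl.conf rendered from templates/evolinux-acl.conf.j2; both are gated on the same variable in tasks/main.yml, yet the coupling is invisible from here, and Squid refuses to start on an undefined ACL name. A leading comment such as `# LOCAL is defined in /etc/squid/evolinux-acl.conf (local-proxy mode only)` would document that dependency.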
119
squid/files/evolinux-whitelist-defaults.conf
Normal file
119
squid/files/evolinux-whitelist-defaults.conf
Normal file
|
@ -0,0 +1,119 @@
|
||||||
|
### Evolix & System
|
||||||
|
^.*\.evolix\.(net|org|com|fr)$
|
||||||
|
^.*\.debian\.org$
|
||||||
|
^www\.backports\.org$
|
||||||
|
^backports\.debian\.org$
|
||||||
|
^www\.kernel\.org$
|
||||||
|
^hwraid\.le-vert\.net$
|
||||||
|
^.*clamav\.net$
|
||||||
|
^spamassassin\.apache\.org$
|
||||||
|
^.*sa-update.*$
|
||||||
|
^pear\.php\.net$
|
||||||
|
|
||||||
|
# Let's Encrypt
|
||||||
|
^.*\.letsencrypt.org$
|
||||||
|
|
||||||
|
# Other OCSP endpoint
|
||||||
|
^ocsp\.usertrust\.com$
|
||||||
|
|
||||||
|
### CMS / Wordpress / Drupal / ...
|
||||||
|
# Wordpress
|
||||||
|
^.*akismet\.com$
|
||||||
|
^.*wordpress\.(org|com)$
|
||||||
|
^.*gravatar\.com$
|
||||||
|
^www\.wordpress-fr\.net$
|
||||||
|
^pixel\.wp\.com$
|
||||||
|
# Wordpress pingback
|
||||||
|
^rpc\.pingomatic\.com$
|
||||||
|
^blo\.gs$
|
||||||
|
^ping\.blo\.gs$
|
||||||
|
^ping\.baidu\.com$
|
||||||
|
^blogsearch\.google\.ru$
|
||||||
|
^ping\.pubsub\.com$
|
||||||
|
^rpc\.twingly\.com$
|
||||||
|
^api\.feedster\.com$
|
||||||
|
^api\.moreover\.com$
|
||||||
|
^api\.moreover\.com$
|
||||||
|
^www\.blogdigger\.com$
|
||||||
|
^www\.blogshares\.com$
|
||||||
|
^www\.blogsnow\.com$
|
||||||
|
^www\.blogstreet\.com$
|
||||||
|
^bulkfeeds\.net$
|
||||||
|
^www\.newsisfree\.com$
|
||||||
|
^ping\.feedburner\.com$
|
||||||
|
^ping\.syndic8\.com$
|
||||||
|
^ping\.weblogalot\.com$
|
||||||
|
^rpc\.blogrolling\.com$
|
||||||
|
^rpc\.technorati\.com$
|
||||||
|
^rpc\.weblogs\.com$
|
||||||
|
^www\.feedsubmitter\.com$
|
||||||
|
^www\.pingerati\.net$
|
||||||
|
^www\.pingmyblog\.com$
|
||||||
|
^geourl\.org$
|
||||||
|
^ipings\.com$
|
||||||
|
^www\.weblogalot\.com$
|
||||||
|
# Wordpress plugins
|
||||||
|
^.*wpml\.org$
|
||||||
|
^www\.wpcube\.co\.uk$
|
||||||
|
^.*wp-rocket\.me$
|
||||||
|
^www\.yithemes\.com$
|
||||||
|
^.*yoast\.com$
|
||||||
|
^yarpp\.org$
|
||||||
|
^repository\.kreaturamedia\.com$
|
||||||
|
^api\.wp-events-plugin\.com$
|
||||||
|
^updates\.themepunch\.com$
|
||||||
|
^themeisle\.com$
|
||||||
|
^download\.advancedcustomfields\.com$
|
||||||
|
^wpcdn\.io$
|
||||||
|
^vimeo\.com$
|
||||||
|
^api\.genesistheme\.com$
|
||||||
|
^www\.bolderelements\.net$
|
||||||
|
# Magento Plugins
|
||||||
|
^extensions\.activo\.com$
|
||||||
|
^amasty\.com$
|
||||||
|
# Joomla
|
||||||
|
^.*.joomla\.org$
|
||||||
|
^getk2\.org$
|
||||||
|
^miwisoft\.com$
|
||||||
|
^mijosoft\.com$
|
||||||
|
^www\.joomlaworks\.net$
|
||||||
|
^cdn\.joomlaworks\.org$
|
||||||
|
^download\.regularlabs\.com$
|
||||||
|
# Prestashop
|
||||||
|
^.*.prestashop\.com$
|
||||||
|
^www\.presta-module\.com$
|
||||||
|
^www\.presteamshop\.com$
|
||||||
|
# Others
|
||||||
|
^.*.drupal\.org$
|
||||||
|
^.*\.dotclear\.(net|org)$
|
||||||
|
^www\.phpbb\.com$
|
||||||
|
^www\.typolight\.org$
|
||||||
|
^www\.spip\.net$
|
||||||
|
|
||||||
|
### Feeds / API / WS Tools / ...
|
||||||
|
# Google
|
||||||
|
^.*\.googleapis\.com$
|
||||||
|
^.*\.google-analytics\.com$
|
||||||
|
^blogsearch\.google\.(com|fr)$
|
||||||
|
^csi\.gstatic\.com$
|
||||||
|
^maps\.google\..*$
|
||||||
|
^translate\.google\.com$
|
||||||
|
^www\.google\.com$
|
||||||
|
# Facebook
|
||||||
|
^.*\.facebook\.com$
|
||||||
|
^.*\.fbcdn\.net$
|
||||||
|
# Maxmind
|
||||||
|
^geolite\.maxmind\.com$
|
||||||
|
# Others
|
||||||
|
#^.*amazon.com$
|
||||||
|
^.*twitter\.com$
|
||||||
|
^.*feedburner\.com$
|
||||||
|
^.*openx\.(org|com|net)$
|
||||||
|
^geoip-api\.meteor\.com$
|
||||||
|
^www\.bing\.com$
|
||||||
|
^www\.telize\.com$
|
||||||
|
^.*ident\.me$
|
||||||
|
^.*icanhazip\.com$
|
||||||
|
^www\.express-mailing\.com$
|
||||||
|
^bot\.whatismyipaddress\.com$
|
||||||
|
^ipecho\.net$
|
|
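Review bot: Several entries are anchored only on a suffix or substring and therefore admit unrelated hosts into a `dstdom_regex -i` whitelist: `^.*clamav\.net$`, `^.*twitter\.com$` and `^.*feedburner\.com$` match any name that merely ends with that string, `^.*sa-update.*$` matches any name containing `sa-update`, and `^.*.joomla\.org$`, `^.*.prestashop\.com$`, `^.*.drupal\.org$` and `^.*\.letsencrypt.org$` leave a dot unescaped. The tighter form is `^(.*\.)?drupal\.org$` with every literal dot escaped, applied to each of these. `^api\.moreover\.com$` appears twice in the Wordpress pingback group and one copy can be dropped.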
@ -1,2 +0,0 @@
|
||||||
### Custom whitelist
|
|
||||||
# http://example.com/.*
|
|
|
@ -119,4 +119,3 @@ http://bot.whatismyipaddress.com/.*
|
||||||
http://ipecho.net/.*
|
http://ipecho.net/.*
|
||||||
|
|
||||||
### Various / Manual entry
|
### Various / Manual entry
|
||||||
http://.*.s3.amazonaws.com/.*
|
|
||||||
|
|
|
@ -2,5 +2,5 @@
|
||||||
- name: logrotate configuration
|
- name: logrotate configuration
|
||||||
template:
|
template:
|
||||||
src: logrotate.j2
|
src: logrotate.j2
|
||||||
dest: /etc/logrotate.d/{{ squid_daemon }}
|
dest: /etc/logrotate.d/{{ squid_daemoname }}
|
||||||
force: no
|
force: no
|
||||||
|
|
|
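Review bot: `{{ squid_daemoname }}` reads like a typo for `squid_daemon_name`; the same spelling is introduced in tasks/main.yml (the two `set_fact` tasks) and in the log2mail and logrotate templates of this commit, so renaming now is cheap. Since the value is only ever produced by `set_fact` in main.yml, this file only works when included from there; a comment at the top of logrotate.yml, `# requires squid_daemoname, set by set_fact in main.yml`, would make that dependency visible. The task's `force: no` also means a changed daemon name is never propagated to an already rendered file, which may be acceptable but is worth stating.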
@ -1,41 +1,128 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Include OS-specific variables
|
- fail:
|
||||||
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_release }}.yml"
|
msg: only compatible with Debian >= 8
|
||||||
|
when:
|
||||||
|
- ansible_distribution == "Debian"
|
||||||
|
- ansible_distribution_major_version | version_compare('8', '<')
|
||||||
|
|
||||||
- name: package is installed
|
- name: "Set squid name (jessie)"
|
||||||
|
set_fact:
|
||||||
|
squid_daemoname: squid3
|
||||||
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
- name: "Set squid name (Debian 9 or later)"
|
||||||
|
set_fact:
|
||||||
|
squid_daemoname: squid
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "Install Squid packages"
|
||||||
apt:
|
apt:
|
||||||
name: "{{ squid_package }}"
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
|
||||||
|
with_items:
|
||||||
|
- "{{ squid_daemoname }}"
|
||||||
|
- squidclient
|
||||||
|
|
||||||
- name: squid.conf is present
|
- name: "Set alternative config file (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
src: default_squid
|
||||||
|
dest: /etc/default/squid
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "squid.conf is present (jessie)"
|
||||||
template:
|
template:
|
||||||
src: squid.j2
|
src: squid.conf.j2
|
||||||
dest: "{{ squid_conf_file }}"
|
dest: /etc/squid3/squid.conf
|
||||||
notify: "restart {{ squid_daemon }}"
|
notify: "restart squid3"
|
||||||
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: evolix whitelist is present
|
- name: "evolix whitelist is present (jessie)"
|
||||||
copy:
|
copy:
|
||||||
src: whitelist-evolinux.conf
|
src: whitelist-evolinux.conf
|
||||||
dest: "{{ squid_conf_path }}/whitelist-evolinux.conf"
|
dest: /etc/squid3/whitelist.conf
|
||||||
force: yes
|
notify: "reload squid3"
|
||||||
notify: "reload {{ squid_daemon }}"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: custom whitelist is present
|
- name: "evolinux custom squid file (Debian 9 or later)"
|
||||||
copy:
|
copy:
|
||||||
src: whitelist-custom.conf
|
src: evolinux-defaults.conf
|
||||||
dest: "{{ squid_conf_path }}/whitelist-custom.conf"
|
dest: /etc/squid/evolinux-defaults.conf
|
||||||
|
notify: "restart squid"
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux defaults whitelist (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
src: evolinux-whitelist-defaults.conf
|
||||||
|
dest: /etc/squid/evolinux-whitelist-defaults.conf
|
||||||
|
notify: "reload squid"
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux custom whitelist (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||||
|
content: |
|
||||||
|
# Put customized values here.
|
||||||
force: no
|
force: no
|
||||||
notify: "reload {{ squid_daemon }}"
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux acl for local proxy (Debian 9 or later)"
|
||||||
|
template:
|
||||||
|
src: evolinux-acl.conf.j2
|
||||||
|
dest: /etc/squid/evolinux-acl.conf
|
||||||
|
force: no
|
||||||
|
notify: "reload squid"
|
||||||
|
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux custom acl (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
dest: /etc/squid/evolinux-acl.conf
|
||||||
|
content: |
|
||||||
|
# Put customized values here.
|
||||||
|
force: no
|
||||||
|
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux http_access for local proxy (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
src: evolinux-httpaccess.conf
|
||||||
|
dest: /etc/squid/evolinux-httpaccess.conf
|
||||||
|
force: no
|
||||||
|
notify: "reload squid"
|
||||||
|
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux custom http_access (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
dest: /etc/squid/evolinux-httpaccess.conf
|
||||||
|
content: |
|
||||||
|
# Put customized values here.
|
||||||
|
force: no
|
||||||
|
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux overrides for local proxy (Debian 9 or later)"
|
||||||
|
template:
|
||||||
|
src: evolinux-custom.conf.j2
|
||||||
|
dest: /etc/squid/evolinux-custom.conf
|
||||||
|
force: no
|
||||||
|
notify: "reload squid"
|
||||||
|
when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "evolinux custom overrides (Debian 9 or later)"
|
||||||
|
copy:
|
||||||
|
dest: /etc/squid/evolinux-custom.conf
|
||||||
|
content: |
|
||||||
|
# Put customized values here.
|
||||||
|
force: no
|
||||||
|
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: add some URL in whitelist
|
- name: add some URL in whitelist
|
||||||
lineinfile:
|
lineinfile:
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
dest: "{{ squid_conf_path }}/whitelist-custom.conf"
|
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
with_items: '{{ squid_whitelist_items }}'
|
with_items: '{{ squid_whitelist_items }}'
|
||||||
notify: "reload {{ squid_daemon }}"
|
notify: "reload squid"
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- include: logrotate.yml
|
- include: logrotate.yml
|
||||||
|
|
||||||
|
|
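Review bot: The task pairs that write the same destination under opposite conditions (`evolinux acl for local proxy` / `evolinux custom acl`, and likewise for evolinux-httpaccess.conf and evolinux-custom.conf) all carry `force: no`, so once a host has been configured, flipping `squid_localproxy_enable` never rewrites those files and the previous mode's ACL and http_access rules remain in force. Either drop `force: no` on the local-proxy variants, whose content is role-owned, or document that the three files must be removed by hand when the mode changes. The `- fail:` task is the only one without a `name:`, and `when: squid_localproxy_enable == False` reads more idiomatically as `when: not squid_localproxy_enable`.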
1
squid/templates/evolinux-acl.conf.j2
Normal file
1
squid/templates/evolinux-acl.conf.j2
Normal file
|
@ -0,0 +1 @@
|
||||||
|
acl LOCAL src {{ squid_address }}/32
|
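Review bot: `acl LOCAL src {{ squid_address }}/32` hard-codes an IPv4 host mask while `squid_address` is a user-overridable variable the README documents only as "IP address", so an IPv6 value produces an invalid ACL and Squid will not start; Squid treats a bare address in `src` as a single host, so `acl LOCAL src {{ squid_address }}` covers both families. The jessie template keeps the same `/32` pattern. This template is also deployed with `force: no`, so a later change to `squid_address` is not propagated to the rendered file.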
4
squid/templates/evolinux-custom.conf.j2
Normal file
4
squid/templates/evolinux-custom.conf.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
http_port 8888 transparent
|
||||||
|
cache deny all
|
||||||
|
ignore_expect_100 on
|
||||||
|
tcp_outgoing_address {{ squid_address }}
|
|
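Review bot: Nothing in this commit loads this file: evolinux-defaults.conf, which is complete in this diff, includes only evolinux-acl.conf and evolinux-httpaccess.conf, so `http_port 8888 transparent`, `cache deny all` and `tcp_outgoing_address {{ squid_address }}` are written to /etc/squid/evolinux-custom.conf but never take effect unless some file outside this commit includes it. Adding `include /etc/squid/evolinux-custom.conf` to evolinux-defaults.conf would close that gap. Separately, `http_port 8888 transparent` binds on every interface because no address is given, whereas the primary port is `127.0.0.1:3128`; if only locally redirected traffic is expected, `http_port 127.0.0.1:8888 transparent` keeps the exposure consistent, and `transparent` is a legacy spelling of `intercept` in Squid 3.x that may be flagged as deprecated — confirm on the target version.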
@ -1,4 +1,4 @@
|
||||||
file = /var/log/squid3/access.log
|
file = /var/log/{{ squid_daemoname }}/access.log
|
||||||
pattern = "TCP_DENIED"
|
pattern = "TCP_DENIED"
|
||||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||||
template = /etc/log2mail/mail
|
template = /etc/log2mail/mail
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/var/log/{{ squid_daemon }}/*.log {
|
/var/log/{{ squid_daemoname }}/*.log {
|
||||||
monthly
|
monthly
|
||||||
compress
|
compress
|
||||||
rotate 12
|
rotate 12
|
||||||
|
@ -6,6 +6,6 @@
|
||||||
create 640 proxy adm
|
create 640 proxy adm
|
||||||
sharedscripts
|
sharedscripts
|
||||||
postrotate
|
postrotate
|
||||||
test ! -e /var/run/{{ squid_daemon }}.pid || /usr/sbin/{{ squid_daemon }} -k rotate
|
test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
|
||||||
endscript
|
endscript
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,8 +8,7 @@ acl localhost src 127.0.0.0/32
|
||||||
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
||||||
acl Safe_ports port 80 # http
|
acl Safe_ports port 80 # http
|
||||||
acl SSL_ports port 443 563
|
acl SSL_ports port 443 563
|
||||||
acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-evolinux.conf"
|
acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
|
||||||
acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-custom.conf"
|
|
||||||
http_access deny !WHITELIST
|
http_access deny !WHITELIST
|
||||||
http_access allow INTERNE
|
http_access allow INTERNE
|
||||||
http_access deny all
|
http_access deny all
|
||||||
|
@ -17,4 +16,4 @@ tcp_outgoing_address {{ squid_address }}
|
||||||
|
|
||||||
# Logs
|
# Logs
|
||||||
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
||||||
access_log {{ squid_log_path }}/access.log combined
|
access_log /var/log/squid3/access.log combined
|
|
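Review bot: The second `acl WHITELIST url_regex` line for whitelist-custom.conf is dropped here while the `add some URL in whitelist` task in tasks/main.yml is now gated on Debian >= 9, so on jessie `squid_whitelist_items` is silently ignored and only the shipped whitelist.conf applies. Either keep a jessie custom-whitelist file and its ACL line, or state in the README that the variable only has effect on Debian 9 or later. The enclosing template continues outside both hunks.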
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
squid_package: squid3
|
|
||||||
squid_daemon: squid3
|
|
||||||
squid_conf_path: /etc/squid3
|
|
||||||
squid_conf_file: /etc/squid3/squid.conf
|
|
||||||
squid_log_path: /var/log/squid3
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
squid_package: squid
|
|
||||||
squid_daemon: squid
|
|
||||||
squid_conf_path: /etc/squid
|
|
||||||
squid_conf_file: /etc/squid/squid.conf
|
|
||||||
squid_log_path: /var/log/squid
|
|