diff --git a/hosts b/hosts index f6312ae..90ec284 100644 --- a/hosts +++ b/hosts @@ -96,6 +96,8 @@ smtp1.pyrocufflink.blue [smtp-relay:children] zabbix-server +[squid] + [zabbix-server] zbx0.pyrocufflink.blue diff --git a/roles/squid/defaults/main.yml b/roles/squid/defaults/main.yml new file mode 100644 index 0000000..7edc835 --- /dev/null +++ b/roles/squid/defaults/main.yml @@ -0,0 +1,7 @@ +squid_max_object_size: 4096 MB +squid_cache_replacement_policy: heap LFUDA +squid_cache_dir_type: aufs +squid_cache_dir: /var/cache/squid +squid_cache_dir_max_size: 51200 +squid_cache_dir_l1: 16 +squid_cache_dir_l2: 256 diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml new file mode 100644 index 0000000..5bca94b --- /dev/null +++ b/roles/squid/handlers/main.yml @@ -0,0 +1,6 @@ +- name: reload squid + service: + name=squid + state=reloaded +- name: save firewalld configuration + command: firewall-cmd --runtime-to-permanent diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml new file mode 100644 index 0000000..f6bc187 --- /dev/null +++ b/roles/squid/tasks/main.yml 
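Review bot: The new role defaults carry no comments, so a reader of roles/squid/defaults/main.yml cannot tell which values are passed verbatim as Squid directive arguments and what units they are in. `squid_max_object_size: 4096 MB` and `squid_cache_replacement_policy: heap LFUDA` are whole directive arguments (the unit suffix is part of the value), while `squid_cache_dir_max_size: 51200` is the cache_dir size in megabytes and `squid_cache_dir_l1`/`squid_cache_dir_l2` are the swap subdirectory counts. I would add a comment above each group, e.g. `# passed verbatim to maximum_object_size; Squid needs the unit suffix` and `# cache_dir size in MB, followed by the L1/L2 swap subdirectory counts`, so an override in host_vars is not silently written as a bare number or a different unit.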
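Review bot: Both handlers in roles/squid/handlers/main.yml pass module arguments as `key=value` fragments split over indented lines, which YAML folds into one plain scalar before Ansible parses it; this works but hides typos (a mis-spelled key is only caught at runtime) and defeats linting of the argument names. The native mapping form is `service:` / `name: squid` / `state: reloaded`, and the same rewrite applies to every task in roles/squid/tasks/main.yml, which uses the same `k=v` style under `package`, `file`, `template`, `command`, `service` and `firewalld`. Since these are new files, converting them in this commit avoids a later whole-file churn.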
@@ -0,0 +1,48 @@
+- name: ensure squid is installed
+ package:
+ name=squid
+ state=present
+ tags:
+ - install
+
+- name: ensure squid cache dir exists
+ file:
+ path={{ squid_cache_dir }}
+ owner=squid
+ group=squid
+ mode=0750
+ setype=squid_cache_t
+ state=directory
+
+- name: ensure squid is configured
+ template:
+ src=squid.conf.j2
+ dest=/etc/squid/squid.conf
+ mode=0640
+ owner=root
+ group=squid
+ setype=squid_conf_t
+ notify: reload squid
+
+- name: ensure squid cache directory exists
+ command:
+ /usr/sbin/squid -N -z -F -f /etc/squid/squid.conf
+ creates={{ squid_cache_dir }}/00
+
+- meta: flush_handlers
+- name: ensure squid service starts at boot
+ service:
+ name=squid
+ enabled=yes
+- name: ensure squid is running
+ service:
+ name=squid
+ state=started
+
+- name: ensure proxy is allowed through firewall
+ firewalld:
+ port=3128/tcp
+ permanent=no
+ immediate=yes
+ state=enabled
+ notify: save firewalld configuration
diff --git a/roles/squid/templates/squid.conf.j2 b/roles/squid/templates/squid.conf.j2
new file mode 100644
index 0000000..06a07a1
--- /dev/null
+++ b/roles/squid/templates/squid.conf.j2
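Review bot: The firewall task opens 3128/tcp with `permanent=no` and `immediate=yes` and relies on the `save firewalld configuration` handler to persist it, which couples the rule's persistence to the play completing: if the play fails between this task and the handler run, the port is open only until the next reboot, and `firewall-cmd --runtime-to-permanent` also persists every other runtime change present on the host, not just this one. Setting `permanent=yes` and `immediate=yes` on the firewalld task itself, and dropping the `notify`, makes the rule's persistence part of the task that creates it and is idempotent on its own. Separately, the two tasks named `ensure squid cache dir exists` and `ensure squid cache directory exists` read as duplicates in play output although the second one initialises the swap directories via `squid -z`; naming it `ensure squid cache directory is initialized` would make the `creates={{ squid_cache_dir }}/00` guard self-explanatory. The `meta: flush_handlers` before the service is started means `reload squid` can fire on a stopped service on first run; I believe the service module turns a reload of a stopped service into a start, but that is worth confirming on the target Ansible version.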
@@ -0,0 +1,81 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+access_log syslog:daemon.info
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+maximum_object_size {{ squid_max_object_size }}
+cache_replacement_policy {{ squid_cache_replacement_policy }}
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir {{ squid_cache_dir_type }} {{ squid_cache_dir }} {{ squid_cache_dir_max_size }} {{ squid_cache_dir_l1 }} {{ squid_cache_dir_l2 }}
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# Never cache objects from internal servers
+refresh_pattern \.{{ ansible_domain|replace('.', '\\.') }} 0 0% 0
+# Never cache Yum repository metadata files
+refresh_pattern repomd.xml 0 0% 0
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
diff --git a/squid.yml b/squid.yml
new file mode 100644
index 0000000..37629bd
--- /dev/null
+++ b/squid.yml
@@ -0,0 +1,3 @@
+- hosts: squid
+ roles:
+ - squid
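Review bot: `http_access deny to_localhost` is left commented out in squid.conf.j2 while `http_access allow localnet` admits every RFC1918 range plus fc00::/7 and fe80::/10, so any client on those networks can use the proxy to reach services bound to the loopback address of the proxy host itself; the template's own comment above that line recommends enabling it. Since the template already relies on the built-in `localhost` ACL rather than defining it, the built-in `to_localhost` ACL should be available on the same Squid versions, and I would uncomment it as `http_access deny to_localhost` ahead of the allow rules, or define it explicitly if the deployed Squid predates the built-in. Further down, `coredump_dir /var/spool/squid` is hard-coded under the comment "Leave coredumps in the first cache dir" even though the cache dir is now `{{ squid_cache_dir }}` (default /var/cache/squid) and the role never creates /var/spool/squid; `coredump_dir {{ squid_cache_dir }}` keeps the directive consistent with the comment and with the directory the tasks create. The comment "Uncomment and adjust the following to add a disk cache directory." above the now-active `cache_dir` line is stale and could simply be dropped.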
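Review bot: squid.yml runs the `squid` role without `become`, yet the role installs a package, writes /etc/squid/squid.conf as root:squid, initialises the cache directory, manages the service and changes firewalld, all of which need root on the target; unless privilege escalation is set globally in ansible.cfg or inventory (not visible in this diff), the play will fail at the first task. Adding `become: true` to the play, e.g. `- hosts: squid` / `  become: true` / `  roles:` / `    - squid`, makes the requirement explicit in the play itself. Note also that the `[squid]` inventory group added in hosts is empty in this commit, so the play is a no-op until a host is assigned to it.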