Remove http_access for non existing acl
This commit is contained in:
parent
dba7ec36d0
commit
cc908f4b44
|
@ -2,11 +2,11 @@ FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
|
|||
MAINTAINER [[ .docker.maintainer ]]
|
||||
|
||||
ENV SQUID_CONFDIR=/etc/squid \
|
||||
SQUID_CONF_acl_10="safe_ports port 80 443 21" \
|
||||
SQUID_CONF_acl_11="ssl_ports port 443 8443 8006 8007" \
|
||||
SQUID_CONF_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
|
||||
SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\
|
||||
SQUID_CONF_http_access_1000="allow all"
|
||||
SQUID_CONF_20_acl_10="safe_ports port 80 443 21" \
|
||||
SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007" \
|
||||
SQUID_CONF_20_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
|
||||
SQUID_CONF_100_http_access="deny CONNECT !ssl_ports"\
|
||||
SQUID_CONF_1000_http_access="allow all"
|
||||
|
||||
RUN set -eux &&\
|
||||
apk --no-cache upgrade &&\
|
||||
|
|
|
@ -3,18 +3,17 @@
|
|||
set -e
|
||||
|
||||
mkdir -p ${SQUID_CONFDIR}
|
||||
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
|
||||
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
|
||||
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
|
||||
done
|
||||
|
||||
mkdir -p ${SQUID_CONFDIR}/conf.d
|
||||
if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
|
||||
for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
|
||||
for LIST in $(ls ${CATEGORY}/*.list); do
|
||||
CATEGORY=$(basename ${CATEGORY})
|
||||
ACL=$(basename ${LIST} .list)
|
||||
echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
|
||||
echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
|
||||
echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
|
||||
echo "acl ${ACL} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
|
|
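Review bot: `for LIST in $(ls ${CATEGORY}/*.list)` parses ls output and word-splits it, and `CATEGORY=$(basename ${CATEGORY})` on the next line overwrites the outer loop variable with a bare name mid-iteration, which only works because the ls list was expanded once; use the glob directly, `for LIST in "${CATEGORY}"/*.list; do` followed by `[ -e "${LIST}" ] || continue` for the no-match case, and a separate `CATEGORY_NAME=$(basename "${CATEGORY}")` for the two `acl ${CATEGORY}` lines. `[ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]` uses the obsolescent `-a`; `[ -n "${SQUID_LISTS_DIR}" ] && [ -d "${SQUID_LISTS_DIR}" ]` is the portable form. Because the acl lines are appended with `>>`, a second run of this script duplicates them unless env.conf is truncated first, which the reload script appears to do but the container entrypoint may not. This script keeps `set -e` while the new sibling scripts use `set -euo pipefail`; aligning them would be consistent. The enclosing script starts before this hunk.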
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
|
||||
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
|
||||
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
|
||||
done
|
||||
|
|
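Review bot: `htpasswd -b` passes each user's password as a command-line argument, so for the duration of the call it is readable from /proc/&lt;pid&gt;/cmdline by any process in the container and shows up in shell traces; if the image's htpasswd supports it, feed it on stdin instead: `printenv "SQUID_USER_${USER}" | htpasswd -i -B "${SQUID_CONFDIR}/auth" "${USER}"`. The expansions `${SQUID_CONFDIR}/auth` and `${USER}` on that line are unquoted. `set -o pipefail` under `#!/bin/sh` relies on the shell being busybox ash (as on the alpine base image) rather than a strict POSIX sh, and with it the `printenv | grep | sed` list exits 1 when no `SQUID_USER_` variables exist — worth confirming that this does not abort the script under `set -e`. htpasswd without `-c` refuses to create a missing file, so the first run presumably depends on `${SQUID_CONFDIR}/auth` already existing — confirm.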
@ -22,13 +22,36 @@ job [[ $c.instance | toJSON ]] {
|
|||
image = [[ .squid.image | toJSON ]]
|
||||
#readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
volumes = [
|
||||
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
||||
]
|
||||
}
|
||||
|
||||
env {
|
||||
SQUID_LISTS_DIR = "/local/lists"
|
||||
SQUID_CONF_0_include_0 = "/secrets/squid/conf.d/*.conf"
|
||||
SQUID_CONF_auth_param_0 = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
|
||||
SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"
|
||||
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
|
||||
SQUID_CONF_5_acl = "ssl_ports port [[ join .squid.ssl_ports " " ]]"
|
||||
SQUID_CONF_40_include = "/secrets/squid/conf.d/*.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/filter_acl.sh.tpl" . ]]
|
||||
_EOT
|
||||
destination = "local/filter-acl.sh"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
perms = 755
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/reload.sh.tpl" . ]]
|
||||
_EOT
|
||||
destination = "local/reload.sh"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
perms = 755
|
||||
}
|
||||
|
||||
template {
|
||||
|
@ -50,8 +73,10 @@ _EOT
|
|||
uid = 100000
|
||||
gid = 100031
|
||||
perms = 0640
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
change_mode = "script"
|
||||
change_script {
|
||||
command = "/local/reload.sh"
|
||||
}
|
||||
}
|
||||
|
||||
[[- range $k, $v := .squid.lists ]]
|
||||
|
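Review bot: The `change_script` block here (and the identical one in the list templates hunk at `@ -69,8 +94,10 @@`) sets neither `fail_on_error` nor `timeout`; as far as I recall `fail_on_error` defaults to false, so a failing `/local/reload.sh` (for example when `squid -k parse` rejects the regenerated config) is only logged while the allocation stays healthy and squid keeps running stale rules. Consider adding `fail_on_error = true` and an explicit `timeout` inside the block so a broken reload surfaces. The enclosing template block starts before this hunk.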
@ -69,8 +94,10 @@ _EOT
|
|||
[[ $v.content ]]
|
||||
_EOT
|
||||
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
change_mode = "script"
|
||||
change_script {
|
||||
command = "/local/reload.sh"
|
||||
}
|
||||
}
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Remove any line containing auth_XXX acl not present in /secrets/squid/conf.d/acl.conf
|
||||
IFS=$'\n'
|
||||
for LINE in $(grep -E "http_access .* auth_.*" /etc/squid/conf.d/env.conf); do
|
||||
ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\s]+).*/\1/')
|
||||
if ! grep -q ${ACL} /secrets/squid/conf.d/acl.conf; then
|
||||
echo "Remove ${LINE} from /etc/squid/conf.d/env.conf because acl ${ACL} doesn't exist"
|
||||
sed -i -E "/.*${ACL}.*/d" /etc/squid/conf.d/env.conf
|
||||
fi
|
||||
done
|
||||
|
|
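Review bot: The capture `(auth_[^\s]+)` on the `ACL=` line truncates any ACL name containing the letter s, because inside a bracket expression in POSIX ERE `\s` is the two literal characters `\` and `s`, not whitespace; an `http_access allow auth_users` line therefore yields `ACL=auth_u`, the unquoted `grep -q ${ACL}` existence check then matches any acl whose name merely contains that substring, and the unanchored `sed "/.*${ACL}.*/d"` deletes every line containing it — the same substring problem applies even to correctly captured names (`auth_foo` versus `auth_foobar`). Negated references (`deny !auth_x`) are skipped by the grep, which requires a space directly before `auth_`. `IFS=$'\n'` is ANSI-C quoting that not every /bin/sh implements (dash takes it literally), so the rewrite below reads lines with `while read` instead, uses `[[:space:]]`, and anchors both the existence check and the deletion to the acl name. grep exits 1 when nothing matches, so the pipeline is guarded with `|| true` to keep `set -euo pipefail` from aborting the reload when no auth_ rules are present.
```sh
# … unchanged: shebang, set -euo pipefail, header comment …
ENV_CONF=/etc/squid/conf.d/env.conf
ACL_CONF=/secrets/squid/conf.d/acl.conf
# grep returns 1 when no http_access line references an auth_ acl; that is not an error here
{ grep -E '^http_access .*[[:space:]]!?auth_' "${ENV_CONF}" || true; } | while IFS= read -r LINE; do
  ACL=$(printf '%s\n' "${LINE}" | sed -E 's/^http_access .*[[:space:]]!?(auth_[^[:space:]]+).*/\1/')
  if ! grep -qE "^acl[[:space:]]+${ACL}[[:space:]]" "${ACL_CONF}"; then
    echo "Remove ${LINE} from ${ENV_CONF} because acl ${ACL} doesn't exist"
    sed -i -E "/^http_access .*[[:space:]]!?${ACL}([[:space:]]|$)/d" "${ENV_CONF}"
  fi
done
```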
@ -0,0 +1,13 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Empty the env.conf fragment and recreate it from env vars
|
||||
> /etc/squid/conf.d/env.conf
|
||||
/entrypoint.d/10-squid-conf.sh
|
||||
/entrypoint.d/30-filter-acl.sh
|
||||
|
||||
# Parse squid config and if OK, reload
|
||||
if squid -k parse -f /etc/squid/squid.conf; then
|
||||
killall -HUP squid
|
||||
fi
|
|
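Review bot: When `squid -k parse` fails the script exits 0 without saying so, so Nomad's change_script sees a successful reload while squid keeps running the previous rules and the on-disk env.conf already holds the rejected fragment; add an else branch, `else` / `echo "squid config parse failed, not reloading" >&2` / `exit 1`, so the failure is visible (and can stop the allocation if `fail_on_error` is set on the template). The truncation `> /etc/squid/conf.d/env.conf` happens before regeneration, so an error in `10-squid-conf.sh` under `set -e` leaves an empty fragment on disk; generating into a temporary file and moving it into place would avoid that, though it needs `10-squid-conf.sh` to accept the target path. `killall -HUP squid` signals every process named squid; `squid -k reconfigure -f /etc/squid/squid.conf` addresses the master process through its pid file and is the natural counterpart of the `-k parse` already used here.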
@ -5,7 +5,7 @@ squid:
|
|||
instance: squid
|
||||
|
||||
# Docker image to use
|
||||
image: danielberteaud/squid:23.10-1
|
||||
image: danielberteaud/squid:23.10-6
|
||||
|
||||
# Resources
|
||||
resources:
|
||||
|
@ -31,11 +31,11 @@ squid:
|
|||
# # We can restrict it to localhost
|
||||
# SQUID_CONF_http_access_21: allow localhost white
|
||||
env:
|
||||
SQUID_CONF_acl_10: auth proxy_auth REQUIRED
|
||||
SQUID_CONF_http_access_20: deny !auth all
|
||||
SQUID_CONF_http_access_21: allow localhost white
|
||||
SQUID_CONF_http_access_22: deny black
|
||||
SQUID_CONF_http_access_200: deny all
|
||||
SQUID_CONF_10_acl: auth proxy_auth REQUIRED
|
||||
SQUID_CONF_101_http_access: deny !auth all
|
||||
SQUID_CONF_102_http_access: allow localhost white
|
||||
SQUID_CONF_103_http_access: deny black
|
||||
SQUID_CONF_999_http_access: deny all
|
||||
|
||||
# List of destination ports for which squid will allow tunneling using CONNECT
|
||||
ssl_ports:
|
||||
|
@ -78,6 +78,8 @@ squid:
|
|||
category: white
|
||||
blacklist:
|
||||
content: |
|
||||
# Add an fake domain to prevents warnings in case Consul has no blacklist entry
|
||||
.nonexistingdomain
|
||||
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
||||
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
||||
{{- end }}
|
||||
|
|
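Review bot: The `# Add an fake domain …` line sits inside the `content: |` block scalar, so it is written verbatim into the rendered `.list` file rather than staying in this values file; squid's dstdomain file parser is expected to skip `#` lines, but confirm that against the squid version in the image or move the comment above `blacklist:`. The wording should read `# Add a fake domain to prevent warnings in case Consul has no blacklist entry`.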