Remove http_access for non existing acl

This commit is contained in:
Daniel Berteaud 2023-10-18 14:52:04 +02:00
parent dba7ec36d0
commit cc908f4b44
7 changed files with 86 additions and 22 deletions


@ -2,11 +2,11 @@ FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
MAINTAINER [[ .docker.maintainer ]]
ENV SQUID_CONFDIR=/etc/squid \
SQUID_CONF_acl_10="safe_ports port 80 443 21" \
SQUID_CONF_acl_11="ssl_ports port 443 8443 8006 8007" \
SQUID_CONF_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\
SQUID_CONF_http_access_1000="allow all"
SQUID_CONF_20_acl_10="safe_ports port 80 443 21" \
SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007" \
SQUID_CONF_20_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
SQUID_CONF_100_http_access="deny CONNECT !ssl_ports"\
SQUID_CONF_1000_http_access="allow all"
RUN set -eux &&\
apk --no-cache upgrade &&\
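Review bot: The renumbered defaults still define `safe_ports` and `rfc1918_dst` (SQUID_CONF_20_acl_10 / _12) without any default `http_access` line using them, so the image's built-in policy is just `deny CONNECT !ssl_ports` followed by `allow all`; unless rules outside this hunk reference them, a `SQUID_CONF_101_http_access="deny !safe_ports"` default in the same ENV block would give the stock squid fail-closed behaviour. Whether the `SQUID_CONF_<n>_...` keys are ordered by numeric prefix or by lexical env-var order is decided by a generator script not in this diff, and it determines whether `1000_http_access` really ends up last; a one-line comment above the ENV block stating the sort order would make that contract explicit. On the context line, `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors=...`. The RUN instruction that starts on the last two lines continues past the hunk.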


@ -3,18 +3,17 @@
set -e
mkdir -p ${SQUID_CONFDIR}
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
done
mkdir -p ${SQUID_CONFDIR}/conf.d
if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
for LIST in $(ls ${CATEGORY}/*.list); do
CATEGORY=$(basename ${CATEGORY})
ACL=$(basename ${LIST} .list)
echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
echo "acl ${ACL} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
done
done
fi
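Review bot: The acl written by the new `echo "acl ${ACL} dstdomain ..."` line is now named after the list file (`basename ${LIST} .list`) instead of the category, but the values file in this same commit still references `white` and `black` in its http_access rules while its list keys appear to be `whitelist`/`blacklist`; if that reading is right, `http_access allow localhost white` names an acl that is never defined and `squid -k parse` will reject the config, so either keep the category-based name or rename the references to match. `for LIST in $(ls ${CATEGORY}/*.list)` parses ls output and word-splits on spaces; `for LIST in "${CATEGORY}"/*.list; do [ -e "${LIST}" ] || continue` iterates safely, and `${LIST}`/`${ACL}` should be quoted where they are expanded into the echo and the config line. If `CATEGORY=$(basename ${CATEGORY})` survives on the new side it no longer has a reader and can go. The script continues before and after this hunk.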


@ -0,0 +1,9 @@
#!/bin/sh
set -euo pipefail
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
done
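Review bot: `htpasswd -b` on the htpasswd line passes the password as a command-line argument, where any process in the container can read it from the process list for the duration of the call; reading it from stdin avoids that: `printenv "SQUID_USER_${USER}" | htpasswd -i -B "${SQUID_CONFDIR}/auth" "${USER}"`. Without `-c`, htpasswd fails when the auth file does not exist yet, and nothing in this script creates `${SQUID_CONFDIR}` or the file, so its run order relative to whichever script does the `mkdir -p ${SQUID_CONFDIR}` matters and deserves a comment at the top. `set -euo pipefail` under `#!/bin/sh` only works on shells that implement `pipefail` (busybox ash on the alpine base appears to, a plain POSIX sh need not); the same applies to the two other new scripts in this commit. `${USER}` and `${SQUID_CONFDIR}` should be quoted where expanded.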


@ -22,13 +22,36 @@ job [[ $c.instance | toJSON ]] {
image = [[ .squid.image | toJSON ]]
#readonly_rootfs = true
pids_limit = 100
volumes = [
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
]
}
env {
SQUID_LISTS_DIR = "/local/lists"
SQUID_CONF_0_include_0 = "/secrets/squid/conf.d/*.conf"
SQUID_CONF_auth_param_0 = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
SQUID_CONF_5_acl = "ssl_ports port [[ join .squid.ssl_ports " " ]]"
SQUID_CONF_40_include = "/secrets/squid/conf.d/*.conf"
}
template {
data =<<_EOT
[[ template "squid/filter_acl.sh.tpl" . ]]
_EOT
destination = "local/filter-acl.sh"
uid = 100000
gid = 100000
perms = 755
}
template {
data =<<_EOT
[[ template "squid/reload.sh.tpl" . ]]
_EOT
destination = "local/reload.sh"
uid = 100000
gid = 100000
perms = 755
}
template {
@ -50,8 +73,10 @@ _EOT
uid = 100000
gid = 100031
perms = 0640
change_mode = "signal"
change_signal = "SIGHUP"
change_mode = "script"
change_script {
command = "/local/reload.sh"
}
}
[[- range $k, $v := .squid.lists ]]
@ -69,8 +94,10 @@ _EOT
[[ $v.content ]]
_EOT
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
change_mode = "signal"
change_signal = "SIGHUP"
change_mode = "script"
change_script {
command = "/local/reload.sh"
}
}
[[- end ]]
[[- end ]]
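Review bot: `SQUID_CONF_5_acl = "ssl_ports port ..."` in the env block adds a second `acl ssl_ports port` line alongside the image default `SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007"` set by the Dockerfile in this commit; squid merges acl lines sharing a name, so the job can only widen the CONNECT port list and never narrow it below the image default (assuming the generator emits both, which is not visible here). Overriding the same key instead, `SQUID_CONF_20_acl_11 = "ssl_ports port [[ join .squid.ssl_ports " " ]]"`, makes the job value authoritative. The two new `change_script` blocks call `/local/reload.sh` with defaults, so a failing reload is not surfaced to Nomad unless `fail_on_error = true` is set; that choice should be explicit either way. The new template blocks use the bare number `perms = 755` where the existing block uses `0640` and the documented form is a quoted string; `perms = "755"` keeps the octal reading unambiguous.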


@ -0,0 +1,14 @@
#!/bin/sh
set -euo pipefail
# Remove any line containing auth_XXX acl not present in /secrets/squid/conf.d/acl.conf
IFS=$'\n'
for LINE in $(grep -E "http_access .* auth_.*" /etc/squid/conf.d/env.conf); do
ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\s]+).*/\1/')
if ! grep -q ${ACL} /secrets/squid/conf.d/acl.conf; then
echo "Remove ${LINE} from /etc/squid/conf.d/env.conf because acl ${ACL} doesn't exist"
sed -i -E "/.*${ACL}.*/d" /etc/squid/conf.d/env.conf
fi
done
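Review bot: `[^\s]` in the sed expression on the `ACL=` line is a bracket expression, in which `\s` is not a whitespace class but the two literal characters `\` and `s`, so an acl such as `auth_users` is truncated to `auth_u`; `[^[:space:]]` is the portable form. The existence check `grep -q ${ACL} ...acl.conf` and the deletion `sed -i -E "/.*${ACL}.*/d"` both match the name as an unanchored substring, so `auth_foo` is kept when only `auth_foobar` is defined and the delete removes every line that merely contains the name; anchoring both, `grep -qE "^acl[[:space:]]+${ACL}([[:space:]]|$)" /secrets/squid/conf.d/acl.conf` and `sed -i -E "/^http_access .*[[:space:]]${ACL}([[:space:]]|$)/d" /etc/squid/conf.d/env.conf`, restricts it to whole acl names on http_access lines. `IFS=$'\n'` is a bash/ksh literal that `#!/bin/sh` only honours on shells with that extension; the POSIX spelling is `IFS='` followed by a literal newline and `'`. Since dropping a `deny` line widens the policy, the removal message belongs on stderr (`>&2`) so it is not lost among normal output.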

13
templates/reload.sh.tpl Normal file

@ -0,0 +1,13 @@
#!/bin/sh
set -euo pipefail
# Empty the env.conf fragment and recreate it from env vars
> /etc/squid/conf.d/env.conf
/entrypoint.d/10-squid-conf.sh
/entrypoint.d/30-filter-acl.sh
# Parse squid config and if OK, reload
if squid -k parse -f /etc/squid/squid.conf; then
killall -HUP squid
fi
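Review bot: When `squid -k parse` fails, the script falls through the `if` and exits 0, so a broken env.conf stays on disk silently: the running squid keeps its old policy, but the next container start will fail to parse that same file. An `else` branch, `else echo "squid config parse failed, not reloading" >&2; exit 1; fi`, lets the Nomad change_script report the failure (when the caller sets `fail_on_error`). `> /etc/squid/conf.d/env.conf` truncates the live fragment before it is rebuilt, so a SIGHUP arriving in that window would load an empty fragment; rendering to a temporary file next to it and `mv`-ing it into place would close that gap, though it requires the generator script to accept an output path. `killall -HUP squid` signals every process named squid, whereas `squid -k reconfigure -f /etc/squid/squid.conf` targets the instance through its pid file.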


@ -5,7 +5,7 @@ squid:
instance: squid
# Docker image to use
image: danielberteaud/squid:23.10-1
image: danielberteaud/squid:23.10-6
# Resources
resources:
@ -31,11 +31,11 @@ squid:
# # We can restrict it to localhost
# SQUID_CONF_http_access_21: allow localhost white
env:
SQUID_CONF_acl_10: auth proxy_auth REQUIRED
SQUID_CONF_http_access_20: deny !auth all
SQUID_CONF_http_access_21: allow localhost white
SQUID_CONF_http_access_22: deny black
SQUID_CONF_http_access_200: deny all
SQUID_CONF_10_acl: auth proxy_auth REQUIRED
SQUID_CONF_101_http_access: deny !auth all
SQUID_CONF_102_http_access: allow localhost white
SQUID_CONF_103_http_access: deny black
SQUID_CONF_999_http_access: deny all
# List of destination ports for which squid will allow tunneling using CONNECT
ssl_ports:
@ -78,6 +78,8 @@ squid:
category: white
blacklist:
content: |
# Add an fake domain to prevents warnings in case Consul has no blacklist entry
.nonexistingdomain
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
{{- end }}
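Review bot: In the env hunk the terminal rule is now `SQUID_CONF_999_http_access: deny all`, while the image default from the Dockerfile in this commit is `SQUID_CONF_1000_http_access: allow all`; with a numeric sort of the prefix `deny all` wins and the default is unreachable, but with a plain lexical sort of the variable names `1000` precedes `999` and the policy ends in `allow all`, so the generator's ordering (not in this diff) is what keeps this fail-closed. A comment above `env:` stating that the prefix is sorted numerically would make the contract visible to whoever next renumbers these keys. The context comment `# SQUID_CONF_http_access_21: allow localhost white` just above still uses the old suffix scheme and should read `# SQUID_CONF_102_http_access: allow localhost white`. The `.nonexistingdomain` placeholder in the blacklist hunk is harmless, and a short comment already explains it.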