Initial commit

Daniel Berteaud 2023-10-16 00:31:11 +02:00
commit dba7ec36d0
9 changed files with 255 additions and 0 deletions

4
bundles.yml Normal file

@ -0,0 +1,4 @@
---
dependencies:
- url: ../common.git

25
images/squid/Dockerfile Normal file

@ -0,0 +1,25 @@
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
MAINTAINER [[ .docker.maintainer ]]
ENV SQUID_CONFDIR=/etc/squid \
SQUID_CONF_acl_10="safe_ports port 80 443 21" \
SQUID_CONF_acl_11="ssl_ports port 443 8443 8006 8007" \
SQUID_CONF_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\
SQUID_CONF_http_access_1000="allow all"
RUN set -eux &&\
apk --no-cache upgrade &&\
apk --no-cache add squid apache2-utils &&\
mkdir /etc/squid/conf.d/ &&\
touch /etc/squid/conf.d/env.conf &&\
touch /etc/squid/auth &&\
chown squid:squid /etc/squid/auth &&\
chmod 600 /etc/squid/auth &&\
chown -R squid:squid /etc/squid/conf.d/
COPY root/ /
EXPOSE 3128
USER squid
CMD ["squid", "-N", "-u", "0"]
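Review bot: The policy baked into the image via `ENV` ends with `SQUID_CONF_http_access_1000="allow all"`, so a container started from this image without additional `SQUID_CONF_http_access_*` variables behaves as an open proxy, and the `safe_ports` and `rfc1918_dst` ACLs declared in the same `ENV` are never referenced by any `http_access` rule in this commit, so they are inert. Failing closed by default would be safer: `SQUID_CONF_http_access_11="deny !safe_ports"`, `SQUID_CONF_http_access_12="deny rfc1918_dst"` (presumably the intent of an ACL named that way is to stop proxying into private ranges) and `SQUID_CONF_http_access_1000="deny all"`, leaving deployments to add explicit allows; the bundled variables.yml already appends `deny all` at index 200, so it would keep working. `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors="…"`, and `apk --no-cache upgrade` together with unpinned `apk --no-cache add squid apache2-utils` makes the image non-reproducible, so pinning the package versions (or relying only on the base image tag) is the usual fix. There is no `ENTRYPOINT`, so it is not visible here what runs the setup script copied from `root/`; presumably the custom alpine base provides one, which a comment on the `COPY root/ /` line could state.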


@ -0,0 +1,26 @@
#!/bin/sh
set -e
mkdir -p ${SQUID_CONFDIR}
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
done
mkdir -p ${SQUID_CONFDIR}/conf.d
if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
for LIST in $(ls ${CATEGORY}/*.list); do
CATEGORY=$(basename ${CATEGORY})
echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
done
done
fi
for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
done
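Review bot: `htpasswd -b … "$(printenv SQUID_USER_${USER})"` places each user's plaintext password on the htpasswd command line, where any other process in the container can read it from `/proc/<pid>/cmdline` for the duration of the call; reading it from stdin avoids that: `printenv "SQUID_USER_${USER}" | htpasswd -i -B "${SQUID_CONFDIR}/auth" "${USER}"`. The loop writes to `${SQUID_CONFDIR}/auth`, while the Nomad job in this commit points `basic_ncsa_auth` at `/secrets/squid/auth` instead, so users supplied through `SQUID_USER_*` would presumably be ignored in that deployment — a comment stating which file Squid actually reads would help. The visible lines end without `exec "$@"`, and the file header for this section is missing from the rendered page, so I cannot tell whether this is the container entrypoint or a hook run by the base image; if it is the entrypoint, the missing `exec "$@"` means Squid would not run as PID 1.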


@ -0,0 +1,18 @@
max_filedescriptors 8192
pid_filename none
http_port 3128
# Log on stdout
access_log stdio:/dev/stdout combined
# Deny cache manager
http_access deny manager
# NCSA auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
auth_param basic children 2 startup=2 idle=1
auth_param basic credentialsttl 1 hours
# Include config fragment
include /etc/squid/conf.d/*.conf
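Review bot: The only `http_access` rule in this file is `http_access deny manager`; every other rule comes from the `include /etc/squid/conf.d/*.conf` fragments, and per Squid's documentation the fallback when no rule matches is the opposite of the last rule in the list, which here would be allow if the fragments contribute nothing. A trailing `http_access deny all` after the `include` line fails closed regardless of what the fragments contain, while an explicit `allow` appended to env.conf still matches first. The file header for this section is not visible on the rendered page; from the `auth_param` and `include` lines it appears to be the base squid.conf shipped under `root/`, and a header comment saying that the generated env.conf is expected to carry the real policy would make the split clear.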

1
prep.d/10-mv_conf.sh Executable file

@ -0,0 +1 @@
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "squid" .squid.instance) ]]

82
squid.nomad.hcl Normal file

@ -0,0 +1,82 @@
[[- $c := merge .squid . -]]
job [[ $c.instance | toJSON ]] {
[[ template "common/job_start.tpl" $c ]]
group "squid" {
network {
mode = "bridge"
}
service {
name = "[[ $c.instance ]][[ $c.consul.suffix ]]"
port = 3128
[[ template "common/connect.tpl" $c ]]
}
task "squid" {
driver = [[ $c.nomad.driver | toJSON ]]
config {
image = [[ .squid.image | toJSON ]]
#readonly_rootfs = true
pids_limit = 100
}
env {
SQUID_LISTS_DIR = "/local/lists"
SQUID_CONF_0_include_0 = "/secrets/squid/conf.d/*.conf"
SQUID_CONF_auth_param_0 = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"
}
template {
data =<<_EOT
[[ template "squid/auth.tpl" . ]]
_EOT
destination = "secrets/squid/auth"
uid = 100000
gid = 100031
perms = 0640
change_mode = "noop"
}
template {
data =<<_EOT
[[ template "squid/acl.conf.tpl" . ]]
_EOT
destination = "secrets/squid/conf.d/acl.conf"
uid = 100000
gid = 100031
perms = 0640
change_mode = "signal"
change_signal = "SIGHUP"
}
[[- range $k, $v := .squid.lists ]]
[[- if has $v "url" ]]
artifact {
source = [[ $v.url | toJSON ]]
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
mode = "file"
}
[[- else if has $v "content" ]]
template {
data =<<_EOT
[[ $v.content ]]
_EOT
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
change_mode = "signal"
change_signal = "SIGHUP"
}
[[- end ]]
[[- end ]]
[[- template "common/file_env.tpl" $c.env ]]
[[- template "common/resources.tpl" .squid.resources ]]
}
}
}
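Review bot: `SQUID_CONF_acl_10 = "ssl_ports ports …"` in the task `env` block reuses the key that variables.yml also sets (`SQUID_CONF_acl_10: auth proxy_auth REQUIRED`, injected through `common/file_env.tpl`), so only one of the two can survive: either the `auth` ACL referenced by `http_access_20 deny !auth all` is never defined and Squid refuses to start, or the ssl_ports override is silently dropped. The image defines `ssl_ports` under `SQUID_CONF_acl_11`, so this line should presumably override that key, and the ACL type used by the image's own definition is `port`, not `ports`: `SQUID_CONF_acl_11 = "ssl_ports port [[ join .squid.ssl_ports " " ]]"`. The `artifact` blocks download allow-list files over HTTPS with no integrity check; if the lists are meant to change upstream that is a deliberate trade-off, but a comment saying so would stop a reader expecting a `checksum` option. The enclosing `job` block closes on the last visible line, so this note covers the whole file.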

5
templates/acl.conf.tpl Normal file

@ -0,0 +1,5 @@
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
acl auth_{{ .Name }} proxy_auth {{ .Name }}
{{- end }}
{{- end }}

5
templates/auth.tpl Normal file

@ -0,0 +1,5 @@
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}
{{- end }}
{{- end }}
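Review bot: Each rendered credential is `{{ .Name }}:{{ sprig_bcrypt .Name }}`, i.e. the proxy password of every Consul service is its own service name, which anyone able to reach port 3128 can derive from the username, so the `proxy_auth` check identifies a caller but does not authenticate it. If the intent is that the Connect sidecar is the only route to the port and this is identification only, a comment stating that here (`{{/* password == service name: identification only, reachability is enforced by Connect */}}`) would stop a reader treating it as real authentication; otherwise a per-service secret looked up from Consul KV or Vault should replace `sprig_bcrypt .Name`.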

89
variables.yml Normal file

@ -0,0 +1,89 @@
---
squid:
# Name of this instance (job name and service name)
instance: squid
# Docker image to use
image: danielberteaud/squid:23.10-1
# Resources
resources:
cpu: 100
memory: 256
# Env variables passed to the container
# squid configuration can be passed with
#
# To add directive
# - SQUID_CONF_<directive>: value
# To add directive, but sorted using <index> (number)
# - SQUID_CONF_<index>_<directive>: value
# When a directive can be repeasted sevral times, you can also pass an additional number like
# - SQUID_CONF_<directive>_<number>: value
# For example
# # Ensure include is added before everything else
# SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
# # Add some access
# # Make authentication mandatory
# SQUID_CONF_http_access_20: deny !auth all
# # Allow access to the white category. As every access will be done through the service mesh
# # We can restrict it to localhost
# SQUID_CONF_http_access_21: allow localhost white
env:
SQUID_CONF_acl_10: auth proxy_auth REQUIRED
SQUID_CONF_http_access_20: deny !auth all
SQUID_CONF_http_access_21: allow localhost white
SQUID_CONF_http_access_22: deny black
SQUID_CONF_http_access_200: deny all
# List of destination ports for which squid will allow tunneling using CONNECT
ssl_ports:
- 443
- 8443
- 8006
- 8007
# List of domain to build black/white lists
# content can be used to directly set the content of the list (which can include consul-template fragment to read from consul KV store)
# url can be used to download a file from an http(s) source
lists:
almalinux:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
category: white
dbd:
content: |
.lapiole.org
category: white
debian:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
category: white
epel:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
category: white
remi:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
category: white
windows:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
category: white
various:
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
category: white
whitelist:
content: |
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
{{- end }}
category: white
blacklist:
content: |
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
{{- end }}
category: black
# Disable default TCP check to prevent log noise
consul:
connect:
disable_default_tcp_check: true
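Review bot: The comment block describing the `SQUID_CONF_*` scheme is the user-facing documentation for the mechanism and has two typos worth fixing: `repeasted sevral` should read `repeated several`, and `List of domain to build black/white lists` should read `List of domains used to build black/white lists`. `SQUID_CONF_acl_10: auth proxy_auth REQUIRED` also replaces the image's own `acl_10` (`safe_ports`), which is only harmless because nothing references `safe_ports`; a short comment such as `# index 10 deliberately shadows the image's unused safe_ports ACL` would save the next reader from wondering whether the collision is intended.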