Initial commit
dba7ec36d0
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- url: ../common.git
|
|
@ -0,0 +1,25 @@
|
|||
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
|
||||
MAINTAINER [[ .docker.maintainer ]]
|
||||
|
||||
ENV SQUID_CONFDIR=/etc/squid \
|
||||
SQUID_CONF_acl_10="safe_ports port 80 443 21" \
|
||||
SQUID_CONF_acl_11="ssl_ports port 443 8443 8006 8007" \
|
||||
SQUID_CONF_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
|
||||
SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\
|
||||
SQUID_CONF_http_access_1000="allow all"
|
||||
|
||||
RUN set -eux &&\
|
||||
apk --no-cache upgrade &&\
|
||||
apk --no-cache add squid apache2-utils &&\
|
||||
mkdir /etc/squid/conf.d/ &&\
|
||||
touch /etc/squid/conf.d/env.conf &&\
|
||||
touch /etc/squid/auth &&\
|
||||
chown squid:squid /etc/squid/auth &&\
|
||||
chmod 600 /etc/squid/auth &&\
|
||||
chown -R squid:squid /etc/squid/conf.d/
|
||||
|
||||
COPY root/ /
|
||||
|
||||
EXPOSE 3128
|
||||
USER squid
|
||||
CMD ["squid", "-N", "-u", "0"]
|
|
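Review bot: The image's own defaults end the access list with `SQUID_CONF_http_access_1000="allow all"`, so a container started from this image without the Nomad env (where values.yml adds a `deny all` at index 200) accepts unauthenticated traffic on the exposed port 3128. The `safe_ports` acl declared in `SQUID_CONF_acl_10` is never referenced by any http_access line, so the usual `deny !safe_ports` guard is missing as well. Safer image defaults would be `SQUID_CONF_http_access_11="deny !safe_ports"` and `SQUID_CONF_http_access_1000="deny all"`, letting each deployment opt into its allows. Two smaller points: `SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\` lacks the space before the continuation backslash that the other ENV lines have, so separation from the next key depends on the following line's leading indent (which the rendered page does not show), and `MAINTAINER` is deprecated in favour of `LABEL maintainer=...`.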
@ -0,0 +1,26 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
mkdir -p ${SQUID_CONFDIR}
|
||||
for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
|
||||
echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
|
||||
htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
|
||||
done
|
||||
|
||||
mkdir -p ${SQUID_CONFDIR}/conf.d
|
||||
if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
|
||||
for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
|
||||
for LIST in $(ls ${CATEGORY}/*.list); do
|
||||
CATEGORY=$(basename ${CATEGORY})
|
||||
echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
|
||||
echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
|
||||
DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
|
||||
echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
|
||||
echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
|
||||
done
|
|
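Review bot: `htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"` places each user's clear-text password on the htpasswd command line, where it is readable from the process list while the bcrypt hash is computed; `htpasswd -i` reads it from stdin instead: `printenv "SQUID_USER_${USER}" | htpasswd -i -B "${SQUID_CONFDIR}/auth" "${USER}"`. Both `>> ${SQUID_CONFDIR}/conf.d/env.conf` appends never truncate the file, so if `SQUID_CONFDIR` is a persistent volume every restart duplicates the acl and directive lines; a `: > "${SQUID_CONFDIR}/conf.d/env.conf"` right after `mkdir -p ${SQUID_CONFDIR}/conf.d` fixes that. The `-a` inside `[ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]` is obsolescent in POSIX `test` and `for LIST in $(ls ${CATEGORY}/*.list)` word-splits file names; `[ -n "${SQUID_LISTS_DIR}" ] && [ -d "${SQUID_LISTS_DIR}" ]` and `for LIST in "${CATEGORY}"/*.list` are the portable forms, and every `${SQUID_CONFDIR}` expansion should be quoted the same way.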
@ -0,0 +1,18 @@
|
|||
max_filedescriptors 8192
|
||||
pid_filename none
|
||||
http_port 3128
|
||||
|
||||
# Log on stdout
|
||||
access_log stdio:/dev/stdout combined
|
||||
|
||||
# Deny cache manager
|
||||
http_access deny manager
|
||||
|
||||
# NCSA auth
|
||||
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
|
||||
auth_param basic children 2 startup=2 idle=1
|
||||
auth_param basic credentialsttl 1 hours
|
||||
|
||||
# Include config fragment
|
||||
include /etc/squid/conf.d/*.conf
|
||||
|
|
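Review bot: The base config contributes only `http_access deny manager` of its own and leaves every other access rule to the included fragments, so when `/etc/squid/conf.d/*.conf` supplies no `http_access` line (or an operator drops the trailing `deny all`), squid's implicit default, the opposite of the last rule, allows all traffic. Because `include /etc/squid/conf.d/*.conf` is the last line, a backstop `http_access deny all` appended after it makes deny the final default whatever the env fragment contains, while the fragment's rules still match first. The comment `# Include config fragment` could state why the ordering matters: `# Included last so env-generated acl/http_access lines are evaluated before the final deny`.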
@ -0,0 +1 @@
|
|||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "squid" .squid.instance) ]]
|
|
@ -0,0 +1,82 @@
|
|||
[[- $c := merge .squid . -]]
|
||||
|
||||
job [[ $c.instance | toJSON ]] {
|
||||
|
||||
[[ template "common/job_start.tpl" $c ]]
|
||||
|
||||
group "squid" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "[[ $c.instance ]][[ $c.consul.suffix ]]"
|
||||
port = 3128
|
||||
[[ template "common/connect.tpl" $c ]]
|
||||
}
|
||||
|
||||
task "squid" {
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
|
||||
config {
|
||||
image = [[ .squid.image | toJSON ]]
|
||||
#readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
}
|
||||
|
||||
env {
|
||||
SQUID_LISTS_DIR = "/local/lists"
|
||||
SQUID_CONF_0_include_0 = "/secrets/squid/conf.d/*.conf"
|
||||
SQUID_CONF_auth_param_0 = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
|
||||
SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/auth.tpl" . ]]
|
||||
_EOT
|
||||
destination = "secrets/squid/auth"
|
||||
uid = 100000
|
||||
gid = 100031
|
||||
perms = 0640
|
||||
change_mode = "noop"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/acl.conf.tpl" . ]]
|
||||
_EOT
|
||||
destination = "secrets/squid/conf.d/acl.conf"
|
||||
uid = 100000
|
||||
gid = 100031
|
||||
perms = 0640
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
|
||||
[[- range $k, $v := .squid.lists ]]
|
||||
[[- if has $v "url" ]]
|
||||
|
||||
artifact {
|
||||
source = [[ $v.url | toJSON ]]
|
||||
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
|
||||
mode = "file"
|
||||
}
|
||||
[[- else if has $v "content" ]]
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ $v.content ]]
|
||||
_EOT
|
||||
destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
|
||||
[[- template "common/file_env.tpl" $c.env ]]
|
||||
[[- template "common/resources.tpl" .squid.resources ]]
|
||||
}
|
||||
}
|
||||
}
|
|
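Review bot: `SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"` in the task env reuses the key that the image's Dockerfile binds to `safe_ports` and that values.yml's `env` (presumably emitted as a second env block by `common/file_env.tpl` further down) binds to `auth proxy_auth REQUIRED`; only one of the three values can survive, so either the `auth` acl is never defined and `http_access deny !auth all` would likely stop squid from starting, or the job's ssl_ports override is silently dropped. The image's ssl_ports acl lives under `SQUID_CONF_acl_11`, so the override belongs on that key; I also believe squid's port acl type is spelled `port`, not `ports`, which would be rejected at startup: `SQUID_CONF_acl_11 = "ssl_ports port [[ join .squid.ssl_ports " " ]]"`. The commented-out `#readonly_rootfs = true` is dead config; either drop it or say why it cannot be enabled yet (the startup script in this commit writes into `${SQUID_CONFDIR}`, which the image sets to `/etc/squid`).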
@ -0,0 +1,5 @@
|
|||
{{- range services }}
|
||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||
acl auth_{{ .Name }} proxy_auth {{ .Name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,5 @@
|
|||
{{- range services }}
|
||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
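Review bot: `{{ .Name }}:{{ sprig_bcrypt .Name }}` hashes the service name as that service's password, so the generated htpasswd file lets any client that knows a registered service name authenticate as it; `proxy_auth` here identifies callers but does not authenticate them, and bcrypt adds nothing when its input is public. If per-service credentials are intended, the password should come from a per-service secret (for example a Consul KV key or Vault path under the same `[[ .consul.prefix ]]service/` prefix the lists in values.yml already read from) rather than from the name. If identification behind the mesh is all that is intended, a comment in this template saying so, e.g. `{{/* password == service name: identification only, not an access-control boundary */}}`, would keep a future reader from relying on the `auth` acl as one.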
@ -0,0 +1,89 @@
|
|||
---
|
||||
|
||||
squid:
|
||||
# Name of this instance (job name and service name)
|
||||
instance: squid
|
||||
|
||||
# Docker image to use
|
||||
image: danielberteaud/squid:23.10-1
|
||||
|
||||
# Resources
|
||||
resources:
|
||||
cpu: 100
|
||||
memory: 256
|
||||
|
||||
# Env variables passed to the container
|
||||
# squid configuration can be passed with
|
||||
#
|
||||
# To add directive
|
||||
# - SQUID_CONF_<directive>: value
|
||||
# To add directive, but sorted using <index> (number)
|
||||
# - SQUID_CONF_<index>_<directive>: value
|
||||
# When a directive can be repeasted sevral times, you can also pass an additional number like
|
||||
# - SQUID_CONF_<directive>_<number>: value
|
||||
# For example
|
||||
# # Ensure include is added before everything else
|
||||
# SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
|
||||
# # Add some access
|
||||
# # Make authentication mandatory
|
||||
# SQUID_CONF_http_access_20: deny !auth all
|
||||
# # Allow access to the white category. As every access will be done through the service mesh
|
||||
# # We can restrict it to localhost
|
||||
# SQUID_CONF_http_access_21: allow localhost white
|
||||
env:
|
||||
SQUID_CONF_acl_10: auth proxy_auth REQUIRED
|
||||
SQUID_CONF_http_access_20: deny !auth all
|
||||
SQUID_CONF_http_access_21: allow localhost white
|
||||
SQUID_CONF_http_access_22: deny black
|
||||
SQUID_CONF_http_access_200: deny all
|
||||
|
||||
# List of destination ports for which squid will allow tunneling using CONNECT
|
||||
ssl_ports:
|
||||
- 443
|
||||
- 8443
|
||||
- 8006
|
||||
- 8007
|
||||
|
||||
# List of domain to build black/white lists
|
||||
# content can be used to directly set the content of the list (which can include consul-template fragment to read from consul KV store)
|
||||
# url can be used to download a file from an http(s) source
|
||||
lists:
|
||||
almalinux:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
|
||||
category: white
|
||||
dbd:
|
||||
content: |
|
||||
.lapiole.org
|
||||
category: white
|
||||
debian:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
|
||||
category: white
|
||||
epel:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
|
||||
category: white
|
||||
remi:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
|
||||
category: white
|
||||
windows:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
|
||||
category: white
|
||||
various:
|
||||
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
|
||||
category: white
|
||||
whitelist:
|
||||
content: |
|
||||
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
|
||||
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
|
||||
{{- end }}
|
||||
category: white
|
||||
blacklist:
|
||||
content: |
|
||||
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
||||
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
||||
{{- end }}
|
||||
category: black
|
||||
|
||||
# Disable default TCP check to prevent log noise
|
||||
consul:
|
||||
connect:
|
||||
disable_default_tcp_check: true
|
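Review bot: Each `url:` entry under `lists` is fetched by the job's `artifact` block with no integrity check, so whatever the remote `branch/master` serves at allocation time becomes part of the `white` dstdomain acl, and a changed or compromised upstream file silently widens what the proxy allows. Nomad's artifact stanza accepts a checksum option, so a per-list `checksum:` field passed through to the artifact block, or a pinned revision in place of `branch/master`, would make the allow-list reproducible. `SQUID_CONF_acl_10: auth proxy_auth REQUIRED` shares its key with the job template's `SQUID_CONF_acl_10` and the image's own `SQUID_CONF_acl_10`; see the note on the job template for the collision. In the comment block, `repeasted sevral` should read `repeated several`, and `# List of domain to build black/white lists` should read `# Lists of domains used to build the black/white acls`.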