Update image and add rendered example
This commit is contained in:
parent
1801bfdb17
commit
e2be22dd3c
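--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,25 @@
+FROM danielberteaud/alpine:24.1-2
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ENV SQUID_CONFDIR=/etc/squid \
+SQUID_CONF_20_acl_10="safe_ports port 80 443 21" \
+SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007" \
+SQUID_CONF_20_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
+SQUID_CONF_100_http_access="deny CONNECT !ssl_ports"\
+SQUID_CONF_1000_http_access="allow all"
+
+RUN set -eux &&\
+apk --no-cache upgrade &&\
+apk --no-cache add squid apache2-utils &&\
+mkdir /etc/squid/conf.d/ &&\
+touch /etc/squid/conf.d/env.conf &&\
+touch /etc/squid/auth &&\
+chown squid:squid /etc/squid/auth &&\
+chmod 600 /etc/squid/auth &&\
+chown -R squid:squid /etc/squid/conf.d/
+
+COPY root/ /
+
+EXPOSE 3128
+USER squid
+CMD ["squid", "-N", "-u", "0"]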
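Review bot: With the ENV defaults the only access policy is `deny CONNECT !ssl_ports` followed by `allow all`, so an image started without overrides is an open forward proxy for every client that can reach port 3128, and the `safe_ports` and `rfc1918_dst` ACLs are defined but never referenced by any http_access rule. Squid's stock policy denies non-safe ports and finishes with a deny; a safer default would be `SQUID_CONF_30_http_access="deny !safe_ports"` ahead of the CONNECT rule and `SQUID_CONF_1000_http_access="deny all"`, with a comment telling operators to add their own allow rules (the rendered Nomad example already ends with `deny all`), or at minimum a comment stating that the default is open. Separately, `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors="..."`, and `apk --no-cache add squid apache2-utils` installs unpinned versions, so two builds of the same tag may not contain the same squid.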
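--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p ${SQUID_CONFDIR}
+
+mkdir -p ${SQUID_CONFDIR}/conf.d
+if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
+for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
+for LIST in $(ls ${CATEGORY}/*.list); do
+CATEGORY=$(basename ${CATEGORY})
+ACL=$(basename ${LIST} .list)
+echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+echo "acl ${ACL} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+done
+done
+fi
+
+for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
+DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
+echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
+echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
+done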
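Review bot: Every write in this script is an append (`>>`) and nothing truncates `${SQUID_CONFDIR}/conf.d/env.conf` first, so running it a second time against a persisted conf.d (the rendered Nomad example mounts `secrets/` there, and its reload wrapper has to do `> /etc/squid/conf.d/env.conf` by hand before calling it) duplicates every acl and http_access line. Truncating inside the script, `: > "${SQUID_CONFDIR}/conf.d/env.conf"` right after the `mkdir -p` of conf.d, makes the generated fragment idempotent and removes that burden from callers. The inner loop's `$(ls ${CATEGORY}/*.list)` parses ls output and word-splits on whitespace; iterating the glob directly, `for LIST in "${CATEGORY}"/*.list; do` with `[ -e "${LIST}" ] || continue` as the first statement, behaves the same for normal names and is robust for the rest. The `[ -n ... -a -d ... ]` test relies on the non-POSIX `-a` binary; `[ -n "${SQUID_LISTS_DIR}" ] && [ -d "${SQUID_LISTS_DIR}" ]` is the portable form.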
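--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -euo pipefail
+
+for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
+echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
+htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
+done
+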
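Review bot: `htpasswd -b ... "$(printenv SQUID_USER_${USER})"` passes each user's clear-text password as a command-line argument, so it is readable via `/proc/<pid>/cmdline` and `ps` by any process sharing the PID namespace, and it lands in shell traces if anyone debugs this script with `set -x`. `htpasswd -i` reads the password from stdin instead, which keeps it off argv: `printf '%s' "$(printenv SQUID_USER_${USER})" | htpasswd -i -B ${SQUID_CONFDIR}/auth ${USER}`. Also, the shebang is `#!/bin/sh` while `set -o pipefail` is not POSIX; it works under BusyBox ash on this Alpine base but would abort under dash, so either say so in a comment or use `#!/bin/ash`.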
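--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,18 @@
+max_filedescriptors 8192
+pid_filename none
+http_port 3128
+
+# Log on stdout
+access_log stdio:/dev/stdout combined
+
+# Deny cache manager
+http_access deny manager
+
+# NCSA auth
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
+auth_param basic children 2 startup=2 idle=1
+auth_param basic credentialsttl 1 hours
+
+# Include config fragment
+include /etc/squid/conf.d/*.conf
+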
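Review bot: The `include /etc/squid/conf.d/*.conf` line carries an ordering contract that `# Include config fragment` does not state: squid evaluates `http_access` rules first-match, so `deny manager` only takes precedence over the generated rules because it precedes the include, and the fragments appear to be read in glob order, which is what lets an `acl.conf` defining `auth_*` ACLs be seen before `env.conf` references them. Suggest expanding the comment to `# Include config fragments (glob order); keep this last so the rules above take precedence over generated ones`.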
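--- /dev/null
+++ b/PATH-NOT-SHOWN-5
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+
+
+if [ "squid" != "squid" ]; then
+for DIR in vault consul nomad; do
+if [ -d output/${DIR} ]; then
+for FILE in $(find output/${DIR} -name "*squid*.hcl" -type f); do
+NEW_FILE=$(echo "${FILE}" | sed -E "s/squid/squid/g")
+mv "${FILE}" "${NEW_FILE}"
+done
+fi
+done
+fi
+
+
+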
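--- /dev/null
+++ b/PATH-NOT-SHOWN-6
@@ -0,0 +1,230 @@
+job "squid" {
+
+
+datacenters = ["dc1"]
+
+
+group "squid" {
+network {
+mode = "bridge"
+}
+
+service {
+name = "squid"
+port = 3128
+connect {
+sidecar_service {
+disable_default_tcp_check = true
+}
+sidecar_task {
+resources {
+cpu = 50
+memory = 64
+}
+
+}
+}
+
+}
+
+task "squid" {
+driver = "docker"
+
+config {
+image = "danielberteaud/squid:24.1-1"
+readonly_rootfs = true
+pids_limit = 100
+volumes = [
+"secrets/:/etc/squid/conf.d",
+"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
+]
+}
+
+env {
+SQUID_LISTS_DIR = "/local/lists"
+SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
+SQUID_CONF_5_acl = "ssl_ports port 443 8443 8006 8007 8448"
+}
+
+template {
+data = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Remove any line containing auth_XXX acl not present in /secrets/acl.conf
+IFS=$'\n'
+for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf); do
+ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\s]+).*/\1/')
+if ! grep -q ${ACL} /secrets/acl.conf; then
+echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
+sed -i -E "/.*${ACL}.*/d" /secrets/env.conf
+fi
+done
+
+
+_EOT
+destination = "local/filter-acl.sh"
+uid = 100000
+gid = 100000
+perms = 755
+}
+
+template {
+data = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Empty the env.conf fragment and recreate it from env vars
+> /etc/squid/conf.d/env.conf
+/entrypoint.d/10-squid-conf.sh
+/entrypoint.d/30-filter-acl.sh
+
+# Parse squid config and if OK, reload
+if squid -k parse -f /etc/squid/squid.conf; then
+killall -HUP squid
+fi
+
+_EOT
+destination = "local/reload.sh"
+uid = 100000
+gid = 100000
+perms = 755
+}
+
+template {
+data = <<_EOT
+{{- range services }}
+{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+{{ .Name }}:{{ sprig_bcrypt .Name }}
+{{- end }}
+{{- end }}
+
+_EOT
+destination = "secrets/auth"
+uid = 100000
+gid = 100031
+perms = 0640
+change_mode = "noop"
+}
+
+template {
+data = <<_EOT
+{{- range services }}
+{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+acl auth_{{ .Name }} proxy_auth {{ .Name }}
+{{- end }}
+{{- end }}
+
+_EOT
+destination = "secrets/acl.conf"
+uid = 100000
+gid = 100031
+perms = 0640
+change_mode = "script"
+change_script {
+command = "/local/reload.sh"
+}
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
+destination = "local/lists/white/almalinux.list"
+mode = "file"
+}
+
+template {
+data = <<_EOT
+# Add an fake domain to prevents warnings in case Consul has no blacklist entry
+.nonexistingdomain
+{{- if keyExists "service/squid/lists/black" }}
+{{ key "service/squid/lists/black" }}
+{{- end }}
+
+_EOT
+destination = "local/lists/black/blacklist.list"
+change_mode = "script"
+change_script {
+command = "/local/reload.sh"
+}
+}
+
+template {
+data = <<_EOT
+.lapiole.org
+
+_EOT
+destination = "local/lists/white/dbd.list"
+change_mode = "script"
+change_script {
+command = "/local/reload.sh"
+}
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
+destination = "local/lists/white/debian.list"
+mode = "file"
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
+destination = "local/lists/white/epel.list"
+mode = "file"
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
+destination = "local/lists/white/remi.list"
+mode = "file"
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
+destination = "local/lists/white/various.list"
+mode = "file"
+}
+
+template {
+data = <<_EOT
+{{- if keyExists "service/squid/lists/white" }}
+{{ key "service/squid/lists/white" }}
+{{- end }}
+
+_EOT
+destination = "local/lists/white/whitelist.list"
+change_mode = "script"
+change_script {
+command = "/local/reload.sh"
+}
+}
+
+artifact {
+source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
+destination = "local/lists/white/windows.list"
+mode = "file"
+}
+# Use a template block instead of env {} so we can fetch values from vault
+template {
+data = <<_EOT
+LANG=fr_FR.utf8
+SQUID_CONF_101_http_access=deny !auth all
+SQUID_CONF_102_http_access=allow localhost white
+SQUID_CONF_103_http_access=deny black
+SQUID_CONF_10_acl=auth proxy_auth REQUIRED
+SQUID_CONF_999_http_access=deny all
+TZ=Europe/Paris
+_EOT
+destination = "secrets/.env"
+perms = 400
+env = true
+}
+resources {
+cpu = 100
+memory = 256
+}
+
+}
+}
+}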
@ -6,7 +6,7 @@ instance: squid
squid:
# Docker image to use
image: '[[ .docker.repo ]]squid:23.12-1'
image: '[[ .docker.repo ]]squid:24.1-1'
# Resources
resources: