Update image and add rendered example

2024-01-13 14:33:57 +01:00 · 2024-01-13 14:33:57 +01:00 · e2be22dd3c
parent 1801bfdb17
commit e2be22dd3c
7 changed files with 327 additions and 1 deletions
--- a/example/images/squid/Dockerfile
+++ b/example/images/squid/Dockerfile
@ -0,0 +1,25 @@
+FROM danielberteaud/alpine:24.1-2
+MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
+
+ENV SQUID_CONFDIR=/etc/squid \
+    SQUID_CONF_20_acl_10="safe_ports port 80 443 21" \
+    SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007" \
+    SQUID_CONF_20_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
+    SQUID_CONF_100_http_access="deny CONNECT !ssl_ports"\
+    SQUID_CONF_1000_http_access="allow all"
+
+RUN set -eux &&\
+    apk --no-cache upgrade &&\
+    apk --no-cache add squid apache2-utils &&\
+    mkdir /etc/squid/conf.d/ &&\
+    touch /etc/squid/conf.d/env.conf &&\
+    touch /etc/squid/auth &&\
+    chown squid:squid /etc/squid/auth &&\
+    chmod 600 /etc/squid/auth &&\
+    chown -R squid:squid /etc/squid/conf.d/
+
+COPY root/ /
+
+EXPOSE 3128
+USER squid
+CMD ["squid", "-N", "-u", "0"]
--- a/example/images/squid/root/entrypoint.d/10-squid-conf.sh
+++ b/example/images/squid/root/entrypoint.d/10-squid-conf.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p ${SQUID_CONFDIR}
+
+mkdir -p ${SQUID_CONFDIR}/conf.d
+if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
+  for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
+    for LIST in $(ls ${CATEGORY}/*.list); do
+      CATEGORY=$(basename ${CATEGORY})
+      ACL=$(basename ${LIST} .list)
+      echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+      echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+      echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+      echo "acl ${ACL} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+    done
+  done
+fi
+
+for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
+  DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
+  echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
+  echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
+done
--- a/example/images/squid/root/entrypoint.d/20-squid-users.sh
+++ b/example/images/squid/root/entrypoint.d/20-squid-users.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -euo pipefail
+
+for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
+  echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
+  htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
+done
+
--- a/example/images/squid/root/etc/squid/squid.conf
+++ b/example/images/squid/root/etc/squid/squid.conf
@ -0,0 +1,18 @@
+max_filedescriptors 8192
+pid_filename none
+http_port 3128
+
+# Log on stdout
+access_log stdio:/dev/stdout combined
+
+# Deny cache manager
+http_access deny manager
+
+# NCSA auth
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
+auth_param basic children 2 startup=2 idle=1
+auth_param basic credentialsttl 1 hours
+
+# Include config fragment
+include /etc/squid/conf.d/*.conf
+
--- a/example/prep.d/10-mv_conf.sh
+++ b/example/prep.d/10-mv_conf.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+
+
+if [ "squid" != "squid" ]; then
+  for DIR in vault consul nomad; do
+    if [ -d output/${DIR} ]; then
+      for FILE in $(find output/${DIR} -name "*squid*.hcl" -type f); do
+        NEW_FILE=$(echo "${FILE}" | sed -E "s/squid/squid/g")
+        mv "${FILE}" "${NEW_FILE}"
+      done
+    fi
+  done
+fi
+
+
+
--- a/example/squid.nomad.hcl
+++ b/example/squid.nomad.hcl
@ -0,0 +1,230 @@
+job "squid" {
+
+
+  datacenters = ["dc1"]
+
+
+  group "squid" {
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "squid"
+      port = 3128
+      connect {
+        sidecar_service {
+          disable_default_tcp_check = true
+        }
+        sidecar_task {
+          resources {
+            cpu    = 50
+            memory = 64
+          }
+
+        }
+      }
+
+    }
+
+    task "squid" {
+      driver = "docker"
+
+      config {
+        image           = "danielberteaud/squid:24.1-1"
+        readonly_rootfs = true
+        pids_limit      = 100
+        volumes = [
+          "secrets/:/etc/squid/conf.d",
+          "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
+        ]
+      }
+
+      env {
+        SQUID_LISTS_DIR         = "/local/lists"
+        SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
+        SQUID_CONF_5_acl        = "ssl_ports port 443 8443 8006 8007 8448"
+      }
+
+      template {
+        data        = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Remove any line containing auth_XXX acl not present in /secrets/acl.conf
+IFS=$'\n'
+for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf); do
+  ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\s]+).*/\1/')
+  if ! grep -q ${ACL} /secrets/acl.conf; then
+    echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
+    sed -i -E "/.*${ACL}.*/d" /secrets/env.conf
+  fi
+done
+
+
+_EOT
+        destination = "local/filter-acl.sh"
+        uid         = 100000
+        gid         = 100000
+        perms       = 755
+      }
+
+      template {
+        data        = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Empty the env.conf fragment and recreate it from env vars
+> /etc/squid/conf.d/env.conf
+/entrypoint.d/10-squid-conf.sh
+/entrypoint.d/30-filter-acl.sh
+
+# Parse squid config and if OK, reload
+if squid -k parse -f /etc/squid/squid.conf; then
+  killall -HUP squid
+fi
+
+_EOT
+        destination = "local/reload.sh"
+        uid         = 100000
+        gid         = 100000
+        perms       = 755
+      }
+
+      template {
+        data        = <<_EOT
+{{- range services }}
+  {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+{{ .Name }}:{{ sprig_bcrypt .Name }}
+  {{- end }}
+{{- end }}
+
+_EOT
+        destination = "secrets/auth"
+        uid         = 100000
+        gid         = 100031
+        perms       = 0640
+        change_mode = "noop"
+      }
+
+      template {
+        data        = <<_EOT
+{{- range services }}
+  {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+acl auth_{{ .Name }} proxy_auth {{ .Name }}
+  {{- end }}
+{{- end }}
+
+_EOT
+        destination = "secrets/acl.conf"
+        uid         = 100000
+        gid         = 100031
+        perms       = 0640
+        change_mode = "script"
+        change_script {
+          command = "/local/reload.sh"
+        }
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
+        destination = "local/lists/white/almalinux.list"
+        mode        = "file"
+      }
+
+      template {
+        data        = <<_EOT
+# Add an fake domain to prevents warnings in case Consul has no blacklist entry
+.nonexistingdomain
+{{- if keyExists "service/squid/lists/black" }}
+{{ key "service/squid/lists/black" }}
+{{- end }}
+
+_EOT
+        destination = "local/lists/black/blacklist.list"
+        change_mode = "script"
+        change_script {
+          command = "/local/reload.sh"
+        }
+      }
+
+      template {
+        data        = <<_EOT
+.lapiole.org
+
+_EOT
+        destination = "local/lists/white/dbd.list"
+        change_mode = "script"
+        change_script {
+          command = "/local/reload.sh"
+        }
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
+        destination = "local/lists/white/debian.list"
+        mode        = "file"
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
+        destination = "local/lists/white/epel.list"
+        mode        = "file"
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
+        destination = "local/lists/white/remi.list"
+        mode        = "file"
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
+        destination = "local/lists/white/various.list"
+        mode        = "file"
+      }
+
+      template {
+        data        = <<_EOT
+{{- if keyExists "service/squid/lists/white" }}
+{{ key "service/squid/lists/white" }}
+{{- end }}
+
+_EOT
+        destination = "local/lists/white/whitelist.list"
+        change_mode = "script"
+        change_script {
+          command = "/local/reload.sh"
+        }
+      }
+
+      artifact {
+        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
+        destination = "local/lists/white/windows.list"
+        mode        = "file"
+      }
+      # Use a template block instead of env {} so we can fetch values from vault
+      template {
+        data        = <<_EOT
+LANG=fr_FR.utf8
+SQUID_CONF_101_http_access=deny !auth all
+SQUID_CONF_102_http_access=allow localhost white
+SQUID_CONF_103_http_access=deny black
+SQUID_CONF_10_acl=auth proxy_auth REQUIRED
+SQUID_CONF_999_http_access=deny all
+TZ=Europe/Paris
+_EOT
+        destination = "secrets/.env"
+        perms       = 400
+        env         = true
+      }
+      resources {
+        cpu    = 100
+        memory = 256
+      }
+
+    }
+  }
+}
--- a/variables.yml
+++ b/variables.yml
@ -6,7 +6,7 @@ instance: squid
 squid:

  # Docker image to use
-  image: '[[ .docker.repo ]]squid:23.12-1'
+  image: '[[ .docker.repo ]]squid:24.1-1'

  # Resources
  resources: