From e2be22dd3cefc4cb2de46d7167169f81b58cef21 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sat, 13 Jan 2024 14:33:57 +0100
Subject: [PATCH] Update image and add rendered example
---
example/images/squid/Dockerfile | 25 ++
.../squid/root/entrypoint.d/10-squid-conf.sh | 25 ++
.../squid/root/entrypoint.d/20-squid-users.sh | 9 +
.../images/squid/root/etc/squid/squid.conf | 18 ++
example/prep.d/10-mv_conf.sh | 19 ++
example/squid.nomad.hcl | 230 ++++++++++++++++++
variables.yml | 2 +-
7 files changed, 327 insertions(+), 1 deletion(-)
create mode 100644 example/images/squid/Dockerfile
create mode 100755 example/images/squid/root/entrypoint.d/10-squid-conf.sh
create mode 100755 example/images/squid/root/entrypoint.d/20-squid-users.sh
create mode 100644 example/images/squid/root/etc/squid/squid.conf
create mode 100755 example/prep.d/10-mv_conf.sh
create mode 100644 example/squid.nomad.hcl
diff --git a/example/images/squid/Dockerfile b/example/images/squid/Dockerfile
new file mode 100644
index 0000000..c5d4a0b
--- /dev/null
+++ b/example/images/squid/Dockerfile
@@ -0,0 +1,25 @@
+FROM danielberteaud/alpine:24.1-2
+MAINTAINER Daniel Berteaud
+
+ENV SQUID_CONFDIR=/etc/squid \
+ SQUID_CONF_20_acl_10="safe_ports port 80 443 21" \
+ SQUID_CONF_20_acl_11="ssl_ports port 443 8443 8006 8007" \
+ SQUID_CONF_20_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
+ SQUID_CONF_100_http_access="deny CONNECT !ssl_ports"\
+ SQUID_CONF_1000_http_access="allow all"
+
+RUN set -eux &&\
+ apk --no-cache upgrade &&\
+ apk --no-cache add squid apache2-utils &&\
+ mkdir /etc/squid/conf.d/ &&\
+ touch /etc/squid/conf.d/env.conf &&\
+ touch /etc/squid/auth &&\
+ chown squid:squid /etc/squid/auth &&\
+ chmod 600 /etc/squid/auth &&\
+ chown -R squid:squid /etc/squid/conf.d/
+
+COPY root/ /
+
+EXPOSE 3128
+USER squid
+CMD ["squid", "-N", "-u", "0"]
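Review bot: The default `SQUID_CONF_1000_http_access="allow all"` in the ENV block makes the image an open proxy when it is run without an overriding deployment: the copied squid.conf ends with `include /etc/squid/conf.d/*.conf` and has no terminal `http_access deny all` of its own, and the entrypoint appends the env-derived rules in `sort -V` order, so after `deny manager` and `deny CONNECT !ssl_ports` the last rule evaluated is `allow all`. A safer image default is `SQUID_CONF_1000_http_access="deny all"`, with deployments adding their allow rules under a lower number (the example job already sets `SQUID_CONF_999_http_access=deny all` for itself, so it would be unaffected). `MAINTAINER` is deprecated; use `LABEL org.opencontainers.image.authors="Daniel Berteaud"`. `apk --no-cache add squid apache2-utils` is unpinned, so rebuilds are not reproducible; pin as `squid=<version-r0> apache2-utils=<version-r0>` (placeholders) and bump deliberately.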
diff --git a/example/images/squid/root/entrypoint.d/10-squid-conf.sh b/example/images/squid/root/entrypoint.d/10-squid-conf.sh
new file mode 100755
index 0000000..ca936f8
--- /dev/null
+++ b/example/images/squid/root/entrypoint.d/10-squid-conf.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p ${SQUID_CONFDIR}
+
+mkdir -p ${SQUID_CONFDIR}/conf.d
+if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
+ for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
+ for LIST in $(ls ${CATEGORY}/*.list); do
+ CATEGORY=$(basename ${CATEGORY})
+ ACL=$(basename ${LIST} .list)
+ echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+ echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+ echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+ echo "acl ${ACL} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+ done
+ done
+fi
+
+for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
+ DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
+ echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
+ echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
+done
diff --git a/example/images/squid/root/entrypoint.d/20-squid-users.sh b/example/images/squid/root/entrypoint.d/20-squid-users.sh
new file mode 100755
index 0000000..f0cb62d
--- /dev/null
+++ b/example/images/squid/root/entrypoint.d/20-squid-users.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -euo pipefail
+
+for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
+ echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
+ htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
+done
+
+
diff --git a/example/images/squid/root/etc/squid/squid.conf b/example/images/squid/root/etc/squid/squid.conf
new file mode 100644
index 0000000..dbb3eec
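Review bot: The list-discovery loop is fragile: `for LIST in $(ls ${CATEGORY}/*.list)` word-splits `ls` output, `CATEGORY` is overwritten with its own basename inside that inner loop (it keeps working only because `basename` is idempotent), and `${SQUID_CONFDIR}` and `${LIST}` are unquoted throughout, so a path with whitespace or glob characters yields wrong `acl` lines. Iterating the directory and `*.list` globs directly, with the directory path kept in its own variable, removes the `find`/`ls` parsing and the reassignment; the block below is equivalent for the layout the example job creates (`/local/lists/<category>/<name>.list`), and the `|| continue` guards cover an empty category. Both loops append with `>>` and never truncate `env.conf`, while the job's reload.sh runs `> /etc/squid/conf.d/env.conf` before calling this script; doing that truncation here would make a restart against the persistent `secrets/` mount idempotent as well. `[ -n … -a -d … ]` can be two tests joined by `&&`, since `-a` is obsolescent in POSIX `test`.
```sh
mkdir -p "${SQUID_CONFDIR}/conf.d"
if [ -n "${SQUID_LISTS_DIR}" ] && [ -d "${SQUID_LISTS_DIR}" ]; then
  for CATEGORY_DIR in "${SQUID_LISTS_DIR}"/*/; do
    [ -d "${CATEGORY_DIR}" ] || continue
    CATEGORY=$(basename "${CATEGORY_DIR}")
    for LIST in "${CATEGORY_DIR}"*.list; do
      [ -f "${LIST}" ] || continue
      ACL=$(basename "${LIST}" .list)
      echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
      echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> "${SQUID_CONFDIR}/conf.d/env.conf"
      echo "Adding acl ${ACL} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
      echo "acl ${ACL} dstdomain \"${LIST}\"" >> "${SQUID_CONFDIR}/conf.d/env.conf"
    done
  done
fi
# … unchanged: SQUID_CONF_* env-var loop …
```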
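Review bot: `htpasswd -b` places each cleartext password on the command line, where it is readable from the process list for the duration of the call; `htpasswd -i` reads it from stdin instead: `printf '%s\n' "$(printenv SQUID_USER_${USER})" | htpasswd -i -B "${SQUID_CONFDIR}/auth" "${USER}"`. Quoting `${SQUID_CONFDIR}/auth` and `${USER}` also keeps the path intact if the config dir is ever overridden to something containing spaces. This script uses `set -euo pipefail` while its sibling `10-squid-conf.sh` uses only `set -e`; settling on one convention for `/entrypoint.d/*` makes failures behave the same way in both.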
--- /dev/null
+++ b/example/images/squid/root/etc/squid/squid.conf
@@ -0,0 +1,18 @@
+max_filedescriptors 8192
+pid_filename none
+http_port 3128
+
+# Log on stdout
+access_log stdio:/dev/stdout combined
+
+# Deny cache manager
+http_access deny manager
+
+# NCSA auth
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
+auth_param basic children 2 startup=2 idle=1
+auth_param basic credentialsttl 1 hours
+
+# Include config fragment
+include /etc/squid/conf.d/*.conf
+
diff --git a/example/prep.d/10-mv_conf.sh b/example/prep.d/10-mv_conf.sh
new file mode 100755
index 0000000..08ff059
--- /dev/null
+++ b/example/prep.d/10-mv_conf.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+
+
+if [ "squid" != "squid" ]; then
+ for DIR in vault consul nomad; do
+ if [ -d output/${DIR} ]; then
+ for FILE in $(find output/${DIR} -name "*squid*.hcl" -type f); do
+ NEW_FILE=$(echo "${FILE}" | sed -E "s/squid/squid/g")
+ mv "${FILE}" "${NEW_FILE}"
+ done
+ fi
+ done
+fi
+
+
+
diff --git a/example/squid.nomad.hcl b/example/squid.nomad.hcl
new file mode 100644
index 0000000..36ae34c
--- /dev/null
+++ b/example/squid.nomad.hcl
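Review bot: The `# Include config fragment` comment should say what the fragment is and where it comes from, because the proxy's access policy lives almost entirely in it: `# conf.d/env.conf is filled at container start by /entrypoint.d/10-squid-conf.sh from SQUID_CONF_* variables and list files; its http_access rules are evaluated after 'deny manager' above, so the terminal 'deny all' must come from the environment`. `pid_filename none` also deserves a why-comment: without a pid file `squid -k reconfigure` cannot locate the running process, which is presumably why the example job's reload.sh signals the foreground `squid -N` with `killall -HUP squid` after a successful `squid -k parse`.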
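Review bot: In this rendered example the whole body of 10-mv_conf.sh is dead code: `[ "squid" != "squid" ]` is always false and `sed -E "s/squid/squid/g"` is a no-op, because the instance name equals the role name. That is harmless, but it suggests the generating template could emit nothing (or a one-line `# instance name equals the role name, nothing to rename`) when the two values match, which would also drop the three trailing blank lines. If the block is kept, `for FILE in $(find …)` word-splits paths containing whitespace; `find … -exec` or a `while IFS= read -r FILE` loop handles them.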
@@ -0,0 +1,230 @@
+job "squid" {
+
+
+ datacenters = ["dc1"]
+
+
+ group "squid" {
+ network {
+ mode = "bridge"
+ }
+
+ service {
+ name = "squid"
+ port = 3128
+ connect {
+ sidecar_service {
+ disable_default_tcp_check = true
+ }
+ sidecar_task {
+ resources {
+ cpu = 50
+ memory = 64
+ }
+
+ }
+ }
+
+ }
+
+ task "squid" {
+ driver = "docker"
+
+ config {
+ image = "danielberteaud/squid:24.1-1"
+ readonly_rootfs = true
+ pids_limit = 100
+ volumes = [
+ "secrets/:/etc/squid/conf.d",
+ "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
+ ]
+ }
+
+ env {
+ SQUID_LISTS_DIR = "/local/lists"
+ SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
+ SQUID_CONF_5_acl = "ssl_ports port 443 8443 8006 8007 8448"
+ }
+
+ template {
+ data = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Remove any line containing auth_XXX acl not present in /secrets/acl.conf
+IFS=$'\n'
+for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf); do
+ ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\s]+).*/\1/')
+ if ! grep -q ${ACL} /secrets/acl.conf; then
+ echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
+ sed -i -E "/.*${ACL}.*/d" /secrets/env.conf
+ fi
+done
+
+
+_EOT
+ destination = "local/filter-acl.sh"
+ uid = 100000
+ gid = 100000
+ perms = 755
+ }
+
+ template {
+ data = <<_EOT
+#!/bin/sh
+
+set -euo pipefail
+
+# Empty the env.conf fragment and recreate it from env vars
+> /etc/squid/conf.d/env.conf
+/entrypoint.d/10-squid-conf.sh
+/entrypoint.d/30-filter-acl.sh
+
+# Parse squid config and if OK, reload
+if squid -k parse -f /etc/squid/squid.conf; then
+ killall -HUP squid
+fi
+
+_EOT
+ destination = "local/reload.sh"
+ uid = 100000
+ gid = 100000
+ perms = 755
+ }
+
+ template {
+ data = <<_EOT
+{{- range services }}
+ {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+{{ .Name }}:{{ sprig_bcrypt .Name }}
+ {{- end }}
+{{- end }}
+
+_EOT
+ destination = "secrets/auth"
+ uid = 100000
+ gid = 100031
+ perms = 0640
+ change_mode = "noop"
+ }
+
+ template {
+ data = <<_EOT
+{{- range services }}
+ {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+acl auth_{{ .Name }} proxy_auth {{ .Name }}
+ {{- end }}
+{{- end }}
+
+_EOT
+ destination = "secrets/acl.conf"
+ uid = 100000
+ gid = 100031
+ perms = 0640
+ change_mode = "script"
+ change_script {
+ command = "/local/reload.sh"
+ }
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
+ destination = "local/lists/white/almalinux.list"
+ mode = "file"
+ }
+
+ template {
+ data = <<_EOT
+# Add an fake domain to prevents warnings in case Consul has no blacklist entry
+.nonexistingdomain
+{{- if keyExists "service/squid/lists/black" }}
+{{ key "service/squid/lists/black" }}
+{{- end }}
+
+_EOT
+ destination = "local/lists/black/blacklist.list"
+ change_mode = "script"
+ change_script {
+ command = "/local/reload.sh"
+ }
+ }
+
+ template {
+ data = <<_EOT
+.lapiole.org
+
+_EOT
+ destination = "local/lists/white/dbd.list"
+ change_mode = "script"
+ change_script {
+ command = "/local/reload.sh"
+ }
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
+ destination = "local/lists/white/debian.list"
+ mode = "file"
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
+ destination = "local/lists/white/epel.list"
+ mode = "file"
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
+ destination = "local/lists/white/remi.list"
+ mode = "file"
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
+ destination = "local/lists/white/various.list"
+ mode = "file"
+ }
+
+ template {
+ data = <<_EOT
+{{- if keyExists "service/squid/lists/white" }}
+{{ key "service/squid/lists/white" }}
+{{- end }}
+
+_EOT
+ destination = "local/lists/white/whitelist.list"
+ change_mode = "script"
+ change_script {
+ command = "/local/reload.sh"
+ }
+ }
+
+ artifact {
+ source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
+ destination = "local/lists/white/windows.list"
+ mode = "file"
+ }
+ # Use a template block instead of env {} so we can fetch values from vault
+ template {
+ data = <<_EOT
+LANG=fr_FR.utf8
+SQUID_CONF_101_http_access=deny !auth all
+SQUID_CONF_102_http_access=allow localhost white
+SQUID_CONF_103_http_access=deny black
+SQUID_CONF_10_acl=auth proxy_auth REQUIRED
+SQUID_CONF_999_http_access=deny all
+TZ=Europe/Paris
+_EOT
+ destination = "secrets/.env"
+ perms = 400
+ env = true
+ }
+ resources {
+ cpu = 100
+ memory = 256
+ }
+
+ }
+ }
+}
diff --git a/variables.yml b/variables.yml
index 4bab581..e0a9ff3 100644
--- a/variables.yml
+++ b/variables.yml
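Review bot: The `secrets/auth` template derives each proxy account's password from the account name itself (`{{ .Name }}:{{ sprig_bcrypt .Name }}`), so as written every credential is guessable by anyone who knows a Consul service name, and the `auth_<service>` ACLs identify a client no better than Connect reachability already does. If per-service passwords are the intent, source them from a secret store — e.g. a per-service lookup such as `{{ with secret "<path-to-service-credential>" }}` (placeholder path) — and keep `sprig_bcrypt` for hashing only. The `artifact` blocks fetch the whitelist domain files from a mutable `raw/branch/master` URL with no `options { checksum = "sha256:<digest>" }`, so an upstream or in-transit change silently alters proxy policy at the next allocation; pinning to a commit and adding the checksum closes that. In filter-acl.sh, `grep -q ${ACL} /secrets/acl.conf` and `sed -i -E "/.*${ACL}.*/d"` are substring matches, so `auth_web` is treated as present when only `auth_webmail` exists and the deletion can remove unrelated lines; `grep -qw -- "${ACL}"` and an anchored pattern such as `"/ ${ACL}( |$)/d"` avoid both.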
@@ -6,7 +6,7 @@ instance: squid squid: # Docker image to use - image: '[[ .docker.repo ]]squid:23.12-1' + image: '[[ .docker.repo ]]squid:24.1-1' # Resources resources: