
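# Nomad job running a Squid forward proxy behind Consul Connect.
# Everything Squid needs (squid.conf, helper scripts, the NCSA auth file,
# ACL fragments, domain lists) is rendered by templates into the task's
# local/ and secrets/ dirs; only the static domain lists come in as artifacts.
job "squid" {
  datacenters = ["dc1"]
  region      = "global"

  group "squid" {
    # Bridge networking: Squid is reached through the Connect sidecar
    # registered below, not through a host-mapped port.
    network {
      mode = "bridge"
    }

    count = 1

    service {
      name = "squid"
      port = 3128

      # Placement metadata exported on the Consul service instance.
      meta {
        alloc      = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group      = "${NOMAD_GROUP_NAME}"
        job        = "${NOMAD_JOB_NAME}"
        namespace  = "${NOMAD_NAMESPACE}"
        node       = "${node.unique.name}"
        region     = "${NOMAD_REGION}"
      }

      connect {
        sidecar_service {
          # No automatic TCP check on the sidecar listener.
          disable_default_tcp_check = true
        }

        sidecar_task {
          logs {
            disabled = false
          }

          config {
            # Envoy bootstrap; log level and worker count come from node meta.
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }
    }

    task "squid" {
      driver = "docker"

      config {
        image = "danielberteaud/squid:24.5-1"
        # Hardening: immutable root filesystem and a cap on the process count.
        readonly_rootfs = true
        pids_limit      = 100
        # secrets/ is mounted as Squid's conf.d, so every template rendered to
        # secrets/*.conf is pulled in by the `include` at the end of squid.conf.
        # filter-acl.sh is dropped into the image's entrypoint.d so it runs
        # after 10-squid-conf.sh has produced conf.d/env.conf.
        volumes = [
          "local/squid.conf:/etc/squid/squid.conf:ro",
          "secrets/:/etc/squid/conf.d",
          "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
        ]
      }

      vault {
        policies = ["squid"]
        # The Vault token is consumed only by the templates below: it is not
        # exported as an env var and not written to secrets/vault_token.
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      env {
        SQUID_LISTS_DIR = "/local/lists"
        # SQUID_CONF_<n>_<directive> vars are presumably turned into
        # conf.d/env.conf by the image's 10-squid-conf.sh (see reload.sh below).
        # The auth file referenced here is the one rendered to secrets/auth,
        # visible in the container at /secrets/auth.
        SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
        SQUID_CONF_5_acl        = "ssl_ports port 443 8443 8006 8007 8448"
      }

      # Entrypoint hook: drop http_access rules that reference an auth_<svc>
      # ACL which is not declared in secrets/acl.conf (acl.conf is rendered
      # from the Consul catalog, env.conf from the SQUID_CONF_* env vars), so
      # a rule for a service that has disappeared does not break the config.
      template {
        data        = <<_EOT
#!/bin/sh
set -euo pipefail
# Remove any line containing auth_XXX acl not present in /secrets/acl.conf
# Split the grep output on newlines only. Spelled the POSIX way: $'\n' is a
# bash extension and this script runs under /bin/sh.
IFS="
"
for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf); do
  # printf rather than echo so a line starting with '-' or containing
  # backslashes reaches sed untouched; quoting avoids glob expansion.
  ACL=$(printf '%s\n' "${LINE}" | sed -E 's/http_access .* (auth_[^\ ]+).*/\1/')
  # acl.conf lines have the form "acl auth_<svc> proxy_auth <svc>". Match the
  # declaration as a fixed string with its trailing space so that auth_foo is
  # not considered present merely because auth_foobar is declared.
  if ! grep -qF -- "acl ${ACL} " /secrets/acl.conf; then
    echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
    # Delete only lines where the acl name is a whole token, not a prefix of
    # a longer acl name (auth_foo must not remove the auth_foobar rules).
    sed -i -E "/(^|[[:space:]])${ACL}([[:space:]]|$)/d" /secrets/env.conf
  fi
done
_EOT
        destination = "local/filter-acl.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # Base squid.conf; everything environment-specific lives in conf.d/.
      template {
        data        = <<_EOT
max_filedescriptors 8192
pid_filename none
http_port 3128
# Log on stdout
access_log stdio:/dev/stdout combined
# NCSA auth
# NOTE(review): this path differs from the one set through
# SQUID_CONF_5_auth_param (/secrets/auth), which ends up in the included
# env.conf; confirm that the later directive is the one Squid keeps.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
auth_param basic children 2 startup=2 idle=1
auth_param basic credentialsttl 1 hours
# Allow squid manager
acl auth_squid_manager proxy_auth squid_manager
http_access allow manager localhost auth_squid_manager
# Deny cache manager to anyone else
http_access deny manager
# Include config fragment
include /etc/squid/conf.d/*.conf
_EOT
        destination = "local/squid.conf"
      }

      # change_script used by the templates below: rebuild env.conf, re-run the
      # ACL filter, then HUP Squid only if the resulting config parses.
      template {
        data        = <<_EOT
#!/bin/sh
set -euo pipefail
# Empty the env.conf fragment and recreate it from env vars
> /etc/squid/conf.d/env.conf
/entrypoint.d/10-squid-conf.sh
/entrypoint.d/30-filter-acl.sh
# Parse squid config and if OK, reload. A failed parse is reported on stderr
# and the old config stays loaded; the non-zero exit is only visible in the
# task logs unless change_script.fail_on_error is enabled.
if squid -k parse -f /etc/squid/squid.conf; then
  killall -HUP squid
else
  echo "squid.conf failed to parse, not reloading" >&2
  exit 1
fi
_EOT
        destination = "local/reload.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # NCSA (htpasswd-style) credential file. The manager password comes from
      # Vault; every non-sidecar Consul service additionally gets an account
      # whose password is its own service name. That is only acceptable if
      # the proxy is reachable solely through the Connect mesh — presumably
      # the case with bridge networking above; confirm before exposing it.
      template {
        data        = <<_EOT
squid_manager:{{ with secret "kv/service/squid" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}
{{- end }}
{{- end }}
_EOT
        destination = "secrets/auth"
        uid         = 100000
        # gid differs from the other files: presumably the squid group inside
        # the user namespace, so the helper can read the 0640 file — confirm.
        gid         = 100031
        perms       = 0640
        change_mode = "noop"
      }

      # One proxy_auth ACL per non-sidecar Consul service; filter-acl.sh keys
      # on the exact "acl auth_<svc> " prefix of these lines.
      template {
        data        = <<_EOT
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
acl auth_{{ .Name }} proxy_auth {{ .Name }}
{{- end }}
{{- end }}
_EOT
        destination = "secrets/acl.conf"
        uid         = 100000
        gid         = 100031
        perms       = 0640
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      # Static domain allow-lists fetched at task start. They come from a
      # mutable branch (raw/branch/master) with no `options { checksum = ... }`,
      # so their content is not pinned: consider adding
      # `options { checksum = "sha256:<hash of the list file>" }` once the
      # lists are versioned, or accept that a restart may pull different lists.
      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
        destination = "local/lists/white/almalinux.list"
        mode        = "file"
      }

      # Deny-list fed from Consul KV; re-rendered and reloaded on change.
      template {
        data        = <<_EOT
# Add an fake domain to prevents warnings in case Consul has no blacklist entry
.nonexistingdomain
{{- if keyExists "service/squid/lists/black" }}
{{ key "service/squid/lists/black" }}
{{- end }}
_EOT
        destination = "local/lists/black/blacklist.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      template {
        data        = <<_EOT
.lapiole.org
_EOT
        destination = "local/lists/white/dbd.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
        destination = "local/lists/white/debian.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
        destination = "local/lists/white/epel.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
        destination = "local/lists/white/remi.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains"
        destination = "local/lists/white/services.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
        destination = "local/lists/white/various.list"
        mode        = "file"
      }

      # Allow-list fed from Consul KV; re-rendered and reloaded on change.
      template {
        data        = <<_EOT
{{- if keyExists "service/squid/lists/white" }}
{{ key "service/squid/lists/white" }}
{{- end }}
_EOT
        destination = "local/lists/white/whitelist.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
        destination = "local/lists/white/windows.list"
        mode        = "file"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # Rendered with env = true, so each KEY=VALUE line becomes a task env var.
      # The http_access ordering is driven by the numeric prefix; 999 is the
      # final catch-all deny.
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
SQUID_CONF_101_http_access=deny !auth all
SQUID_CONF_102_http_access=allow localhost white
SQUID_CONF_103_http_access=deny black
SQUID_CONF_10_acl=auth proxy_auth REQUIRED
SQUID_CONF_999_http_access=deny all
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      resources {
        cpu    = 100
        memory = 256
      }
    }
  }
}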