
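---
# NOTE(review): nesting below was restored from a whitespace-flattened copy of
# this file (everything after `instance` is keyed under `squid`, as the
# `[[ .squid.exporter.version ]]` reference implies); confirm against the repo.

# Name of this instance (job name and service name)
instance: squid

squid:
  # Docker image to use
  image: '[[ .docker.repo ]]squid:24.5-1'

  # Number of instances to run
  count: 1

  # Resources
  resources:
    cpu: 100
    memory: 256

  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'
    rand_secrets:
      - fields:
          - manager_pwd

  # Env variables passed to the container.
  # Squid configuration directives can be passed as env variables:
  #
  # To add a directive
  #   - SQUID_CONF_<directive>: value
  # To add a directive, but sorted using <index> (number)
  #   - SQUID_CONF_<index>_<directive>: value
  # When a directive can be repeated several times, you can also pass an additional number like
  #   - SQUID_CONF_<directive>_<number>: value
  # For example
  #   # Ensure include is added before everything else
  #   SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
  #   # Add some access
  #   # Make authentication mandatory
  #   SQUID_CONF_http_access_20: deny !auth all
  #   # Allow access to the white category. As every access will be done through the service mesh
  #   # we can restrict it to localhost
  #   SQUID_CONF_http_access_21: allow localhost white
  #
  # Squid evaluates http_access rules in order and stops at the first match, so
  # the <index> prefix below is what defines the policy:
  #   101: unauthenticated requests are denied before any allow rule is reached
  #   102: authenticated requests from localhost (the service mesh) to the white category are allowed
  #   103: the black category is denied, but only for requests not already allowed
  #        by 102 — a domain present in both lists is therefore allowed; put the
  #        black rule first if black must take precedence
  #   999: default deny for everything else
  env:
    SQUID_CONF_10_acl: auth proxy_auth REQUIRED
    SQUID_CONF_101_http_access: deny !auth all
    SQUID_CONF_102_http_access: allow localhost white
    SQUID_CONF_103_http_access: deny black
    SQUID_CONF_999_http_access: deny all

  # List of destination ports for which squid will allow tunneling using CONNECT
  ssl_ports:
    - 443
    - 8443
    - 8006
    - 8007
    - 8448

  # Lists of domains used to build the black/white categories.
  # content can be used to directly set the content of the list (which can
  # include consul-template fragments to read from the Consul KV store).
  # url can be used to download a file from an http(s) source.
  # NOTE(review): the url entries below point at a mutable branch
  # (raw/branch/master) with no version pin or checksum, so the effective
  # whitelist is whatever that branch serves at download time; pin a revision
  # or verify the downloaded content if that matters for this deployment.
  lists:
    almalinux:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
      category: white
    dbd:
      content: |
        .lapiole.org
      category: white
    debian:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
      category: white
    epel:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
      category: white
    remi:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
      category: white
    windows:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
      category: white
    various:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
      category: white
    services:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains
      category: white
    whitelist:
      # Additional white entries read from the Consul KV store, if the key exists
      content: |
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{- end }}
      category: white
    blacklist:
      # The '#' line inside the block scalar below is part of the generated list
      # file, not a YAML comment
      content: |
        # Add an fake domain to prevents warnings in case Consul has no blacklist entry
        .nonexistingdomain
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{- end }}
      category: black

  consul:
    connect:
      # Disable default TCP check to prevent log noise
      disable_default_tcp_check: true

  prometheus:
    enabled: '[[ .prometheus.available ]]'
    metrics_url: http://127.0.0.1:9301/metrics

  exporter:
    # Quoted so the version is always read as a string, never a number
    version: '1.11.0'
    image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
    resources:
      cpu: 10
      memory: 30
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'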