

job "squid" {
datacenters = ["dc1"]
region = "global"
group "squid" {
network {
mode = "bridge"
count = 1
service {
name = "squid"
port = 3128
connect {
sidecar_service {
disable_default_tcp_check = true
sidecar_task {
config {
args = [
resources {
cpu = 50
memory = 64
task "squid" {
driver = "docker"
config {
image = "danielberteaud/squid:24.3-2"
readonly_rootfs = true
pids_limit = 100
volumes = [
env {
SQUID_LISTS_DIR = "/local/lists"
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
SQUID_CONF_5_acl = "ssl_ports port 443 8443 8006 8007 8448"
# Renders /local/filter-acl.sh (run by the task, perms 755): it drops every
# http_access rule in /secrets/env.conf that references an auth_<service> acl
# which /secrets/acl.conf does not define, so squid does not fail to parse on a
# rule for a service that is no longer registered.
# NOTE(review): the closing `fi`, `done` and `_EOT` lines are not visible in this
# rendering. `for LINE in $(grep …)` is unquoted, so unless IFS is set to a newline
# in a line not shown here, LINE iterates over whitespace-separated words rather
# than whole lines; the sed pattern then never matches and a non-acl word would
# reach `sed -i "/.*${ACL}.*/d"`, deleting unrelated lines — confirm against the
# full script. ${ACL} is also interpolated unquoted into a grep argument and a sed
# regex; it is derived from a file the task itself renders, not from user input.
template {
data = <<_EOT
set -euo pipefail
# Remove any line containing auth_XXX acl not present in /secrets/acl.conf
for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf); do
ACL=$(echo ${LINE} | sed -E 's/http_access .* (auth_[^\ ]+).*/\1/')
if ! grep -q ${ACL} /secrets/acl.conf; then
echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
sed -i -E "/.*${ACL}.*/d" /secrets/env.conf
destination = "local/filter-acl.sh"
uid = 100000
gid = 100000
perms = 755
template {
data = <<_EOT
set -euo pipefail
# Empty the env.conf fragment and recreate it from env vars
> /etc/squid/conf.d/env.conf
# Parse squid config and if OK, reload
if squid -k parse -f /etc/squid/squid.conf; then
killall -HUP squid
destination = "local/reload.sh"
uid = 100000
gid = 100000
perms = 755
# Renders the htpasswd-style file read by basic_ncsa_auth (see SQUID_CONF_5_auth_param
# in env {}, which points at /secrets/auth): one "<service>:<bcrypt hash>" line per
# registered Consul service, skipping the Connect sidecar proxies.
# The hashed password is the service name itself (sprig_bcrypt .Name), so the
# credential is derivable from the service name; this only makes sense if
# reachability of port 3128 is already restricted (presumably via the Connect
# sidecar) — NOTE(review): confirm that assumption.
# change_mode = "noop": a change in the service list rewrites the file without
# signalling squid; presumably basic_ncsa_auth re-reads it per lookup — confirm.
# File is group-readable (0640, gid 100031) so the squid process can open it.
template {
data = <<_EOT
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}
{{- end }}
{{- end }}
destination = "secrets/auth"
uid = 100000
gid = 100031
perms = 0640
change_mode = "noop"
template {
data = <<_EOT
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
acl auth_{{ .Name }} proxy_auth {{ .Name }}
{{- end }}
{{- end }}
destination = "secrets/acl.conf"
uid = 100000
gid = 100031
perms = 0640
change_mode = "script"
change_script {
command = "/local/reload.sh"
# Allowlist of domains fetched at task start over HTTPS from a git branch
# (mode = "file": written verbatim to the destination under /local/lists/white).
# No checksum is visible in this rendering (Nomad artifact accepts an
# options { checksum = "sha256:<placeholder>" } stanza), so the allowlist content
# is trusted as delivered by the remote host; the same applies to the other
# artifact blocks in this file. NOTE(review): decide whether pinning is wanted —
# it breaks every time the upstream list legitimately changes, so a fixed tag or
# commit in the source URL may be the more practical control.
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
destination = "local/lists/white/almalinux.list"
mode = "file"
template {
data = <<_EOT
# Add an fake domain to prevents warnings in case Consul has no blacklist entry
{{- if keyExists "service/squid/lists/black" }}
{{ key "service/squid/lists/black" }}
{{- end }}
destination = "local/lists/black/blacklist.list"
change_mode = "script"
change_script {
command = "/local/reload.sh"
template {
data = <<_EOT
destination = "local/lists/white/dbd.list"
change_mode = "script"
change_script {
command = "/local/reload.sh"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
destination = "local/lists/white/debian.list"
mode = "file"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
destination = "local/lists/white/epel.list"
mode = "file"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
destination = "local/lists/white/remi.list"
mode = "file"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains"
destination = "local/lists/white/services.list"
mode = "file"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
destination = "local/lists/white/various.list"
mode = "file"
template {
data = <<_EOT
{{- if keyExists "service/squid/lists/white" }}
{{ key "service/squid/lists/white" }}
{{- end }}
destination = "local/lists/white/whitelist.list"
change_mode = "script"
change_script {
command = "/local/reload.sh"
artifact {
source = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
destination = "local/lists/white/windows.list"
mode = "file"
# Use a template block instead of env {} so we can fetch values from vault
# Rendered to secrets/.env and injected into the task environment (env = true);
# perms 400 keeps the file owner-only on disk. The SQUID_CONF_<N>_* names match the
# ones in env {} and presumably N is the ordering of the generated squid.conf
# lines — confirm. Read in that order: acl auth requires proxy authentication
# (10), unauthenticated requests are denied (101), requests from localhost to
# allowlisted domains are allowed (102), blocklisted domains are denied (103),
# and everything else is denied (999).
# NOTE(review): nothing Vault-related is visible in this rendering of the data.
template {
data = <<_EOT
SQUID_CONF_101_http_access=deny !auth all
SQUID_CONF_102_http_access=allow localhost white
SQUID_CONF_103_http_access=deny black
SQUID_CONF_10_acl=auth proxy_auth REQUIRED
SQUID_CONF_999_http_access=deny all
destination = "secrets/.env"
perms = 400
env = true
resources {
cpu = 100
memory = 256