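---
# NOTE(review): nesting was restored from a whitespace-mangled copy of this
# file; key placement follows the references used elsewhere in the file
# (e.g. [[ .squid.exporter.version ]]) — confirm against the original.

# Name of this instance (job name and service name)
instance: squid

squid:

  # Docker image to use
  image: '[[ .docker.repo ]]squid:24.3-2'

  # Number of instances to run:
  count: 1

  # Resources
  resources:
    cpu: 100
    memory: 256

  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'
    # Secrets generated at deploy time rather than stored in this file
    rand_secrets:
      - fields:
          - manager_pwd

  # Env variables passed to the container
  # squid configuration can be passed with
  #
  # To add a directive
  # - SQUID_CONF_<directive>: value
  # To add a directive, but sorted using <index> (number)
  # - SQUID_CONF_<index>_<directive>: value
  # When a directive can be repeated several times, you can also pass an additional number like
  # - SQUID_CONF_<directive>_<number>: value
  # For example
  # # Ensure include is added before everything else
  # SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
  # # Add some access
  # # Make authentication mandatory
  # SQUID_CONF_http_access_20: deny !auth all
  # # Allow access to the white category. As every access will be done through the service mesh
  # # We can restrict it to localhost
  # SQUID_CONF_http_access_21: allow localhost white
  #
  # http_access rules are evaluated in index order and the first match wins:
  # 101 enforces authentication before any allow rule, 999 is the final
  # default deny. NOTE(review): a domain present in both the white and the
  # black lists is allowed by 102 before 103 is reached — confirm that this
  # precedence (allow-list over block-list) is intended.
  env:
    SQUID_CONF_10_acl: auth proxy_auth REQUIRED
    SQUID_CONF_101_http_access: deny !auth all
    SQUID_CONF_102_http_access: allow localhost white
    SQUID_CONF_103_http_access: deny black
    SQUID_CONF_999_http_access: deny all

  # List of destination ports for which squid will allow tunneling using CONNECT
  ssl_ports:
    - 443
    - 8443
    - 8006
    - 8007
    - 8448

  # List of domain lists used to build the black/white categories
  # content can be used to directly set the content of the list (which can include consul-template fragment to read from consul KV store)
  # url can be used to download a file from an http(s) source
  #
  # Entries fetched by url are trusted as-is: the allow-list is only as
  # trustworthy as the remote source, and no integrity check is configured here.
  # Entries read from Consul KV are controlled by whoever can write that key
  # path, so KV write access on it is effectively write access to the lists.
  lists:
    almalinux:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
      category: white
    dbd:
      content: |
        .lapiole.org
      category: white
    debian:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
      category: white
    epel:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
      category: white
    remi:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
      category: white
    windows:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
      category: white
    various:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
      category: white
    services:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains
      category: white
    whitelist:
      content: |
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{- end }}
      category: white
    blacklist:
      content: |
        # Add an fake domain to prevents warnings in case Consul has no blacklist entry
        .nonexistingdomain
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{- end }}
      category: black

  # Disable default TCP check to prevent log noise
  consul:
    connect:
      disable_default_tcp_check: true

  prometheus:
    enabled: '[[ .prometheus.available ]]'
    # Scraped on loopback only; not exposed outside the task
    metrics_url: http://127.0.0.1:9301/metrics

  exporter:
    version: 1.11.0
    image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
    resources:
      cpu: 10
      memory: 30
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'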