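job "squid" {

  datacenters = ["dc1"]
  region      = "global"

  group "squid" {

    # Bridge networking with no host port mapping: the squid listener (3128)
    # is only reachable inside the allocation's network namespace, i.e.
    # through the Consul Connect sidecar registered on the service below.
    network {
      mode = "bridge"
    }

    count = 1

    service {
      name = "squid"
      port = 3128

      meta {
        alloc      = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group      = "${NOMAD_GROUP_NAME}"
        job        = "${NOMAD_JOB_NAME}"
        namespace  = "${NOMAD_NAMESPACE}"
        node       = "${node.unique.name}"
        region     = "${NOMAD_REGION}"
      }

      # NOTE(review): there is no `check` on this service and the sidecar's
      # default TCP check is disabled below, so Consul reports squid healthy
      # regardless of whether it is accepting connections — confirm that this
      # is intended (or add a tcp/http check on 3128).
      connect {
        sidecar_service {
          disable_default_tcp_check = true
        }

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }
    }

    task "squid" {
      driver = "docker"

      config {
        # TODO(review): mutable tag. This container decides which egress is
        # allowed; pin it by digest (image@sha256:...) so a re-pushed tag cannot
        # silently replace it.
        image           = "danielberteaud/squid:24.3-2"
        readonly_rootfs = true
        pids_limit      = 100

        volumes = [
          "local/squid.conf:/etc/squid/squid.conf:ro",
          # secrets/ is mounted writable on purpose: reload.sh regenerates
          # env.conf inside it (the rootfs itself is read-only).
          "secrets/:/etc/squid/conf.d",
          "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
        ]
      }

      # The Vault token is used only by the templates below: it is neither
      # exported to the task environment nor written to the secrets dir.
      vault {
        policies     = ["squid"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      env {
        SQUID_LISTS_DIR         = "/local/lists"
        SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
        # NOTE(review): ssl_ports is defined here but no
        # `http_access deny CONNECT !ssl_ports` rule is visible in this job;
        # unless the image's 10-squid-conf.sh adds one, CONNECT to arbitrary
        # ports is limited only by the domain lists — confirm.
        SQUID_CONF_5_acl = "ssl_ports port 443 8443 8006 8007 8448"
      }

      # Entrypoint hook: drops http_access lines that reference an
      # auth_<service> ACL no longer present in acl.conf (the service left
      # Consul), so `squid -k parse` does not fail on an undefined ACL.
      template {
        data        = <<_EOT
#!/bin/sh

# NOTE(review): pipefail is not POSIX; this assumes the image's /bin/sh is
# busybox ash or bash (the image's own entrypoint hooks presumably rely on the
# same) — confirm.
set -euo pipefail

# Split command substitutions on newlines only (portable spelling of IFS=$'\n').
IFS='
'

# Remove any http_access line referencing an auth_XXX acl not defined in
# /secrets/acl.conf. `|| true` keeps set -e from aborting when there is no
# auth_ rule at all (grep exits 1 on no match).
for LINE in $(grep -E "http_access .* auth_.*" /secrets/env.conf || true); do
  # Check every auth_ token on the line (negated "!auth_x" included), not
  # just the last one; a single missing ACL is enough to break the parse.
  for ACL in $(echo "${LINE}" | tr ' !' '\n\n' | grep -E '^auth_' || true); do
    # Anchored on the "acl <name> " definition so that auth_foo is not
    # satisfied by the mere existence of auth_foobar.
    if ! grep -qE "^acl ${ACL} " /secrets/acl.conf; then
      echo "Remove ${LINE} from /secrets/env.conf because acl ${ACL} doesn't exist"
      # Delete only lines where the ACL name appears as a whole token.
      sed -i -E "/(^|[^a-zA-Z0-9_-])${ACL}([^a-zA-Z0-9_-]|$)/d" /secrets/env.conf
      break
    fi
  done
done
_EOT
        destination = "local/filter-acl.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # Main squid.conf; everything environment/Consul driven lives in the
      # conf.d fragments included at the end.
      template {
        data        = <<_EOT
max_filedescriptors 8192
pid_filename none
http_port 3128

# Log on stdout
access_log stdio:/dev/stdout combined

# NCSA auth
# The htpasswd file is rendered to secrets/auth, which this job mounts at
# /etc/squid/conf.d/auth and Nomad exposes at /secrets/auth. The path below
# is kept consistent with SQUID_CONF_5_auth_param (it previously pointed at
# /etc/squid/auth, which nothing in this job creates).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth
auth_param basic children 2 startup=2 idle=1
auth_param basic credentialsttl 1 hours

# Allow squid manager (password comes from Vault, see the secrets/auth template)
acl auth_squid_manager proxy_auth squid_manager
http_access allow manager localhost auth_squid_manager
# Deny cache manager to anyone else
http_access deny manager

# Include config fragments: env.conf (generated from SQUID_CONF_* env vars)
# and acl.conf (rendered from the Consul catalog)
include /etc/squid/conf.d/*.conf

_EOT
        destination = "local/squid.conf"
      }

      # change_script target: regenerate env.conf from the SQUID_CONF_*
      # environment, prune stale auth_ ACL references, then HUP squid only if
      # the resulting configuration parses.
      template {
        data        = <<_EOT
#!/bin/sh

set -euo pipefail

# Empty the env.conf fragment and recreate it from env vars
> /etc/squid/conf.d/env.conf
/entrypoint.d/10-squid-conf.sh
/entrypoint.d/30-filter-acl.sh

# Parse squid config and if OK, reload. On a parse failure keep the running
# configuration and exit non-zero so the failure shows up in the task events
# instead of being silently ignored.
if squid -k parse -f /etc/squid/squid.conf; then
  killall -HUP squid
else
  echo "squid.conf failed to parse, not reloading" >&2
  exit 1
fi
_EOT
        destination = "local/reload.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # htpasswd-style file for basic_ncsa_auth. The squid_manager password is
      # taken from Vault; every other (non sidecar) Consul service gets an
      # account whose password is the service name itself.
      # NOTE(review): that makes the per-service credential guessable by
      # anything that can reach 3128 through the Connect sidecar and knows a
      # service name — the basic auth here identifies the caller for ACL
      # purposes, it does not authenticate it. Consul intentions on the
      # sidecar are the effective access control; if per-service isolation at
      # the proxy is wanted, derive the password from a Vault secret instead
      # of .Name.
      template {
        data        = <<_EOT
squid_manager:{{ with secret "kv/service/squid" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}
{{- end }}
{{- end }}

_EOT
        destination = "secrets/auth"
        uid         = 100000
        gid         = 100031
        perms       = 0640
        change_mode = "noop"
      }

      # One proxy_auth ACL per Consul service; a change here (service
      # appeared/disappeared) triggers reload.sh, which also prunes
      # http_access lines whose ACL went away.
      template {
        data        = <<_EOT
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
acl auth_{{ .Name }} proxy_auth {{ .Name }}
{{- end }}
{{- end }}

_EOT
        destination = "secrets/acl.conf"
        uid         = 100000
        gid         = 100031
        perms       = 0640
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      # Domain whitelists fetched at allocation start.
      # NOTE(review): these lists widen what the proxy lets out, and they are
      # pulled from a branch head with no checksum, so whoever can push to that
      # repository/branch can change the egress policy. Consider pinning to a
      # commit and adding `options { checksum = "sha256:..." }` on each artifact
      # (the digest must be computed from the real files, it is not known here).
      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains"
        destination = "local/lists/white/almalinux.list"
        mode        = "file"
      }

      # Blacklist from Consul KV (optional key).
      template {
        data        = <<_EOT
# Add an fake domain to prevents warnings in case Consul has no blacklist entry
.nonexistingdomain
{{- if keyExists "service/squid/lists/black" }}
{{ key "service/squid/lists/black" }}
{{- end }}

_EOT
        destination = "local/lists/black/blacklist.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      template {
        data        = <<_EOT
.lapiole.org

_EOT
        destination = "local/lists/white/dbd.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains"
        destination = "local/lists/white/debian.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains"
        destination = "local/lists/white/epel.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains"
        destination = "local/lists/white/remi.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains"
        destination = "local/lists/white/services.list"
        mode        = "file"
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains"
        destination = "local/lists/white/various.list"
        mode        = "file"
      }

      # Whitelist from Consul KV (optional key).
      template {
        data        = <<_EOT
{{- if keyExists "service/squid/lists/white" }}
{{ key "service/squid/lists/white" }}
{{- end }}

_EOT
        destination = "local/lists/white/whitelist.list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      artifact {
        source      = "https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains"
        destination = "local/lists/white/windows.list"
        mode        = "file"
      }

      # Use a template block instead of env {} so we can fetch values from vault.
      # Access policy (numeric prefix = order in env.conf): 10 requires proxy
      # auth, 101 denies anything unauthenticated, 102 allows localhost (the
      # Connect sidecar) to whitelisted domains, 103 denies blacklisted
      # domains, 999 denies everything else. The `white`/`black` ACLs are
      # presumably built by the image from SQUID_LISTS_DIR — confirm.
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
SQUID_CONF_101_http_access=deny !auth all
SQUID_CONF_102_http_access=allow localhost white
SQUID_CONF_103_http_access=deny black
SQUID_CONF_10_acl=auth proxy_auth REQUIRED
SQUID_CONF_999_http_access=deny all
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      resources {
        cpu    = 100
        memory = 256
      }
    }
  }
}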