90 lines
3.2 KiB
YAML
90 lines
3.2 KiB
YAML
---
|
|
|
|
squid:
|
|
# Name of this instance (job name and service name)
|
|
instance: squid
|
|
|
|
# Docker image to use
|
|
image: danielberteaud/squid:23.10-1
|
|
|
|
# Resources
|
|
resources:
|
|
cpu: 100
|
|
memory: 256
|
|
|
|
# Env variables passed to the container
|
|
# squid configuration can be passed with
|
|
#
|
|
# To add directive
|
|
# - SQUID_CONF_<directive>: value
|
|
# To add directive, but sorted using <index> (number)
|
|
# - SQUID_CONF_<index>_<directive>: value
|
|
# When a directive can be repeasted sevral times, you can also pass an additional number like
|
|
# - SQUID_CONF_<directive>_<number>: value
|
|
# For example
|
|
# # Ensure include is added before everything else
|
|
# SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
|
|
# # Add some access
|
|
# # Make authentication mandatory
|
|
# SQUID_CONF_http_access_20: deny !auth all
|
|
# # Allow access to the white category. As every access will be done through the service mesh
|
|
# # We can restrict it to localhost
|
|
# SQUID_CONF_http_access_21: allow localhost white
|
|
env:
|
|
SQUID_CONF_acl_10: auth proxy_auth REQUIRED
|
|
SQUID_CONF_http_access_20: deny !auth all
|
|
SQUID_CONF_http_access_21: allow localhost white
|
|
SQUID_CONF_http_access_22: deny black
|
|
SQUID_CONF_http_access_200: deny all
|
|
|
|
# List of destination ports for which squid will allow tunneling using CONNECT
|
|
ssl_ports:
|
|
- 443
|
|
- 8443
|
|
- 8006
|
|
- 8007
|
|
|
|
# List of domain to build black/white lists
|
|
# content can be used to directly set the content of the list (which can include consul-template fragment to read from consul KV store)
|
|
# url can be used to download a file from an http(s) source
|
|
lists:
|
|
almalinux:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
|
|
category: white
|
|
dbd:
|
|
content: |
|
|
.lapiole.org
|
|
category: white
|
|
debian:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
|
|
category: white
|
|
epel:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
|
|
category: white
|
|
remi:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
|
|
category: white
|
|
windows:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
|
|
category: white
|
|
various:
|
|
url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
|
|
category: white
|
|
whitelist:
|
|
content: |
|
|
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
|
|
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
|
|
{{- end }}
|
|
category: white
|
|
blacklist:
|
|
content: |
|
|
{{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
|
{{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
|
|
{{- end }}
|
|
category: black
|
|
|
|
# Disable default TCP check to prevent log noise
|
|
consul:
|
|
connect:
|
|
disable_default_tcp_check: true
|