r/squid: Support custom ACLs and rules

The default set of access control lists and access rules for Squid is
fine for allowing hosts on the local network access to the web in
general.  For other uses, such as web filtering, etc., more complex rules
may be needed.  To that end, the *squid* role now supports some
additional variables.  Notably, `squid_acl` contains a map of ACL names
to list entries and `squid_http_access` contains a list of access rules.
If these are set, their corresponding defaults are not included in the
rendered configuration file.
frigate-exporter
Dustin 2024-01-27 08:55:30 -06:00
parent 7b54bc4400
commit af18a575d1
2 changed files with 17 additions and 1 deletions

@ -5,3 +5,4 @@ squid_cache_dir: /var/cache/squid
squid_cache_dir_max_size: 51200
squid_cache_dir_l1: 16
squid_cache_dir_l2: 256
squid_access_log: syslog:daemon.info
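
Review bot: the new `squid_access_log` default on the last line of this hunk is not mentioned in the commit message, while `squid_acl` and `squid_http_access`, which the message does describe, get no entry in this file. Because the template tests them with `is not defined` they cannot carry real defaults, but a commented-out sample of each next to `squid_access_log` would document the expected shape: a map of ACL name to a list of entries, and a list of rule strings.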

@ -1,3 +1,4 @@
{% if squid_acl is not defined %}
#
# Recommended minimum configuration:
#
@ -23,8 +24,17 @@ acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
{% else %}
{% for name in squid_acl %}
access_log syslog:daemon.info
{% for acl in squid_acl[name] %}
acl {{ name }} {{ acl }}
{% endfor %}
{% endfor %}
{% endif %}
access_log {{ squid_access_log }}
{% if squid_http_access is not defined %}
#
# Recommended minimum Access Permission configuration:
#
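
Review bot: the `squid_acl` and `squid_http_access` conditions are independent, so setting only `squid_acl` drops the stock `Safe_ports` and `CONNECT` definitions via the `{% else %}` branch while the "Recommended minimum Access Permission configuration" block is still rendered. If any rule in that block names one of the dropped ACLs, Squid will reject the configuration for referencing an undefined ACL. Consider failing the play when one variable is set without the other, or documenting that they must be set together. Separately, `acl {{ name }} {{ acl }}` writes the values verbatim, so a value containing a newline becomes an extra directive in the rendered file; a check that names and entries are single-line strings would catch that before it reaches the proxy.
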
@ -55,6 +65,11 @@ http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
{% else %}
{% for rule in squid_http_access %}
http_access {{ rule }}
{% endfor %}
{% endif %}
# Squid normally listens to port 3128
http_port 3128
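
Review bot: in the `{% else %}` branch the custom list replaces all of the stock rules, including the final `http_access deny all`, and nothing here guarantees that the custom list ends with a deny. When no rule matches, Squid applies the opposite of the last rule in the list, so a list whose last entry is a `deny` for one specific ACL allows everything else through the proxy. Either render `http_access deny all` after the `{% endfor %}` unconditionally, or state in the role documentation that `squid_http_access` must end with it.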