squid: Add role and PB to deploy Squid

2018-08-12 15:58:43 -05:00 · 2018-08-12 15:58:43 -05:00 · b86ecb99fd
parent 00b04179b1
commit b86ecb99fd
6 changed files with 147 additions and 0 deletions
--- a/2
+++ b/2
@ -96,6 +96,8 @@ smtp1.pyrocufflink.blue
 [smtp-relay:children]
 zabbix-server

+[squid]
+
 [zabbix-server]
 zbx0.pyrocufflink.blue

--- a/roles/squid/defaults/main.yml
+++ b/roles/squid/defaults/main.yml
@ -0,0 +1,7 @@
+squid_max_object_size: 4096 MB
+squid_cache_replacement_policy: heap LFUDA
+squid_cache_dir_type: aufs
+squid_cache_dir: /var/cache/squid
+squid_cache_dir_max_size: 51200
+squid_cache_dir_l1: 16
+squid_cache_dir_l2: 256
--- a/roles/squid/handlers/main.yml
+++ b/roles/squid/handlers/main.yml
@ -0,0 +1,6 @@
+- name: reload squid
+  service:
+    name=squid
+    state=reloaded
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@ -0,0 +1,48 @@
+- name: ensure squid is installed
+  package:
+    name=squid
+    state=present
+  tags:
+  - install
+
+- name: ensure squid cache dir exists
+  file:
+    path={{ squid_cache_dir }}
+    owner=squid
+    group=squid
+    mode=0750
+    setype=squid_cache_t
+    state=directory
+
+- name: ensure squid is configured
+  template:
+    src=squid.conf.j2
+    dest=/etc/squid/squid.conf
+    mode=0640
+    owner=root
+    group=squid
+    setype=squid_conf_t
+  notify: reload squid
+
+- name: ensure squid cache directory exists
+  command:
+    /usr/sbin/squid -N -z -F -f /etc/squid/squid.conf
+    creates={{ squid_cache_dir }}/00
+
+- meta: flush_handlers
+- name: ensure squid service starts at boot
+  service:
+    name=squid
+    enabled=yes
+- name: ensure squid is running
+  service:
+    name=squid
+    state=started
+
+- name: ensure proxy is allowed through firewall
+  firewalld:
+    port=3128/tcp
+    permanent=no
+    immediate=yes
+    state=enabled
+  notify: save firewalld configuration
--- a/roles/squid/templates/squid.conf.j2
+++ b/roles/squid/templates/squid.conf.j2
@ -0,0 +1,81 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
+
+access_log syslog:daemon.info
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+maximum_object_size {{ squid_max_object_size }}
+cache_replacement_policy {{ squid_cache_replacement_policy }}
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir {{ squid_cache_dir_type }} {{ squid_cache_dir }} {{ squid_cache_dir_max_size }} {{ squid_cache_dir_l1 }} {{ squid_cache_dir_l2 }}
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# Never cache objects from internal servers
+refresh_pattern \.{{ ansible_domain|replace('.', '\\.') }}	0	0%	0
+# Never cache Yum repository metadata files
+refresh_pattern repomd.xml	0	0%	0
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320
--- a/squid.yml
+++ b/squid.yml
@ -0,0 +1,3 @@
+- hosts: squid
+  roles:
+  - squid