hosts: Deploy Squid on gw1

Running Squid on the firewall makes sense; it's a sort of layer-7 firewall, after all. There's not much storage on that machine, though so we don't really want to cache anything. In fact, it's only purpose is to allow very limited web access for certain applications. All outbound traffic is blocked, with two exceptions: * Fedora package repositories (for the UniFi controller server) * Google Fonts (for Invoice Ninja)
2024-01-27 20:09:34 -06:00
parent 541a6385e2
commit be63424fd8
2 changed files with 35 additions and 0 deletions
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -0,0 +1,32 @@
+squid_acl:
+  localnet:
+    - 'src 10.0.0.0/8		# RFC 1918 local private network (LAN)'
+    - 'src 172.16.0.0/12		# RFC 1918 local private network (LAN)'
+    - 'src 192.168.0.0/16		# RFC 1918 local private network (LAN)'
+    - 'src fc00::/7       	# RFC 4193 local private network range'
+    - 'src fe80::/10      	# RFC 4291 link-local (directly plugged) machines'
+  SSL_ports:
+  - port 443
+  Safe_ports:
+  - 'port 80		# http'
+  - 'port 443		# https'
+  CONNECT:
+  - method CONNECT
+  fedora_repo:
+  - dstdomain mirrors.fedoraproject.org
+  - dstdomain dl.fedoraproject.org
+  google_fonts:
+  - dstdomain fonts.googleapis.com
+  - dstdomain fonts.gstatic.com
+
+squid_http_access:
+- 'deny !Safe_ports'
+- 'deny CONNECT !SSL_ports'
+- allow localhost manager
+- deny manager
+- deny to_localhost
+- allow localnet fedora_repo
+- allow google_fonts
+- deny all
+
+squid_cache_dir: []
--- a/hosts.gw
+++ b/hosts.gw
@@ -9,3 +9,6 @@ gw1.pyrocufflink.blue

 [nut-monitor]
 gw1.pyrocufflink.blue
+
+[squid]
+gw1.pyrocufflink.blue