From be63424fd8057e80a794bbc7cbfebfc287b99a6d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 27 Jan 2024 20:09:34 -0600
Subject: [PATCH] hosts: Deploy Squid on gw1
Running Squid on the firewall makes sense; it's a sort of layer-7 firewall, after all. There's not much storage on that machine, though so we don't really want to cache anything. In fact, it's only purpose is to allow very limited web access for certain applications. All outbound traffic is blocked, with two exceptions: * Fedora package repositories (for the UniFi controller server) * Google Fonts (for Invoice Ninja)
---
 host_vars/gw1.pyrocufflink.blue/squid.yml | 32 +++++++++++++++++++++++
 hosts.gw | 3 +++
 2 files changed, 35 insertions(+)
 create mode 100644 host_vars/gw1.pyrocufflink.blue/squid.yml
diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml
new file mode 100644
index 0000000..9642567
--- /dev/null
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -0,0 +1,32 @@
+squid_acl:
+ localnet:
+ - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
+ - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
+ - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
+ - 'src fc00::/7 # RFC 4193 local private network range'
+ - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
+ SSL_ports:
+ - port 443
+ Safe_ports:
+ - 'port 80 # http'
+ - 'port 443 # https'
+ CONNECT:
+ - method CONNECT
+ fedora_repo:
+ - dstdomain mirrors.fedoraproject.org
+ - dstdomain dl.fedoraproject.org
+ google_fonts:
+ - dstdomain fonts.googleapis.com
+ - dstdomain fonts.gstatic.com
+
+squid_http_access:
+- 'deny !Safe_ports'
+- 'deny CONNECT !SSL_ports'
+- allow localhost manager
+- deny manager
+- deny to_localhost
+- allow localnet fedora_repo
+- allow google_fonts
+- deny all
+
+squid_cache_dir: []
diff --git a/hosts.gw b/hosts.gw
index bfd7ca0..d4c657c 100644
--- a/hosts.gw
+++ b/hosts.gw
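Review bot: `- allow google_fonts` in `squid_http_access` carries no source ACL, unlike `- allow localnet fedora_repo` directly above it, so any client that can reach Squid's listening port — on a gateway that may include interfaces other than the LAN, depending on where the role binds the proxy — can relay through it to fonts.googleapis.com and fonts.gstatic.com. Changing it to `- allow localnet google_fonts` keeps the rule consistent with the rest of the list, which otherwise admits only LAN and localhost sources before `deny all`. Separately, if the UniFi host's dnf configuration uses the default metalink/mirrorlist URLs, mirrors.fedoraproject.org will hand it mirror hostnames that `fedora_repo` does not match and those downloads will be denied; pinning the repos to a baseurl on dl.fedoraproject.org, or a comment next to `fedora_repo` stating that assumption, would avoid a confusing failure. Note also that `squid_cache_dir: []` only removes the on-disk cache; whether responses are still held in memory depends on the role's cache defaults, which this patch does not show.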
@@ -9,3 +9,6 @@ gw1.pyrocufflink.blue [nut-monitor] gw1.pyrocufflink.blue
+
+[squid]
+gw1.pyrocufflink.blue