configpolicy/host_vars/gw1.pyrocufflink.blue/squid.yml
Dustin C. Hatch 1babedaf55 gw1: squid: Cache RPMs and installer images
Installing Fedora on a bunch of machines, simultaneously or in rapid
succession, can be painfully slow, as several large files need to be
downloaded.  To speed this up, we download those files via the proxy and
cache them on the proxy server.

As a side-effect, the proxy needs to allow access to the Kickstart
"server" (i.e. my workstation, at least for now), since Anaconda will
use the configured proxy for everything it downloads.
2024-06-12 18:54:29 -05:00

52 lines
1.4 KiB
YAML

squid_acl:
  localnet:
    - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
    - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
    - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
    - 'src fc00::/7 # RFC 4193 local private network range'
    - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
  trusted:
    - src 172.30.0.0/26
  SSL_ports:
    - port 443
  Safe_ports:
    - 'port 80 # http'
    - 'port 443 # https'
  CONNECT:
    - method CONNECT
  kickstart:
    - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
  fcos_updates:
    - dstdomain updates.coreos.fedoraproject.org
    - dstdomain ostree.fedoraproject.org
  fedora_repo:
    - dstdomain mirrors.fedoraproject.org
    - dstdomain dl.fedoraproject.org
  google_fonts:
    - dstdomain fonts.googleapis.com
    - dstdomain fonts.gstatic.com
  grafana_rpm:
    - dstdomain rpm.grafana.com
squid_http_access:
  - 'deny !Safe_ports'
  - 'deny CONNECT !SSL_ports'
  - allow localhost manager
  - deny manager
  - deny to_localhost
  - allow localnet fcos_updates
  - allow localnet fedora_repo
  - allow localnet grafana_rpm
  - allow google_fonts
  - allow trusted kickstart
  - deny all
squid_cache_dir:
  - ufs /var/cache/squid 20480 16 256
squid_refresh_pattern:
  - \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
  - repomd\.xml$ 0 0% 0
  - (vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080
  - \.rpm$ 86400 80% 2592000
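
The kickstart ACL in this file is a url_regex, which Squid applies as an unanchored search over the whole request URL, and its dots are unescaped. The Python check below is an added example, not part of this repository: it models the `allow trusted kickstart` rule and compares the pattern as written with an anchored variant. The anchored pattern, the http scheme, the function names, the client address and the sample URLs are all assumptions constructed for illustration.

```python
import ipaddress
import re

# ACL values copied from the squid.yml on this page.
TRUSTED_NET = ipaddress.ip_network("172.30.0.0/26")
PAGE_PATTERN = r"rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$"

# Assumed tightening, not taken from the repository: anchor the scheme and
# host, escape the literal dots, and exclude query strings and fragments.
ANCHORED_PATTERN = (
    r"^http://rosalina\.pyrocufflink\.blue/~dustin/kickstart/[^?#]*\.ks$"
)


def kickstart_rule_matches(src_ip: str, url: str, pattern: str) -> bool:
    """Model `allow trusted kickstart`: both ACLs on the line must match.

    url_regex is an unanchored search over the whole request URL, so
    re.search (not re.fullmatch) is the closest Python equivalent.
    """
    in_trusted = ipaddress.ip_address(src_ip) in TRUSTED_NET
    return in_trusted and re.search(pattern, url) is not None


# Constructed request URLs; the .example host is a placeholder.
SAMPLES = [
    "http://rosalina.pyrocufflink.blue/~dustin/kickstart/fedora.ks",
    "http://rosalina.pyrocufflink.blue/~dustin/kickstart/hosts/gw1.ks",
    "http://other.example/rosalina.pyrocufflink.blue/~dustin/kickstart/a.ks",
    "http://other.example/rosalina_pyrocufflink_blue/~dustin/kickstart/a.ks",
    "http://rosalina.pyrocufflink.blue/~dustin/kickstart/fedora.ks?x=1",
]


def compare(src_ip: str = "172.30.0.10"):
    """Return (url, page_result, anchored_result) for every sample URL."""
    return [
        (u,
         kickstart_rule_matches(src_ip, u, PAGE_PATTERN),
         kickstart_rule_matches(src_ip, u, ANCHORED_PATTERN))
        for u in SAMPLES
    ]


if __name__ == "__main__":
    for url, page, anchored in compare():
        print(f"page={page!s:5} anchored={anchored!s:5} {url}")
```

With the pattern as written, the two `other.example` URLs satisfy the kickstart ACL for a client in the trusted range; with the anchored variant only the two URLs on the Kickstart host do.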