# Proxy authentication settings, keyed by authentication scheme.
# NOTE(review): presumably rendered as `auth_param basic <key> <value>` lines
# by the role's template -- confirm.
squid_auth_param:
  basic:
    # NCSA helper; its argument is the htpasswd file it checks credentials
    # against.
    # NOTE(review): Basic credentials are only base64-encoded between client
    # and proxy, so keep the proxy port off untrusted networks, and keep the
    # htpasswd file readable by the Squid user only.
    program: '/usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd'
    # Number of authentication helper processes.
    children: 1
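# Named Squid ACLs: each key is an ACL name, each list item one
# "<type> <argument>" entry for that ACL.
# NOTE(review): presumably the role renders every item as
# `acl <name> <item>` -- confirm against the template.
#
# The dstdomain entries below have no leading dot, so each matches that exact
# host name only and not its subdomains.
squid_acl:
  # Client source ranges treated as local.
  localnet:
    - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
    - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
    - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
    - 'src fc00::/7 # RFC 4193 local private network range'
    - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
  # Narrower set of client sources used by the more sensitive allow rules.
  trusted:
    - 'src 172.30.0.0/26'
    - 'src 172.30.0.211/32'
    - 'src 172.30.0.214/32'
    - 'src 172.31.1.0/24'
  kubernetes:
    - 'src 172.30.0.160/28'
  unifi_controller:
    - 'src 172.30.0.242/32'
  # Destination ports: CONNECT is limited to SSL_ports, everything else to
  # Safe_ports.
  SSL_ports:
    - 'port 443'
  Safe_ports:
    - 'port 80 # http'
    - 'port 443 # https'
  CONNECT:
    - 'method CONNECT'
  # Matches requests authenticated as proxy user "frigate".
  frigate:
    - 'proxy_auth frigate'
  github_api:
    - 'dstdomain api.github.com'
  # url_regex is an unanchored search over the whole URL. Each pattern is
  # therefore anchored at scheme and host, with the dots escaped, so it matches
  # only URLs on the named server and not URLs on other hosts that merely
  # contain this text in their path or query. An explicit port is tolerated.
  kickstart:
    - 'url_regex ^https?://rosalina\.pyrocufflink\.blue(:[0-9]+)?/~dustin/kickstart/.*\.ks$'
    - 'url_regex ^https?://git\.pyrocufflink\.net(:[0-9]+)?/infra/kickstart/raw/.*/.*\.ks$'
  fcos_updates:
    - 'dstdomain d2uk5hbyrobdzx.cloudfront.net'
    - 'dstdomain ostree.fedoraproject.org'
    - 'dstdomain updates.coreos.fedoraproject.org'
  fedora_repo:
    - 'dstdomain codecs.fedoraproject.org'
    - 'dstdomain dl.fedoraproject.org'
    - 'dstdomain fedoraproject-updates-archive.fedoraproject.org'
    - 'dstdomain mirrors.fedoraproject.org'
  fedora_copr:
    - 'dstdomain copr.fedorainfracloud.org'
    - 'dstdomain download.copr.fedorainfracloud.org'
  # Anchored for the same reason as the kickstart patterns above.
  dch_repo:
    - 'url_regex ^https?://files\.pyrocufflink\.blue(:[0-9]+)?/yum/.+'
  google_fonts:
    - 'dstdomain fonts.googleapis.com'
    - 'dstdomain fonts.gstatic.com'
  grafana_rpm:
    - 'dstdomain rpm.grafana.com'
  stripe_api:
    - 'dstdomain api.stripe.com'
  dockerhub:
    - 'dstdomain registry-1.docker.io'
    - 'dstdomain docker.io'
    - 'dstdomain auth.docker.io'
    - 'dstdomain production.cloudflare.docker.com'
  ghcr:
    - 'dstdomain ghcr.io'
    - 'dstdomain pkg-containers.githubusercontent.com'
  linuxserverio:
    - 'dstdomain lscr.io'
  gitea:
    - 'dstdomain git.pyrocufflink.blue'
    - 'dstdomain git.pyrocufflink.net'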
# Ordered http_access rules. Squid stops at the first rule whose ACLs all
# match, so the order is significant. ACLs on one line are ANDed together.
# NOTE(review): `localhost`, `manager`, `to_localhost` and `all` are not
# defined in squid_acl in this file; presumably they are Squid's predefined
# ACLs -- confirm for the deployed version.
squid_http_access:
  # Refuse destination ports outside Safe_ports, and CONNECT tunnels to
  # anything but SSL_ports, before any allow rule is considered.
  - 'deny !Safe_ports'
  - 'deny CONNECT !SSL_ports'
  # Cache manager is reachable from localhost only.
  - 'allow localhost manager'
  - 'deny manager'
  # Block requests aimed at services on the proxy host itself.
  - 'deny to_localhost'
  # Package and OS update sources, open to every localnet client.
  - 'allow localnet fcos_updates'
  - 'allow localnet fedora_repo'
  - 'allow localnet fedora_copr'
  - 'allow localnet grafana_rpm'
  # NOTE(review): no source ACL on this rule, so it applies to every client
  # that can reach the proxy -- confirm that is intended.
  - 'allow google_fonts'
  # Destinations limited to the trusted source ranges.
  - 'allow trusted kickstart'
  - 'allow trusted dch_repo'
  - 'allow trusted ghcr'
  - 'allow trusted gitea'
  # Per-workload allowances.
  - 'allow kubernetes stripe_api'
  - 'allow unifi_controller dockerhub'
  - 'allow unifi_controller ghcr'
  - 'allow unifi_controller linuxserverio'
  # Needs all three: trusted source, proxy_auth user frigate, and
  # destination api.github.com.
  - 'allow trusted frigate github_api'
  # Default deny: anything not explicitly allowed above is refused.
  - 'deny all'
# On-disk cache stores. Arguments follow Squid's cache_dir order: store type,
# directory, size in MB, first-level and second-level subdirectory counts.
squid_cache_dir:
  - 'ufs /var/cache/squid 20480 16 256'
# Cache freshness rules. Fields follow Squid's refresh_pattern order: regex,
# minimum age, percent, maximum age, with both ages in minutes.
squid_refresh_pattern:
  # Never treat objects from the local domain as fresh. Left unquoted because
  # the Jinja expression contains both single quotes and backslashes.
  - \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
  # Repository metadata is always revalidated, so clients are not served a
  # stale package index that hides available updates.
  - 'repomd\.xml$ 0 0% 0'
  # Installer kernels and images: 480 to 10080 minutes (8 hours to 7 days).
  - '(vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080'
  # NOTE(review): 86400 and 2592000 are the number of seconds in 1 and 30
  # days, but these fields are minutes (60 and 1800 days) -- confirm the
  # intended lifetime.
  - '\.rpm$ 86400 80% 2592000'