From cb337418b35b8dd93f01d541a492a3d1dce482cf Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 24 Aug 2021 08:34:51 -0400
Subject: [PATCH 1/3] Squid: Contextualize allowlists for new implementers (whitelists)

---
 roles/network/templates/squid/allow_dst_domains | 4 +++-
 roles/network/templates/squid/allow_url_regexs | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/network/templates/squid/allow_dst_domains b/roles/network/templates/squid/allow_dst_domains
index f16722ed1..5d71c65c1 100644
--- a/roles/network/templates/squid/allow_dst_domains
+++ b/roles/network/templates/squid/allow_dst_domains
@@ -1,4 +1,6 @@
-# SEE ALSO /etc/squid/allow_url_regexs
+# SEE ALSO /etc/squid/squid.conf
+# /etc/squid/allow_url_regexs
+# https://wiki.squid-cache.org/SquidFaq/SquidAcl
 # the leading dot matches anything preceding
 # don't remove the .lan line
 # change this to your domain if necessary
diff --git a/roles/network/templates/squid/allow_url_regexs b/roles/network/templates/squid/allow_url_regexs
index 21a003f59..e7cde9407 100644
--- a/roles/network/templates/squid/allow_url_regexs
+++ b/roles/network/templates/squid/allow_url_regexs
@@ -1,4 +1,6 @@
-# SEE ALSO /etc/squid/allow_url_regexs
+# SEE ALSO /etc/squid/squid.conf
+# /etc/squid/allow_url_regexs
+# https://wiki.squid-cache.org/SquidFaq/SquidAcl
 # put regular expressions that match desired urls
 translator
 translate

From 87ec19cafe9aee559f2785a50bb77e667f0f968c Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 24 Aug 2021 09:10:54 -0400
Subject: [PATCH 2/3] network/tasks/squid.yml: Contextualize /etc/squid/squid.conf, allowlists + Stop svc during install

---
 roles/network/tasks/squid.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/network/tasks/squid.yml b/roles/network/tasks/squid.yml
index e959d43de..ea85978a9 100644
--- a/roles/network/tasks/squid.yml
+++ b/roles/network/tasks/squid.yml
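Review bot: The rewritten header of allow_url_regexs still does not say how its entries are matched, and the context lines `translator` and `translate` show they are bare, unanchored patterns: if this file backs a url_regex ACL (the filename suggests so; confirm in squid.conf), each line is a regex searched anywhere in the full URL, so `translate` admits any URL on any host whose path or query contains that word, which is far broader than the per-domain entries in allow_dst_domains. One line in the new comment block would make that visible to the "new implementers" the commit targets, e.g. `# each line is an unanchored regex tested against the whole URL -- anchor on scheme+host and escape literal dots to keep the allowlist tight`. The same header is edited again in 3/3, where the note applies equally.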
@@ -1,4 +1,4 @@
-- name: "Install package: {{ proxy }}"
+- name: "Install package {{ proxy }} -- IIAB will later overwrite its /etc/squid/squid.conf"
   package:
     name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
     # - cadaver
@@ -12,7 +12,7 @@
   systemd:
     name: "{{ proxy }}"
     state: stopped
-  when: squid_installed is undefined
+  # when: squid_installed is undefined

 # 2021-08-17: This stanza is gratuitous on most distros, where the user 'proxy'
 # or 'squid' is preinstalled (typically with UID and GID 13 in /etc/passwd) but
@@ -44,7 +44,7 @@
     group: "{{ proxy_user }}"
     mode: 0750

-- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default)
+- name: "Install site allowlists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default) -- activated for HTTP/80 if you set 'gw_squid_whitelist: True' in /etc/iiab/local_vars.yml -- SEE https://wiki.squid-cache.org/SquidFaq/SquidAcl"
   template:
     src: "{{ item }}"
     dest: /etc/{{ proxy }}/

From 9f013de57cd5c14f19bed07fa34fd5b389bb9a40 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 24 Aug 2021 10:04:12 -0400
Subject: [PATCH 3/3] Fix Squid tips + optimize its install in 4-server-options

---
 roles/4-server-options/tasks/main.yml | 7 ++++---
 roles/network/tasks/squid.yml | 2 +-
 roles/network/templates/squid/allow_url_regexs | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml
index f5bc2f269..8ccf6b88b 100644
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@@ -16,6 +16,7 @@
 - name: Install pylibs (IIAB's python libs)
   include_role:
     name: pylibs
+  #when: pylibs_installed is undefined
   #when: pylibs_install # Flag might be created in future?

 - name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
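Review bot: The stop task in the second hunk now runs on every pass of this role, but the disabled condition is left behind with no explanation, so a reader cannot tell whether `# when: squid_installed is undefined` is a temporary toggle or a deliberate removal. Say why inline, e.g. `# 2021-08-24: always stop {{ proxy }} here -- its /etc/squid/squid.conf is overwritten later in this role` (presumably the motivation, given the new task name in the first hunk; adjust if that is not it), or delete the dead line outright. The task's `- name:` line and the `systemd:` module header begin above the hunk.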
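Review bot: The new task name in the third hunk is now roughly 250 characters of operator documentation (activation flag, file path, wiki link) rather than a description of what the task does, and it is echoed in full on every run. Keep the name to the action and put the rest in a comment directly above the task, e.g. `# Activated for HTTP/80 only if 'gw_squid_whitelist: True' is set in /etc/iiab/local_vars.yml -- SEE https://wiki.squid-cache.org/SquidFaq/SquidAcl`, which stays greppable and keeps the play output readable. The "HTTP/80 only" qualifier is the most useful part of that text for someone relying on the allowlist and deserves to be stated plainly rather than buried mid-name.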
@@ -34,10 +35,10 @@
   include_tasks: roles/network/tasks/dhcpd.yml
   when: dhcpd_install is defined and dhcpd_install

-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# LESS MAINTAINED
 - name: Install Squid
   include_tasks: roles/network/tasks/squid.yml
-  when: squid_install is defined and squid_install
+  when: squid_install and squid_installed is undefined

 - name: Install Bluetooth - only on Raspberry Pi
@@ -69,7 +70,7 @@
 - name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
   include_role:
     name: www_options
-  #when: www_options_install # Flag might be created in future?
+  #when: www_options_installed is undefined # NO: as we encourage frequent settings changes here, e.g. php.ini and many others!

 - name: Recording STAGE 4 HAS COMPLETED ==================
diff --git a/roles/network/tasks/squid.yml b/roles/network/tasks/squid.yml
index ea85978a9..1f6acc39d 100644
--- a/roles/network/tasks/squid.yml
+++ b/roles/network/tasks/squid.yml
@@ -1,4 +1,4 @@
-- name: "Install package {{ proxy }} -- IIAB will later overwrite its /etc/squid/squid.conf"
+- name: Install package '{{ proxy }}' -- IIAB will later overwrite its /etc/squid/squid.conf
   package:
     name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
     # - cadaver
diff --git a/roles/network/templates/squid/allow_url_regexs b/roles/network/templates/squid/allow_url_regexs
index e7cde9407..d3932420f 100644
--- a/roles/network/templates/squid/allow_url_regexs
+++ b/roles/network/templates/squid/allow_url_regexs
@@ -1,5 +1,5 @@
 # SEE ALSO /etc/squid/squid.conf
-# /etc/squid/allow_url_regexs
+# /etc/squid/allow_dst_domains
 # https://wiki.squid-cache.org/SquidFaq/SquidAcl
 # put regular expressions that match desired urls
 translator
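Review bot: `when: squid_install and squid_installed is undefined` drops the `is defined` guard that the neighbouring dhcpd task keeps (`when: dhcpd_install is defined and dhcpd_install`, visible as context above), so if `squid_install` is ever absent from the default vars this play aborts with an undefined-variable error instead of skipping Squid. Unless that default is guaranteed, keep the guard: `when: squid_install is defined and squid_install and squid_installed is undefined`. The shortened `# LESS MAINTAINED` comment also loses the issue link that explained the caveat; keep the URL or say in a few words what "less maintained" means for someone enabling the proxy.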
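Review bot: The squid.yml task name goes back to an unquoted plain scalar one commit after it was quoted; it parses only because `{{ proxy }}` is not at the start of the value and the text contains no `: ` or ` #`, and the allowlists task later in the same file shows the file otherwise quotes names that carry Jinja. For consistency, and so a later edit that moves the expression to the front cannot turn the value into a flow mapping, keep `- name: "Install package '{{ proxy }}' -- IIAB will later overwrite its /etc/squid/squid.conf"`.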