diff --git a/roles/0-init/defaults/main.yml b/roles/0-init/defaults/main.yml
index 7fe2e28f7..98dcdd597 100644
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@@ -43,10 +43,10 @@ FQDN_changed: False
 #wifi_id: none # 2021-07-30: Had been used in 2-common/tasks/xo.yml
-# 2021-07-30: roles/network/tasks/squid.yml#L16 to stop Squid
-# ("when: not installing") is the only non-Fedora use of this var.
+# 2021-08-16: roles/network/tasks/squid.yml#L16 to stop Squid
+# ("when: not installing") was the only non-Fedora use of this var.
 # Earlier, this var HAD also been used in 2-common and 3-base-server.
-installing: False
+# installing: False
 # 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
 # possibly change if roles/network becomes optional per PR #2876 ?
diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml
index 2b9d99dde..d87f9ab36 100644
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
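Review bot: Commenting out `installing: False` turns any surviving reference to `installing` into an undefined-variable failure at play time instead of a quiet False, and the comment rewritten on the same lines only says squid.yml was the last *non-Fedora* use, which leaves open whether a Fedora-specific path still reads it. A `grep -rn 'installing' roles/ vars/` before merging, or keeping the default one more release and marking it deprecated, would make this safe. If the var really is dead, the comment could say so plainly, e.g. `# installing: False    # 2021-08-16: no remaining references; removed`.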
@@ -143,25 +143,25 @@
 - name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled
 systemd:
- name: "{{ proxy }}" # squid (or squid3 on old OS's vars/debian-8.yml & vars/raspbian-8.yml)
+ name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
 enabled: yes
 when: squid_install and squid_enabled
-- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }} (0644 by default) - if squid_install and squid_enabled
+- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled
 template:
- src: squid/squid-iiab.conf.j2
- dest: "/etc/{{ proxy }}/squid-iiab.conf"
- owner: "{{ proxy_user }}" # proxy (or "squid" on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
- group: "{{ proxy_user }}"
- # mode: 0644
+ src: squid/squid.conf.j2
+ dest: /etc/{{ proxy }}/squid.conf
+ # owner: "{{ proxy_user }}" # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
+ # group: "{{ proxy_user }}"
+ backup: yes
 when: squid_install and squid_enabled
-- name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
- lineinfile:
- regexp: '^CONFIG'
- line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
- path: "/etc/init.d/{{ proxy }}"
- when: squid_install and squid_enabled
+# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
+# lineinfile:
+# regexp: '^CONFIG'
+# line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
+# path: "/etc/init.d/{{ proxy }}"
+# when: squid_install and squid_enabled
 - name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled
 systemd:
diff --git a/roles/network/tasks/squid.yml b/roles/network/tasks/squid.yml
index 0190f2e0d..3e7034886 100644
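Review bot: The new task name promises `(root:root, 0644 by default)`, but the template task pins neither `owner`/`group` nor `mode`, so the permissions of /etc/{{ proxy }}/squid.conf depend on the controller's umask for a new file and on whatever an existing file already had; pin them with `mode: '0644'` (quoted, so YAML does not read the octal as an integer). `backup: yes` also leaves a `squid.conf.<timestamp>~` copy in /etc/{{ proxy }} on every change — harmless to Squid, which reads only squid.conf, but they accumulate, so consider dropping it once the migration from squid-iiab.conf has settled. Nothing in this hunk restarts or reloads Squid after the config is rendered, so unless a later task outside the hunk does, a changed squid.conf takes effect only on the next service restart.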
--- a/roles/network/tasks/squid.yml
+++ b/roles/network/tasks/squid.yml
@@ -1,82 +1,89 @@
-- name: "Install 2 packages: {{ proxy }}, cadaver"
+- name: "Install package: {{ proxy }}"
 package:
- name:
- - "{{ proxy }}" - cadaver
+ name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
+ # - cadaver
 state: present
-- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
- command: /etc/init.d/squid stop
- when: is_ubuntu
+# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
+# command: /etc/init.d/squid stop
+# when: is_ubuntu
-- name: Stop Squid
- service:
+- name: Stop systemd service '{{ proxy }}'
+ systemd:
 name: "{{ proxy }}"
 state: stopped
- when: not installing
+ when: squid_installed is undefined
-- name: "Create the Squid user: {{ proxy_user }}"
+- name: Create Squid user:group '{{ proxy_user }}' to own /library/cache
 user:
- name: "{{ proxy_user }}"
+ name: "{{ proxy_user }}" # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
 createhome: False
 shell: /bin/false
-- name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- mode: "{{ item.mode }}"
- force: no
- with_items:
- - src: 'roles/network/templates/squid/squid.sysconfig'
- dest: '/etc/sysconfig/squid'
- owner: 'root'
- group: 'root'
- mode: '0755'
- - src: 'roles/network/templates/squid/sites.whitelist.txt'
- dest: '/etc/{{ proxy }}/sites.whitelist.txt'
- owner: '{{ proxy_user }}'
- group: '{{ proxy_user }}'
- mode: '0644'
- - src: 'roles/network/templates/squid/allowregex.rules'
- dest: '/etc/{{ proxy }}/allowregex.rules'
- owner: '{{ proxy_user }}'
- group: '{{ proxy_user }}'
- mode: '0644'
- - src: 'roles/network/templates/squid/denyregex.rules'
- dest: '/etc/{{ proxy }}/denyregex.rules'
- owner: '{{ proxy_user }}'
- group: '{{ proxy_user }}'
- mode: '0644'
- - src: 
'roles/network/templates/squid/dstaddress.rules'
- dest: '/etc/{{ proxy }}/dstaddress.rules'
- owner: '{{ proxy_user }}'
- group: '{{ proxy_user }}'
- mode: '0644'
- - src: 'roles/network/templates/squid/iiab-httpcache.j2'
- dest: '/usr/bin/iiab-httpcache'
- owner: 'root'
- group: 'root'
- mode: '0755'
-
-- name: Create Squid directory /library/cache
+- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750)
 file:
+ state: directory
 path: /library/cache
- owner: "{{ proxy_user }}"
- group: "{{ proxy_user }}"
- mode: '0750'
- state: directory
+ owner: "{{ proxy_user }}" # Squid runs as 'nobody' according to http://www.squid-cache.org/Doc/config/cache_effective_user/
+ group: "{{ proxy_user }}" # So root:root ownership doesn't work for dir /library/cache
+ mode: 0750
-- name: Create Squid directory /var/log/{{ proxy }}
- file:
- path: "/var/log/{{ proxy }}"
- owner: "{{ proxy_user }}"
- group: "{{ proxy_user }}"
- mode: '0750'
- state: directory
+- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default)
+ template:
+ src: "{{ item }}"
+ dest: /etc/{{ proxy }}/
+ backup: yes
+ with_items:
+ - roles/network/templates/squid/allow_dst_domains
+ - roles/network/templates/squid/allow_url_regexs
+# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+# template:
+# src: "{{ item.src }}"
+# dest: "{{ item.dest }}"
+# owner: "{{ item.owner }}"
+# group: "{{ item.group }}"
+# mode: "{{ item.mode }}"
+# force: no
+# with_items:
+# - src: 'roles/network/templates/squid/squid.sysconfig'
+# dest: '/etc/sysconfig/squid'
+# owner: 'root'
+# group: 'root'
+# mode: '0755'
+# - src: 'roles/network/templates/squid/sites.whitelist.txt'
+# dest: '/etc/{{ proxy }}/sites.whitelist.txt'
+# owner: '{{ proxy_user }}'
+# group: '{{ proxy_user }}'
+# mode: '0644'
+# - src: 
'roles/network/templates/squid/allowregex.rules'
+# dest: '/etc/{{ proxy }}/allowregex.rules'
+# owner: '{{ proxy_user }}'
+# group: '{{ proxy_user }}'
+# mode: '0644'
+# - src: 'roles/network/templates/squid/denyregex.rules'
+# dest: '/etc/{{ proxy }}/denyregex.rules'
+# owner: '{{ proxy_user }}'
+# group: '{{ proxy_user }}'
+# mode: '0644'
+# - src: 'roles/network/templates/squid/dstaddress.rules'
+# dest: '/etc/{{ proxy }}/dstaddress.rules'
+# owner: '{{ proxy_user }}'
+# group: '{{ proxy_user }}'
+# mode: '0644'
+# - src: 'roles/network/templates/squid/iiab-httpcache.j2'
+# dest: '/usr/bin/iiab-httpcache'
+# owner: 'root'
+# group: 'root'
+# mode: '0755'
+
+# - name: Create Squid directory /var/log/{{ proxy }}
+# file:
+# path: "/var/log/{{ proxy }}"
+# owner: "{{ proxy_user }}"
+# group: "{{ proxy_user }}"
+# mode: '0750'
+# state: directory
 # - include_tasks: roles/network/tasks/dansguardian.yml
 # when: dansguardian_install
@@ -98,7 +105,7 @@
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
 ini_file:
- dest: "{{ iiab_ini_file }}"
+ dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
 section: "{{ proxy }}"
 option: "{{ item.option }}"
 value: "{{ item.value | string }}"
diff --git a/roles/network/templates/squid/allow_dst_domains b/roles/network/templates/squid/allow_dst_domains
new file mode 100644
index 000000000..f16722ed1
--- /dev/null
+++ b/roles/network/templates/squid/allow_dst_domains
@@ -0,0 +1,17 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# the leading dot matches anything preceding
+# don't remove the .lan line
+# change this to your domain if necessary
+.lan
+.laptop.org
+.olpcMAP.net
+.mapmeld.appspot.com
+.googlecode.com
+.googleapis.com
+.gstatic.com
+.unleashkids.org
+.iiab.io
+.hopeforhaitischildren.org
+.lenouvelliste.com
+.voanouvel.com
+.sugarlabs.org
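Review bot: The inline comment on the /library/cache task says Squid runs as `nobody` (which is indeed the documented `cache_effective_user` default), yet the directory is created `{{ proxy_user }}:{{ proxy_user }}` 0750 and the new squid.conf.j2 in this PR never sets `cache_effective_user`; taken together, a Squid really running as `nobody` could not write its cache, so the ownership only works because the distro packages compile in `proxy`/`squid` as the effective user. Either make that explicit with `cache_effective_user {{ proxy_user }}` in squid.conf.j2, or reword the comment to `# Squid must be able to write here: distro packages build it to run as {{ proxy_user }}, not the upstream default 'nobody'`. The `state: stopped` task is now gated on `squid_installed is undefined`, so a re-run against a host that already has Squid installed no longer stops it before its config is rewritten — fine if a later restart handles that, but worth confirming. The allowlists are installed to `/etc/{{ proxy }}/` here while squid.conf.j2 refers to them as `/etc/squid/...`, so on the debian-8/raspbian-8 `squid3` systems this PR still names, the two paths diverge.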
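Review bot: `.googleapis.com` and `.gstatic.com` are shared Google infrastructure rather than single sites; `.googleapis.com` in particular matches `storage.googleapis.com`, through which any third party can publish arbitrary content in a Cloud Storage bucket, so with `gw_squid_whitelist` on this list permits far more than the named education sites. Narrow those two entries to the specific hosts actually required, e.g. `fonts.googleapis.com` / `ajax.googleapis.com`, instead of the parent domains. A one-line comment per entry naming the IIAB feature that needs it would also make future pruning (e.g. of `.googlecode.com`) possible without guesswork.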
diff --git a/roles/network/templates/squid/allow_url_regexs b/roles/network/templates/squid/allow_url_regexs
new file mode 100644
index 000000000..21a003f59
--- /dev/null
+++ b/roles/network/templates/squid/allow_url_regexs
@@ -0,0 +1,4 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# put regular expressions that match desired urls
+translator
+translate
diff --git a/roles/network/templates/squid/allowregex.rules b/roles/network/templates/squid/allowregex.rules.unused
similarity index 100%
rename from roles/network/templates/squid/allowregex.rules
rename to roles/network/templates/squid/allowregex.rules.unused
diff --git a/roles/network/templates/squid/denyregex.rules b/roles/network/templates/squid/denyregex.rules.unused
similarity index 100%
rename from roles/network/templates/squid/denyregex.rules
rename to roles/network/templates/squid/denyregex.rules.unused
diff --git a/roles/network/templates/squid/dstaddress.rules b/roles/network/templates/squid/dstaddress.rules.unused
similarity index 100%
rename from roles/network/templates/squid/dstaddress.rules
rename to roles/network/templates/squid/dstaddress.rules.unused
diff --git a/roles/network/templates/squid/iiab-httpcache.j2 b/roles/network/templates/squid/iiab-httpcache.j2.unused
similarity index 100%
rename from roles/network/templates/squid/iiab-httpcache.j2
rename to roles/network/templates/squid/iiab-httpcache.j2.unused
diff --git a/roles/network/templates/squid/sites.whitelist.txt b/roles/network/templates/squid/sites.whitelist.txt.unused
similarity index 100%
rename from roles/network/templates/squid/sites.whitelist.txt
rename to roles/network/templates/squid/sites.whitelist.txt.unused
diff --git a/roles/network/templates/squid/squid-iiab.conf.j2 b/roles/network/templates/squid/squid-iiab.conf.j2.unused
similarity index 100%
rename from roles/network/templates/squid/squid-iiab.conf.j2
rename to roles/network/templates/squid/squid-iiab.conf.j2.unused
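Review bot: The two patterns are unanchored and are loaded by squid.conf.j2 with `url_regex -i`, so they match the substring anywhere in the URL — `http://any.host.example/?q=translate` satisfies `translate` and is allowed through, which lets anyone bypass the domain allowlist by appending a query parameter. Anchor them to the host part or list the exact services intended, e.g. `^https?://translate\.google\.com/`. The first comment also points at this file itself and should read `# SEE ALSO /etc/squid/allow_dst_domains`.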
diff --git a/roles/network/templates/squid/squid.conf.j2 b/roles/network/templates/squid/squid.conf.j2
new file mode 100644
index 000000000..feca47c22
--- /dev/null
+++ b/roles/network/templates/squid/squid.conf.j2
@@ -0,0 +1,48 @@
+# 2021-08-16 IIAB PR #2948 - April 2007 OLPC School Server legacy moved to:
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid-iiab.conf.j2.unused
+
+http_port 3129
+http_port 3128 intercept
+
+# Some measure of privacy: mask off the lowest byte of logged IP addresses
+client_netmask 255.255.255.0
+
+# https://wiki.squid-cache.org/Features/CacheManager
+# https://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_manager_ACLs
+http_access allow localhost manager
+http_access deny manager
+
+# Where is the cache stored on disk ?
+# Parameters
+# Type (ufs, aufs, or COSS)
+# | Where
+# | | Size (in MB)
+# | | |
+# | | | L1 (directories)
+# | | | | L2 (directories)
+# | | | | |
+#cache_dir aufs /library/cache 20000 32 256
+cache_dir ufs /library/cache 200 16 128
+# Remove the line above IF YOU WANT SQUID'S CACHE IN MEMORY INSTEAD OF DISK
+
+{% if gw_squid_whitelist %}
+#acl allow_src_ips src "/etc/squid/allow_src_ips"
+acl allow_dst_domains dstdomain "/etc/squid/allow_dst_domains"
+acl allow_url_regexs url_regex -i "/etc/squid/allow_url_regexs"
+#acl allow_dst_ips dst "/etc/squid/allow_dst_ips"
+#acl deny_url_regexs url_regex -i "/etc/squid/deny_url_regexs"
+#acl deny_dst_ips src "/etc/squid/deny_dst_ips"
+
+#http_access allow allow_src_ips
+http_access allow allow_dst_domains
+http_access allow allow_url_regexs
+#http_access allow allow_dst_ips
+#http_access deny deny_url_regexs
+#http_access deny deny_dst_ips
+{% endif %}
+
+# 2021-08-16: DEFAULTS HAPPEN ANYWAY
+# http_access deny all
+# access_log /var/log/squid/access.log
+# cache_log /var/log/squid/cache.log
+# pid_filename /var/run/squid.pid
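Review bot: With `gw_squid_whitelist` off (the default in vars/default_vars.yml) the only `http_access` rules left in this file are `allow localhost manager` / `deny manager`, and Squid treats an unmatched request as the opposite of the last rule, so every other request from any source is allowed — there is no `src` ACL anywhere, and a host that can reach port 3129 (or intercepted 3128) from an untrusted interface gets an open forward proxy. The closing `# http_access deny all` under "DEFAULTS HAPPEN ANYWAY" is therefore misleading: that deny lives in the distro's shipped squid.conf, which this template replaces. Add a source restriction and a terminal deny, e.g. `acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` (or the LAN subnet IIAB already knows), `http_access allow localnet` after the allowlist block, and `http_access deny all` as the last rule. The ACL file paths are also hard-coded to `/etc/squid/` while roles/network/tasks/squid.yml installs them to `/etc/{{ proxy }}/`, so on the `squid3` systems this PR still names Squid will refuse to start on a missing ACL file; use `/etc/{{ proxy }}/` here too.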
diff --git a/roles/network/templates/squid/squid.sysconfig b/roles/network/templates/squid/squid.sysconfig.unused
similarity index 100%
rename from roles/network/templates/squid/squid.sysconfig
rename to roles/network/templates/squid/squid.sysconfig.unused
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 6bd1bc68a..2ac11849c 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -255,12 +255,12 @@ nginx_log_dir: /var/log/nginx
 # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False # SEE 'iiab_gateway_enabled' FURTHER ABOVE
-gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False # UNMAINTAINED as of July 2021
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index f218b957d..ddcaaed90 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
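Review bot: The rewritten comment block still advertises "basic site blocking" while the `gw_squid_whitelist` line only says it works for HTTP, and a reader may not realise that the allowlist is bypassed entirely by any HTTPS destination — the `intercept` port in squid.conf.j2 is plain HTTP, and the one flag in context that would block port 443 (`gw_block_https`) is marked unmaintained. Suggest stating that where the feature is switched on: `gw_squid_whitelist: False    # HTTP only: HTTPS traffic is NOT filtered by the allowlists (see gw_block_https, unmaintained)`. The same comment lines are repeated in vars/local_vars_*.yml below, so any wording change should be mirrored there.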
@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
-gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index 9e4f5c5ba..7e00f6c4b 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
-gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index a7ddcdccf..f4aa1e9e4 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
-gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml
index c00e34530..e538fe140 100644
--- a/vars/local_vars_unittest.yml
+++ b/vars/local_vars_unittest.yml
@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
-gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS