Spring Cleaning for dysfunctional Squid

2025-03-09 15:40:17 +00:00 · 2021-08-16 12:44:14 -04:00 · 2021-08-16 12:44:14 -04:00 · a8114e65dd
commit a8114e65dd
parent cfce51744c
18 changed files with 182 additions and 106 deletions
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@ -143,25 +143,25 @@

 - name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled
  systemd:
-    name: "{{ proxy }}"    # squid (or squid3 on old OS's vars/debian-8.yml & vars/raspbian-8.yml)
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
    enabled: yes
  when: squid_install and squid_enabled

- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }} (0644 by default) - if squid_install and squid_enabled
+- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled
  template:
-    src: squid/squid-iiab.conf.j2
-    dest: "/etc/{{ proxy }}/squid-iiab.conf"
-    owner: "{{ proxy_user }}"    # proxy (or "squid" on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
-    group: "{{ proxy_user }}"
-    # mode: 0644
+    src: squid/squid.conf.j2
+    dest: /etc/{{ proxy }}/squid.conf
+    # owner: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
+    # group: "{{ proxy_user }}"
+    backup: yes
  when: squid_install and squid_enabled

- name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
-  lineinfile:
-    regexp: '^CONFIG'
-    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
-    path: "/etc/init.d/{{ proxy }}"
-  when: squid_install and squid_enabled
+# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
+#   lineinfile:
+#     regexp: '^CONFIG'
+#     line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
+#     path: "/etc/init.d/{{ proxy }}"
+#   when: squid_install and squid_enabled

 - name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled
  systemd:
--- a/roles/network/tasks/squid.yml
+++ b/roles/network/tasks/squid.yml
@ -1,82 +1,89 @@
- name: "Install 2 packages: {{ proxy }}, cadaver"
+- name: "Install package: {{ proxy }}"
  package:
-    name:
-      - "{{ proxy }}"
-      - cadaver
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
+      # - cadaver
    state: present

- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
-  command: /etc/init.d/squid stop
-  when: is_ubuntu
+# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
+#   command: /etc/init.d/squid stop
+#   when: is_ubuntu

- name: Stop Squid
-  service:
+- name: Stop systemd service '{{ proxy }}'
+  systemd:
    name: "{{ proxy }}"
    state: stopped
-  when: not installing
+  when: squid_installed is undefined

- name: "Create the Squid user: {{ proxy_user }}"
+- name: Create Squid user:group '{{ proxy_user }}' to own /library/cache
  user:
-    name: "{{ proxy_user }}"
+    name: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
    createhome: False
    shell: /bin/false

- name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: "{{ item.mode }}"
-    force: no
-  with_items:
-    - src: 'roles/network/templates/squid/squid.sysconfig'
-      dest: '/etc/sysconfig/squid'
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
-    - src: 'roles/network/templates/squid/sites.whitelist.txt'
-      dest: '/etc/{{ proxy }}/sites.whitelist.txt'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/allowregex.rules'
-      dest: '/etc/{{ proxy }}/allowregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/denyregex.rules'
-      dest: '/etc/{{ proxy }}/denyregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/dstaddress.rules'
-      dest: '/etc/{{ proxy }}/dstaddress.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/iiab-httpcache.j2'
-      dest: '/usr/bin/iiab-httpcache'
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
-
- name: Create Squid directory /library/cache
+- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750)
  file:
+    state: directory
    path: /library/cache
-    owner: "{{ proxy_user }}"
-    group: "{{ proxy_user }}"
-    mode: '0750'
-    state: directory
+    owner: "{{ proxy_user }}"    # Squid runs as 'nobody' according to http://www.squid-cache.org/Doc/config/cache_effective_user/
+    group: "{{ proxy_user }}"    # So root:root ownership doesn't work for dir /library/cache
+    mode: 0750

- name: Create Squid directory /var/log/{{ proxy }}
-  file:
-    path: "/var/log/{{ proxy }}"
-    owner: "{{ proxy_user }}"
-    group: "{{ proxy_user }}"
-    mode: '0750'
-    state: directory
+- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default)
+  template:
+    src: "{{ item }}"
+    dest: /etc/{{ proxy }}/
+    backup: yes
+  with_items:
+    - roles/network/templates/squid/allow_dst_domains
+    - roles/network/templates/squid/allow_url_regexs

+# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+#   template:
+#     src: "{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     owner: "{{ item.owner }}"
+#     group: "{{ item.group }}"
+#     mode: "{{ item.mode }}"
+#     force: no
+#   with_items:
+#     - src: 'roles/network/templates/squid/squid.sysconfig'
+#       dest: '/etc/sysconfig/squid'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
+#     - src: 'roles/network/templates/squid/sites.whitelist.txt'
+#       dest: '/etc/{{ proxy }}/sites.whitelist.txt'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/allowregex.rules'
+#       dest: '/etc/{{ proxy }}/allowregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/denyregex.rules'
+#       dest: '/etc/{{ proxy }}/denyregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/dstaddress.rules'
+#       dest: '/etc/{{ proxy }}/dstaddress.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/iiab-httpcache.j2'
+#       dest: '/usr/bin/iiab-httpcache'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
+
+# - name: Create Squid directory /var/log/{{ proxy }}
+#   file:
+#     path: "/var/log/{{ proxy }}"
+#     owner: "{{ proxy_user }}"
+#     group: "{{ proxy_user }}"
+#     mode: '0750'
+#     state: directory

 # - include_tasks: roles/network/tasks/dansguardian.yml
 #   when: dansguardian_install
@ -98,7 +105,7 @@
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
  ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: "{{ proxy }}"
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"