Spring Cleaning for dysfunctional Squid

roles/0-init/defaults/main.yml

@@ -43,10 +43,10 @@ FQDN_changed: False
 
 #wifi_id: none          # 2021-07-30: Had been used in 2-common/tasks/xo.yml
 
-# 2021-07-30: roles/network/tasks/squid.yml#L16 to stop Squid
+# 2021-08-16: roles/network/tasks/squid.yml#L16 to stop Squid
-# ("when: not installing") is the only non-Fedora use of this var.
+# ("when: not installing") was the only non-Fedora use of this var.
 # Earlier, this var HAD also been used in 2-common and 3-base-server.
-installing: False
+# installing: False
 
 # 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
 # possibly change if roles/network becomes optional per PR #2876 ?

roles/network/tasks/enable_services.yml

@@ -143,25 +143,25 @@
 
 - name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled
   systemd:
-    name: "{{ proxy }}"    # squid (or squid3 on old OS's vars/debian-8.yml & vars/raspbian-8.yml)
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
     enabled: yes
   when: squid_install and squid_enabled
 
-- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }} (0644 by default) - if squid_install and squid_enabled
+- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled
   template:
-    src: squid/squid-iiab.conf.j2
+    src: squid/squid.conf.j2
-    dest: "/etc/{{ proxy }}/squid-iiab.conf"
+    dest: /etc/{{ proxy }}/squid.conf
-    owner: "{{ proxy_user }}"    # proxy (or "squid" on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
+    # owner: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
-    group: "{{ proxy_user }}"
+    # group: "{{ proxy_user }}"
-    # mode: 0644
+    backup: yes
   when: squid_install and squid_enabled
 
-- name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
+# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
-  lineinfile:
+#   lineinfile:
-    regexp: '^CONFIG'
+#     regexp: '^CONFIG'
-    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
+#     line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
-    path: "/etc/init.d/{{ proxy }}"
+#     path: "/etc/init.d/{{ proxy }}"
-  when: squid_install and squid_enabled
+#   when: squid_install and squid_enabled
 
 - name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled
   systemd:

roles/network/tasks/squid.yml

@@ -1,82 +1,89 @@
-- name: "Install 2 packages: {{ proxy }}, cadaver"
+- name: "Install package: {{ proxy }}"
   package:
-    name:
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
-      - "{{ proxy }}"
+      # - cadaver
-      - cadaver
     state: present
 
-- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
+# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
-  command: /etc/init.d/squid stop
+#   command: /etc/init.d/squid stop
-  when: is_ubuntu
+#   when: is_ubuntu
 
-- name: Stop Squid
+- name: Stop systemd service '{{ proxy }}'
-  service:
+  systemd:
     name: "{{ proxy }}"
     state: stopped
-  when: not installing
+  when: squid_installed is undefined
 
-- name: "Create the Squid user: {{ proxy_user }}"
+- name: Create Squid user:group '{{ proxy_user }}' to own /library/cache
   user:
-    name: "{{ proxy_user }}"
+    name: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
     createhome: False
     shell: /bin/false
 
-- name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750)
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: "{{ item.mode }}"
-    force: no
-  with_items:
-    - src: 'roles/network/templates/squid/squid.sysconfig'
-      dest: '/etc/sysconfig/squid'
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
-    - src: 'roles/network/templates/squid/sites.whitelist.txt'
-      dest: '/etc/{{ proxy }}/sites.whitelist.txt'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/allowregex.rules'
-      dest: '/etc/{{ proxy }}/allowregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/denyregex.rules'
-      dest: '/etc/{{ proxy }}/denyregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/dstaddress.rules'
-      dest: '/etc/{{ proxy }}/dstaddress.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/iiab-httpcache.j2'
-      dest: '/usr/bin/iiab-httpcache'
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
-
-- name: Create Squid directory /library/cache
   file:
+    state: directory
     path: /library/cache
-    owner: "{{ proxy_user }}"
+    owner: "{{ proxy_user }}"    # Squid runs as 'nobody' according to http://www.squid-cache.org/Doc/config/cache_effective_user/
-    group: "{{ proxy_user }}"
+    group: "{{ proxy_user }}"    # So root:root ownership doesn't work for dir /library/cache
-    mode: '0750'
+    mode: 0750
-    state: directory
 
-- name: Create Squid directory /var/log/{{ proxy }}
+- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default)
-  file:
+  template:
-    path: "/var/log/{{ proxy }}"
+    src: "{{ item }}"
-    owner: "{{ proxy_user }}"
+    dest: /etc/{{ proxy }}/
-    group: "{{ proxy_user }}"
+    backup: yes
-    mode: '0750'
+  with_items:
-    state: directory
+    - roles/network/templates/squid/allow_dst_domains
+    - roles/network/templates/squid/allow_url_regexs
 
+# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+#   template:
+#     src: "{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     owner: "{{ item.owner }}"
+#     group: "{{ item.group }}"
+#     mode: "{{ item.mode }}"
+#     force: no
+#   with_items:
+#     - src: 'roles/network/templates/squid/squid.sysconfig'
+#       dest: '/etc/sysconfig/squid'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
+#     - src: 'roles/network/templates/squid/sites.whitelist.txt'
+#       dest: '/etc/{{ proxy }}/sites.whitelist.txt'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/allowregex.rules'
+#       dest: '/etc/{{ proxy }}/allowregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/denyregex.rules'
+#       dest: '/etc/{{ proxy }}/denyregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/dstaddress.rules'
+#       dest: '/etc/{{ proxy }}/dstaddress.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/iiab-httpcache.j2'
+#       dest: '/usr/bin/iiab-httpcache'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
+
+# - name: Create Squid directory /var/log/{{ proxy }}
+#   file:
+#     path: "/var/log/{{ proxy }}"
+#     owner: "{{ proxy_user }}"
+#     group: "{{ proxy_user }}"
+#     mode: '0750'
+#     state: directory
 
 # - include_tasks: roles/network/tasks/dansguardian.yml
 #   when: dansguardian_install
@@ -98,7 +105,7 @@
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: "{{ proxy }}"
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"

roles/network/templates/squid/allow_dst_domains

@@ -0,0 +1,17 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# the leading dot matches anything preceding
+# don't remove the .lan line
+# change this to your domain if necessary
+.lan
+.laptop.org
+.olpcMAP.net
+.mapmeld.appspot.com
+.googlecode.com
+.googleapis.com
+.gstatic.com
+.unleashkids.org
+.iiab.io
+.hopeforhaitischildren.org
+.lenouvelliste.com
+.voanouvel.com
+.sugarlabs.org

roles/network/templates/squid/allow_url_regexs

@@ -0,0 +1,4 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# put regular expressions that match desired urls
+translator
+translate

roles/network/templates/squid/squid.conf.j2

@@ -0,0 +1,48 @@
+# 2021-08-16 IIAB PR #2948 - April 2007 OLPC School Server legacy moved to:
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid-iiab.conf.j2.unused
+
+http_port 3129
+http_port 3128 intercept
+
+# Some measure of privacy: mask off the lowest byte of logged IP addresses
+client_netmask 255.255.255.0
+
+# https://wiki.squid-cache.org/Features/CacheManager
+# https://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_manager_ACLs
+http_access allow localhost manager
+http_access deny manager
+
+#  Where is the cache stored on disk ?
+#  Parameters
+#         Type (ufs, aufs, or COSS)
+#          |       Where
+#          |         |        Size (in MB)
+#          |         |         |
+#          |         |         |    L1 (directories)
+#          |         |         |    |  L2 (directories)
+#          |         |         |    |  |
+#cache_dir aufs /library/cache 20000 32 256
+cache_dir ufs /library/cache 200 16 128
+# Remove the line above IF YOU WANT SQUID'S CACHE IN MEMORY INSTEAD OF DISK
+
+{% if gw_squid_whitelist %}
+#acl allow_src_ips src "/etc/squid/allow_src_ips"
+acl allow_dst_domains dstdomain "/etc/squid/allow_dst_domains"
+acl allow_url_regexs url_regex -i "/etc/squid/allow_url_regexs"
+#acl allow_dst_ips dst "/etc/squid/allow_dst_ips"
+#acl deny_url_regexs url_regex -i "/etc/squid/deny_url_regexs"
+#acl deny_dst_ips src "/etc/squid/deny_dst_ips"
+
+#http_access allow allow_src_ips
+http_access allow allow_dst_domains
+http_access allow allow_url_regexs
+#http_access allow allow_dst_ips
+#http_access deny deny_url_regexs
+#http_access deny deny_dst_ips
+{% endif %}
+
+# 2021-08-16: DEFAULTS HAPPEN ANYWAY
+# http_access deny all
+# access_log /var/log/squid/access.log
+# cache_log /var/log/squid/cache.log
+# pid_filename /var/run/squid.pid

vars/default_vars.yml

@@ -255,12 +255,12 @@ nginx_log_dir: /var/log/nginx
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False         # SEE 'iiab_gateway_enabled' FURTHER ABOVE
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
-gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 
 # UNMAINTAINED as of July 2021

vars/local_vars_big.yml

@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False         # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
-gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS

vars/local_vars_medium.yml

@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False         # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
-gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS

vars/local_vars_min.yml

@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False         # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
-gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS

vars/local_vars_unittest.yml

@@ -147,12 +147,12 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
-# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
-# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False         # SET 'iiab_gateway_enabled: True' FURTHER ABOVE?
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
-gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
 gw_block_https: False
 
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS