authorMatthieu Saulnier <fantom@fedoraproject.org>2014-12-17 20:01:36 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2014-12-17 20:01:36 +0100
commit741c2cbab822749744aca1fa82aff6b166b84678 (patch)
treee5cf2fed561172f5755f47f8881945032917072c
parente8b6095354e6c90175341be34a915c00c675c57a (diff)
Create reverse proxy new role with squid
-rw-r--r--hosts3
-rw-r--r--roles/squid/handlers/main.yml2
-rw-r--r--roles/squid/tasks/main.yml19
-rw-r--r--roles/squid/templates/head.j224
-rw-r--r--roles/squid/templates/squid.conf.j291
-rw-r--r--site.yml1
-rw-r--r--squid.yml4
7 files changed, 144 insertions, 0 deletions
diff --git a/hosts b/hosts
index b311e49..ef6f7c6 100644
--- a/hosts
+++ b/hosts
@@ -24,3 +24,6 @@ ns2.casperlefantom.net
[tornodes]
ns2.casperlefantom.net
+
+[proxies]
+ns2.casperlefantom.net
diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml
new file mode 100644
index 0000000..ca24469
--- /dev/null
+++ b/roles/squid/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart squid
+ service: name=squid state=restarted
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100644
index 0000000..06a34ab
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Installation du paquet squid depuis le dépôt
+ yum: name=squid state=present
+
+- name: Configuration du service
+ template: src=head.j2 dest=/etc/squid/squid.conf
+ owner=root
+ group=squid
+ mode=640
+ notify: restart squid
+
+- name: Ouverture des ports Firewalld
+ firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled
+ with_nested:
+ - [ '80/tcp', '443/tcp' ]
+ - [ 'true', 'false' ]
+ when: ansible_distribution == "Fedora"
+
+- name: Activation et démarrage du reverse proxy squid
+ service: name=squid state=started enabled=yes
diff --git a/roles/squid/templates/head.j2 b/roles/squid/templates/head.j2
new file mode 100644
index 0000000..fed159e
--- /dev/null
+++ b/roles/squid/templates/head.j2
@@ -0,0 +1,24 @@
+{% extends "squid.conf.j2" %}
+{% block head %}
+http_port {{ ansible_default_ipv4.address }}:80 vhost
+http_port [{{ ansible_default_ipv6.address }}]:80 vhost
+
+# Not working: waiting for an openssl cert and key
+#https_port {{ ansible_default_ipv4.address }}:443 cert= key= vhost
+#https_port [{{ ansible_default_ipv6.address }}]:443 cert= key= vhost
+
+cache_peer 127.0.0.1 parent 9030 0 no-query originserver name=tor
+
+acl meshotes dstdomain {{ ansible_default_ipv4.address }} [{{ ansible_default_ipv6.address }}]
+
+acl torsites dstdomain tor-proxy-readme.casperlefantom.net
+
+http_access allow meshotes
+http_access allow torsites
+
+cache_peer_access tor allow meshotes
+cache_peer_access tor allow torsites
+cache_peer_access tor deny all
+
+cache_mgr hostmaster@casperlefantom.net
+{% endblock %}
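Review bot: Nothing in this head block pins forwarding to the `tor` peer: `cache_peer_access tor deny all` restricts what the peer may receive, but Squid can still go DIRECT to the host named in the request when the peer is unavailable, so an accelerator like this normally also carries `never_direct allow all` after the cache_peer line. `acl meshotes dstdomain` is given an IPv4 literal and a bracketed IPv6 literal; dstdomain matches the hostname taken from the URL/Host header, so confirm that Squid matches these literal forms as intended (the IP-based ACL type is `dst`). The `http_port` lines bind the public addresses on port 80 with `vhost`, which is the intended exposure for a reverse proxy; a comment such as `# accelerator ports: only meshotes/torsites are admitted, see cache_peer_access` would help the next reader see that the access policy lives in the rules below.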
diff --git a/roles/squid/templates/squid.conf.j2 b/roles/squid/templates/squid.conf.j2
new file mode 100644
index 0000000..4f618a0
--- /dev/null
+++ b/roles/squid/templates/squid.conf.j2
@@ -0,0 +1,91 @@
+{% block head %}{% endblock %}
+
+#
+# Recommended minimum configuration:
+#
+{% if ansible_distribution == "CentOS" %}
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+{% endif %}
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+{% if ansible_distribution == "CentOS" %}
+# Only allow cachemgr access from localhost
+http_access allow manager localhost
+http_access deny manager
+{% endif %}
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+{% if ansible_distribution == "Fedora" %}
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+{% endif %}
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+{% if ansible_distribution == "CentOS" %}
+# We recommend you to use at least the following line.
+hierarchy_stoplist cgi-bin ?
+{% endif %}
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# Add any of your own refresh_pattern entries above these.
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
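Review bot: `{% block head %}{% endblock %}` is rendered at the very top of the file, so the `http_access allow meshotes` and `allow torsites` rules supplied by head.j2 are evaluated before `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; Squid stops at the first matching http_access line, so those two protections never apply to requests matching the reverse-proxy ACLs. Moving the block marker to just after the CONNECT denial, ahead of the `http_access allow localnet` line, keeps the recommended minimum in force while still admitting the proxied sites. The forward-proxy remnants `http_port 3128`, `http_access allow localnet` and `http_access allow localhost` are kept in a reverse-proxy configuration; the role only opens 80/443 in firewalld, but any client on the RFC1918 ranges and any local process can still use this instance as a general proxy on 3128, so drop these lines if forward proxying is not intended.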
diff --git a/site.yml b/site.yml
index 77241d3..533d56d 100644
--- a/site.yml
+++ b/site.yml
@@ -9,3 +9,4 @@
- include: yum-updatesd.yml
- include: dnsserver.yml
- include: torrelay.yml
+- include: squid.yml
diff --git a/squid.yml b/squid.yml
new file mode 100644
index 0000000..feda70f
--- /dev/null
+++ b/squid.yml
@@ -0,0 +1,4 @@
+- hosts: proxies
+ remote_user: root
+ roles:
+ - squid