Ansible roles
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

300 lines
7.5 KiB

---
squid_http_ports:
- port: 3128
- port: 3129
mode: intercept
squid_https_ports:
- port: 3130
mode: intercept
options:
- ssl-bump
- cert=/etc/squid/tls/cert.pem
- key=/etc/squid/tls/key.pem
- generate-host-certificates=off
squid_nat_http_ports: [80]
squid_nat_https_ports: [443,8006,8443]
squid_src_ip: "{{ squid_servers_ip + squid_workstations_ip + squid_admins_ip + squid_vip_ip + squid_guests_ip }}"
squid_safe_ports: [ 80, 443, 21 ]
squid_ssl_ports: [ 443, 8006, 8443 ]
# Admin email displayed on denied and error pages
# squid_admin_email: admin@example.com
# Should we scan content with ClamAV. Default is disabled
squid_scan_av: True
# Files bigger than (in bytes) this won't be scanned
squid_av_max_size: 5000000
squid_servers_ip:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
squid_workstations_ip:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
squid_vip_ip: []
squid_admins_ip: []
squid_guests_ip: []
squid_base_acl:
- name: safe_ports
type: port
items: "{{ squid_safe_ports }}"
- name: ssl_ports
type: port
items: "{{ squid_ssl_ports }}"
- name: servers_src
type: src
items: "{{ squid_servers_ip }}"
- name: workstations_src
type: src
items: "{{ squid_workstations_ip }}"
- name: guests_src
type: src
items: "{{ squid_guests_ip }}"
- name: vip_src
type: src
items: "{{ squid_vip_ip }}"
- name: admins_src
type: src
items: "{{ squid_admins_ip }}"
- name: av_src
type: src
items: "{{ (squid_vip_ip + squid_workstations_ip + squid_guests_ip + squid_servers_ip) | unique }}" # Everyone except admins will have AV scans. Admins might need to check suspucious stuff
- name: servers_dst
type: dst
items: "{{ squid_servers_ip }}"
- name: workstations_dst
type: dst
items: "{{ squid_workstations_ip }}"
- name: guests_dst
type: dst
items: "{{ squid_guests_ip }}"
- name: localnet_src
type: src
items: "{{ (squid_servers_ip + squid_workstations_ip + squid_vip_ip + squid_admins_ip + squid_guests_ip) | unique }}"
- name: localnet_dst
type: dst
items: "{{ (squid_servers_ip + squid_workstations_ip + squid_vip_ip + squid_admins_ip + squid_guests_ip) | unique }}"
- name: connect
type: method
items: [ CONNECT ]
- name: sys_urls
type: url_regex
items: []
- name: sys_domains
type: dstdomain
items:
- '"/etc/squid/acl/software_windows.domains"'
- '"/etc/squid/acl/service_fws.domains"'
- '"/etc/squid/acl/service_various.domains"'
- '"/etc/squid/acl/software_epel.domains"'
- '"/etc/squid/acl/software_centos.domains"'
- '"/etc/squid/acl/software_debian.domains"'
- '"/etc/squid/acl/software_various.domains"'
- '"/etc/squid/acl/software_smeserver.domains"'
- '"/etc/squid/acl/software_remi.domains"'
- name: local_whitelist_domains
type: dstdomain
items:
- '"/etc/squid/acl/local_whitelist.domains"'
- name: local_blacklist_domains
type: dstdomain
items:
- '"/etc/squid/acl/local_blacklist.domains"'
- name: local_whitelist_urls
type: dstdomain
items:
- '"/etc/squid/acl/local_whitelist.urls"'
- name: local_blacklist_urls
type: dstdomain
items:
- '"/etc/squid/acl/local_blacklist.urls"'
- name: local_whitelist_sni
type: ssl::server_name
items:
- '"/etc/squid/acl/local_whitelist.domains"'
- name: local_blacklist_sni
type: ssl::server_name
items:
- '"/etc/squid/acl/local_blacklist.domains"'
- name: wuconnect
type: dstdomain
items:
- www.update.microsoft.com
- sls.microsoft.com
- name: no_av_scan_req
type: req_mime_type
items:
- '-i ^text/plain'
- '-i ^text/css'
- '-i ^application/xml'
- '-i ^application/json'
- '-i ^image/'
- '-i ^audio/'
- '-i ^video/'
- name: no_av_scan_rep
type: rep_mime_type
items:
- '-i ^text/plain'
- '-i ^text/css'
- '-i ^application/xml'
- '-i ^application/json'
- '-i ^image/'
- '-i ^audio/'
- '-i ^video/'
- name: sslbump_step1
type: at_step
items: [SslBump1]
- name: sslbump_step2
type: at_step
items: [SslBump2]
- name: sslbump_step3
type: at_step
items: [SslBump3]
# List of URL regex not to cache
squid_no_cache:
- 'https?://.*\.letsencrypt\.org/'
squid_extra_acl: []
squid_acl: "{{ squid_base_acl + squid_extra_acl }}"
squid_local_whitelist: []
squid_local_blacklist: []
# Access rules. There's always a last default deny all access rule
squid_base_http_access:
- policy: allow
match: "local_whitelist_domains"
priority: 10
- policy: allow
match: "local_whitelist_urls"
priority: 10
- policy: deny
match: "local_blacklist_domains"
priority: 20
- policy: deny
match: "local_blacklist_urls"
priority: 20
- policy: allow
match:
- "localhost"
- "manager"
priority: 100
- policy: deny
match: "manager"
priority: 200
- policy: deny
match: "!safe_ports"
priority: 300
- policy: deny
match:
- "connect"
- "!ssl_ports"
priority: 400
- policy: allow
match:
- "localnet_src"
- "sys_urls"
priority: 500
- policy: allow
match:
- "localnet_src"
- "sys_domains"
priority: 500
- policy: allow
match:
- "CONNECT"
- "wuconnect"
- "localnet_src"
priority: 700
- policy: deny
match: "localnet_dst"
priority: 800
- policy: allow
match: "vip_src"
priority: 1300
- policy: allow
match: "admins_src"
priority: 1400
squid_extra_http_access: []
squid_http_access: "{{ squid_base_http_access + squid_extra_http_access }}"
squid_base_ssl_bump:
- policy: peek
match:
- "sslbump_step1"
- "all"
priority: 100
- policy: splice
match: "local_whitelist_sni"
priority: 200
- policy: terminate
match: "local_blacklist_sni"
priority: 300
- policy: splice
match: "all"
priority: 400
squid_extra_ssl_bump: []
squid_ssl_bump: "{{ squid_base_ssl_bump + squid_extra_ssl_bump }}"
# Should disk cache be enabled
squid_disk_cache: True
# Size of the on-disk cache, in MB
squid_disk_cache_size: 2048
# Size of the in-memory cache, in MB
squid_mem_cache_size: 200
# Max size of objects to cache, in MB
squid_max_object_size: 300
# Filter URL using ufdbGuard
squid_filter_url: True
squid_ufdb_deny_tunnels: True
squid_ufdb_blocked_url: http://{{ inventory_hostname }}/cgi-bin/URLblocked.cgi?admin=Le staff IT&color=orange&size=normal&clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&category=%t&url=%u
# Should we update blacklists from the university of Toulouse
squid_ufdb_update_from_univ: True
# Categories blocked for everyone, except admins (but including vip)
squid_ufdb_base_dangerous_categories:
- cryptojacking
- ddos
- malware
- phishing
squid_ufdb_extra_dangerous_categories: []
squid_ufdb_dangerous_categories: "{{ squid_ufdb_base_dangerous_categories + squid_ufdb_extra_dangerous_categories }}"
# Blocked for regular user (workstations)
squid_ufdb_base_blocked_categories:
- warez
- redirector
- strict_redirector
- strong_redirector
squid_ufdb_guests_blocked_categories:
- warez
- redirector
- strict_redirector
- strong_redirector
- adult
- agressif
- astrology
- arjel
- dangerous_material
- ddos
- download
- drogue
- gambling
- hacking
- malware
- marketingware
- mixed_adult
- mobile-phone
- phishing
squid_ufdb_extra_blocked_categories: []
squid_ufdb_blocked_categories: "{{ squid_ufdb_base_blocked_categories + squid_ufdb_extra_blocked_categories }}"