Ansible roles
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

93 lines
3.4 KiB

logdir "/var/log/ufdbGuard/"
dbhome "/var/ufdbguard/blacklists"
logall on
squid-version "3.5"
squid-uses-active-bumping off
url-lookup-result-during-database-reload allow
url-lookup-result-when-fatal-error deny
check-proxy-tunnels {{ squid_ufdb_deny_tunnels | ternary('queue-checks','log-only') }}
safe-search off
lookup-reverse-ip on
use-ipv6-on-wan off
upload-crash-reports off
max-logfile-size 200000000
youtube-edufilter off
source localhost {
ipv4 127.0.0.1/32
}
source workstations {
{% for net in squid_workstations_ip %}
ipv4 {{ net }}
{% endfor %}
}
source servers {
{% for net in squid_servers_ip %}
ipv4 {{ net }}
{% endfor %}
}
source vip {
{% for net in squid_vip_ip %}
ipv4 {{ net }}
{% endfor %}
}
source admins {
{% for net in squid_admins_ip %}
ipv4 {{ net }}
{% endfor %}
}
source guests {
{% for net in squid_guests_ip %}
ipv4 {{ net }}
{% endfor %}
}
{% for category in squid_ufdb_db.results %}
category {{ category.item }} {
redirect "302:{{ squid_ufdb_blocked_url }}"
{% if category.stat.exists %}
domainlist {{ category.item }}/domains
{% endif %}
{% if category.item == 'security' %}
cacerts "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
# TODO: options to turn on/off
option enforce-https-with-hostname off
option enforce-https-official-certificate off
option https-prohibit-insecure-sslv2 on
option https-prohibit-insecure-sslv3 off
option allow-aim-over-https on
option allow-gtalk-over-https on
option allow-skype-over-https on
option allow-yahoomsg-over-https on
option allow-fb-chat-over-https on
option allow-citrixonline-over-https on
option allow-unknown-protocol-over-https on
{% endif %}
}
{% endfor %}
acl {
localhost {
pass any
}
admins {
pass any
}
vip {
pass local_whitelist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
}
servers {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
}
guests {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
}
workstations {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
}
default {
pass none
redirect "302:{{ squid_ufdb_blocked_url }}"
}
}