commit ea5a8d8c87755fae0141fd54fd99f79d0604c6c0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Aug 24 11:59:00 2017 +0200
Add squid role
files/squid/custom_redirect.py | 49 +++++++++++
files/squid/squid.conf | 76 +++++++++++++++++
files/squid/squid.conf.hv01.online.rpmfusion.net | 97 ++++++++++++++++++++++
files/squid/squid.conf.linaro | 80 ++++++++++++++++++
files/squid/squid.conf.osuosl | 80 ++++++++++++++++++
files/squid/squid.conf.scaleway | 80 ++++++++++++++++++
roles/squid/tasks/main.yml | 54 ++++++++++++
7 files changed, 516 insertions(+), 0 deletions(-)
---
diff --git a/files/squid/custom_redirect.py b/files/squid/custom_redirect.py
new file mode 100755
index 0000000..00f4f03
--- /dev/null
+++ b/files/squid/custom_redirect.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+import sys
+
+fedorasecondary = [ 'rawhide', '26', '27']
+fedorasecondaryarches = [ 'i386', 'ppc64', 'aarch64' ]
+
+def modify_url(line):
+ list = line.split(' ')
+ # first element of the list is the URL
+ old_url = list[0]
+ new_url = '\n'
+ # take the decision and modify the url if needed
+ # do remember that the new_url should contain a '\n' at the end.
+ if 'dl.fedoraproject.org' in old_url:
+ #if 'rawhide' or '/26/' or '/27/' in old_url:
+ if '/fedora/linux/' in old_url:
+ if '/25/' not in old_url:
+ if '/i386/' in old_url:
+ new_url = old_url.replace('/fedora/linux/',
'/fedora-secondary/') + '\n'
+ elif '/ppc64' in old_url:
+ new_url = old_url.replace('/fedora/linux/',
'/fedora-secondary/') + '\n'
+ elif '/aarch64/' in old_url:
+ new_url = old_url.replace('/fedora/linux/',
'/fedora-secondary/') + '\n'
+
+ if '/epel/7/' in old_url:
+ if '/i386/' in old_url:
+ new_url = old_url.replace('/i386/', '/x86_64/') +
'\n'
+
+ #altarch support for centos
+ if 'mirror.centos.org' in old_url:
+ if '/centos/6/' not in old_url:
+ if '/x86_64/' not in old_url:
+ new_url = old_url.replace('/centos/', '/altarch/') +
'\n'
+
+ return new_url
+
+while True:
+ # the format of the line read from stdin is
+ # URL ip-address/fqdn ident method
+ # for example
+ #
http://saini.co.in 172.17.8.175/saini.co.in - GET -
+ line = sys.stdin.readline().strip()
+ # new_url is a simple URL only
+ # for example
+ #
http://fedora.co.in
+ new_url = modify_url(line)
+ sys.stdout.write(new_url)
+ sys.stdout.flush()
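Review bot: The `while True` loop at the bottom of the hunk never terminates: once Squid closes the helper's stdin, `sys.stdin.readline()` returns `''` on every call, `.strip()` keeps it empty, and the loop writes a bare `'\n'` forever, pinning one CPU per helper (the hv01 config starts `redirect_children 20`). Test for EOF before stripping: `line = sys.stdin.readline()` / `if not line: break` / `line = line.strip()`. In modify_url, `list = line.split(' ')` shadows the builtin (`fields` would do), and `fedorasecondary`/`fedorasecondaryarches` are assigned but never read, which together with the commented-out `#if 'rawhide' or ...` line suggests the three identical `/i386/`, `/ppc64`, `/aarch64/` branches were meant to loop over those lists. Note also that the host checks are plain substring tests on the whole URL (`'dl.fedoraproject.org' in old_url`, `'mirror.centos.org' in old_url`), so any request whose path or query happens to contain that text is rewritten too; parsing with `urlparse` and comparing the hostname would make the rule exact.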
diff --git a/files/squid/squid.conf b/files/squid/squid.conf
new file mode 100644
index 0000000..1e1694e
--- /dev/null
+++ b/files/squid/squid.conf
@@ -0,0 +1,76 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
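Review bot: `acl localhet src 169.254.0.0/16` on the link-local line is a typo for `localnet`; as written it defines a separate ACL that no `http_access` rule references (Squid warns about unused ACLs at startup) and leaves 169.254.0.0/16 outside the allowed networks, which the comment next to it suggests is not the intent. The same line appears in squid.conf.linaro, squid.conf.osuosl and squid.conf.scaleway, and it looks copied from the stock Squid example config, which appears to carry the same typo. Change it to `acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines`, or drop the line if link-local clients are not wanted, which removes the unused ACL as well.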
diff --git
a/files/squid/squid.conf.hv01.online.rpmfusion.net
b/files/squid/squid.conf.hv01.online.rpmfusion.net
new file mode 100644
index 0000000..1862f42
--- /dev/null
+++
b/files/squid/squid.conf.hv01.online.rpmfusion.net
@@ -0,0 +1,97 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+acl to_rpmfusion dstdomain .rpmfusion.org
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+#http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+#http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access allow localnet manager
+http_access deny manager
+
+acl Purge method PURGE
+http_access allow localhost Purge
+http_access allow localnet Purge
+http_access deny Purge
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 192.168.181.254:3128
+http_port 192.168.182.1:3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir ufs /var/spool/squid 100000 16 256
+
+#cache_peer
download.fedoraproject.org parent 80 0 no-query
+#cache_peer
mirror.centos.org parent 80 0 no-query
+#cache_peer
epel.mirrors.ovh.net parent 80 0 no-query
+#cache_peer mirrors.ircam.fr parent 80 0 no-query
+
+
+acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$
+cache deny nonCacheURL
+cache deny to_rpmfusion
+
+redirect_program /usr/bin/python /etc/squid/custom_redirect.py
+redirect_children 20
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern -i \.rpm$ 604800 90% 604800
+refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200
+refresh_pattern . 0 20% 4320
+
+dns_v4_first on
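Review bot: Both port-safety rules are commented out in this file (`#http_access deny !Safe_ports`, `#http_access deny CONNECT !SSL_ports`) while every other squid.conf in the commit keeps them; combined with `http_access allow localnet`, any host in the RFC 1918 ranges that can reach 192.168.181.254 or 192.168.182.1 can CONNECT through this proxy to arbitrary ports, which makes it a general TCP relay for the internal network. If a non-443 CONNECT target is genuinely required, add that port to `SSL_ports` and restore the two lines: `http_access deny !Safe_ports` / `http_access deny CONNECT !SSL_ports`. The `manager` and `Purge` methods are also opened to the whole of localnet (`http_access allow localnet manager`, `http_access allow localnet Purge`), so any internal client can read cache statistics and evict objects; restricting both to the specific admin hosts would be tighter. `#http_access deny to_localhost` stays commented here and in squid.conf but is enabled in the linaro/osuosl/scaleway variants, so that difference should either be deliberate and commented or harmonised.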
diff --git a/files/squid/squid.conf.linaro b/files/squid/squid.conf.linaro
new file mode 100644
index 0000000..25b913e
--- /dev/null
+++ b/files/squid/squid.conf.linaro
@@ -0,0 +1,80 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir ufs /var/spool/squid 15000 16 256
+
+cache_peer
proxy.vpn.rpmfusion.net parent 3128 0 no-query
+
+acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$
+cache deny nonCacheURL
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern -i \.rpm$ 604800 90% 604800
+refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200
+refresh_pattern . 0 20% 4320
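Review bot: `cache_peer proxy.vpn.rpmfusion.net parent 3128 0 no-query` declares a parent but nothing forces its use: without a `never_direct allow all` rule Squid may still fetch directly from origin servers whenever the peer is unavailable or a direct fetch is chosen, so traffic is not guaranteed to traverse the VPN proxy. The same applies to squid.conf.osuosl and squid.conf.scaleway, which carry an identical `cache_peer` line (the two files are byte-identical, both `index 0000000..1cf1ce0`). If all upstream fetches must go through the parent, add `never_direct allow all` after the cache_peer line; if direct fetch is an acceptable fallback, a one-line comment saying so would spare the next reader the question.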
diff --git a/files/squid/squid.conf.osuosl b/files/squid/squid.conf.osuosl
new file mode 100644
index 0000000..1cf1ce0
--- /dev/null
+++ b/files/squid/squid.conf.osuosl
@@ -0,0 +1,80 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir ufs /var/spool/squid 40000 16 256
+
+cache_peer
proxy.vpn.rpmfusion.net parent 3128 0 no-query
+
+acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$
+cache deny nonCacheURL
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern -i \.rpm$ 604800 90% 604800
+refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200
+refresh_pattern . 0 20% 4320
diff --git a/files/squid/squid.conf.scaleway b/files/squid/squid.conf.scaleway
new file mode 100644
index 0000000..1cf1ce0
--- /dev/null
+++ b/files/squid/squid.conf.scaleway
@@ -0,0 +1,80 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir ufs /var/spool/squid 40000 16 256
+
+cache_peer
proxy.vpn.rpmfusion.net parent 3128 0 no-query
+
+acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$
+cache deny nonCacheURL
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern -i \.rpm$ 604800 90% 604800
+refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200
+refresh_pattern . 0 20% 4320
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100644
index 0000000..a2b9737
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# tasks file for squid
+
+- name: install squid (yum)
+ yum: name=squid state=present
+ tags:
+ - squid
+ - packages
+ when: ansible_distribution_major_version|int < 22
+
+- name: install squid (dnf)
+ dnf: name=squid state=present
+ tags:
+ - squid
+ - packages
+ when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not
defined
+
+- name: set squid running/enabled
+ service: name=squid enabled=yes
+ ignore_errors: true
+ tags:
+ - service
+ - squid
+
+- name: custom_redirect
+ file: src="{{files}}/squid/custom_redirect.py"
dest=/etc/squid/custom_redirect.py mode=0750
+ owner=root group=squid
+ notify:
+ - reload squid
+ tags:
+ - squid
+ - config
+ when: inventory_hostname.startswith('hv01.online')
+
+- name: squid.conf
+ template: src={{item}} dest=/etc/squid/squid.conf mode=0640 owner=root group=squid
+ with_first_found:
+ - "{{files}}/squid/squid.conf.{{ansible_hostname}}"
+ - "{{files}}/squid/squid.conf.{{datacenter}}"
+ - "{{files}}/squid/squid.conf"
+ notify:
+ - reload squid
+ tags:
+ - squid
+ - config
+
+- name: create squid swap files
+ command: /usr/sbin/squid -z creates="/var/spool/squid/00"
+ notify:
+ - reload squid
+ tags:
+ - squid
+ - config
+
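Review bot: The `custom_redirect` task uses the `file` module with `src=` but no `state=link`; as far as I can tell `file` only honours `src` for `state=link`/`state=hard`, so with the default state it neither copies nor links the script and fails because `dest` is absent — the task should use `copy`, mirroring the `template` task below it: `copy: src="{{files}}/squid/custom_redirect.py" dest=/etc/squid/custom_redirect.py mode=0750 owner=root group=squid`. The `set squid running/enabled` task only sets `enabled=yes`; despite its name it never starts the service (no `state=started`), and `ignore_errors: true` would hide a failure there as well. `with_first_found` also keys the per-host config on `{{ansible_hostname}}`, which is normally the short host name, while the file shipped is `squid.conf.hv01.online.rpmfusion.net`; unless that host reports its FQDN as ansible_hostname, the hv01 file will never be selected and the `{{datacenter}}` or default config is used instead, so `ansible_fqdn` may be what was intended.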