authorJan Dittberner <jandd@cacert.org>2017-08-26 17:18:38 +0200
committerJan Dittberner <jandd@cacert.org>2017-08-26 17:18:38 +0200
commit22ae2f3bc8c6359a71694380ee070640ebdf99ba (patch)
tree7ae19e96d774fd1fdb756b8bb0f19e32347e7111 /sitemodules/profiles
parent0971e020ea28a876b67b0b02c7cd5e8126ebb20b (diff)
Add ACLs for squid on proxyout
Diffstat (limited to 'sitemodules/profiles')
-rw-r--r--sitemodules/profiles/manifests/squid.pp7
-rw-r--r--sitemodules/profiles/templates/squid/squid.conf.epp15
2 files changed, 19 insertions, 3 deletions
diff --git a/sitemodules/profiles/manifests/squid.pp b/sitemodules/profiles/manifests/squid.pp
index d614d91..193d4cf 100644
--- a/sitemodules/profiles/manifests/squid.pp
+++ b/sitemodules/profiles/manifests/squid.pp
@@ -27,7 +27,8 @@
#
# Copyright 2017 Jan Dittberner
class profiles::squid (
- Array[String] $acls = [],
+ Optional[Array[String]] $acls = undef,
+ Optional[Array[String]] $http_access = undef,
) {
package { 'squid':
ensure => latest,
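Review bot: The new `undef` defaults in the parameter list are handed straight to `epp()` in the next hunk, while the template in the second file declares `Array[String] $acls = []` and `Array[String] $http_access = []`; that only works if Puppet substitutes the template default for an explicitly passed `undef`, otherwise `$acls.each` fails at catalog compile with a type mismatch. Keeping the previous `Array[String] $acls = [],` and adding `Array[String] $http_access = [],` makes the types agree on both sides and removes the need for `Optional`. The new `$http_access` parameter is also undocumented; the class header starts before this hunk, so add an entry there along the lines of `# @param http_access squid http_access rule bodies (constructed example: "allow localnet"), inserted in order after the localhost allow and before the final deny all.`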
@@ -42,7 +43,9 @@ class profiles::squid (
owner => 'root',
group => 'root',
mode => '0644',
- content => epp('profiles/squid/squid.conf.epp', {'acls' => $acls}),
+ content => epp('profiles/squid/squid.conf.epp',
+ {'acls' => $acls, 'http_access' => $http_access}
+ ),
require => Package['squid'],
notify => Service['squid'],
}
diff --git a/sitemodules/profiles/templates/squid/squid.conf.epp b/sitemodules/profiles/templates/squid/squid.conf.epp
index 66cc63f..da39138 100644
--- a/sitemodules/profiles/templates/squid/squid.conf.epp
+++ b/sitemodules/profiles/templates/squid/squid.conf.epp
@@ -1,3 +1,9 @@
+<%- | Array[String] $acls = [],
+ Array[String] $http_access = [],
+ |-%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#
# WELCOME TO SQUID 3.5.23
# ----------------------------
#
@@ -978,6 +984,10 @@
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+<%- $acls.each |acl| { %>
+acl <%= $acl %>
+<% } -%>
+
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
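Review bot: The lambda parameter `|acl|` on the first added line lacks the `$` sigil Puppet requires for lambda parameters, so as rendered here the template would not parse; it should read `<%- $acls.each |$acl| { -%>` (the same applies to `|access_rule|` in the last hunk of this file). Each `$acls` entry is spliced verbatim into squid.conf, so a malformed entry is not caught at compile time and only surfaces when the notified service reloads; the template should state what is expected, e.g. `# Site-specific ACL definitions from the acls parameter; each entry is the remainder of an "acl" line (name type value...).` Using `-%>` on the opening tag as well would avoid the stray blank line emitted before every generated acl line.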
@@ -1178,7 +1188,7 @@ http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
-#http_access deny to_localhost
+http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
@@ -1189,6 +1199,9 @@ http_access deny manager
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
+<%- $http_access.each |access_rule| { %>
+http_access <%= $access_rule %>
+<% } -%>
# And finally deny all other access to this proxy
http_access deny all
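Review bot: The generated `$http_access` rules land between `http_access allow localhost` and `http_access deny all`, and squid applies http_access directives on first match, so the order of the entries in the data source is the effective policy and one permissive entry ends evaluation for every rule after it. That contract should be written next to the loop in the generated file, e.g. `# Site-specific http_access rules; evaluated first-match in the order given, before the final deny all.` Squid also emits a warning when the final `deny all` is not the last rule, so keeping the loop above that line, as done here, is the right placement.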