-rw-r--r-- | hieradata/nodes/proxyout.yaml | 9 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/squid.pp | 7 | ||||
-rw-r--r-- | sitemodules/profiles/templates/squid/squid.conf.epp | 15 |
3 files changed, 28 insertions, 3 deletions
diff --git a/hieradata/nodes/proxyout.yaml b/hieradata/nodes/proxyout.yaml
index 47c228c..27ff49b 100644
--- a/hieradata/nodes/proxyout.yaml
+++ b/hieradata/nodes/proxyout.yaml
@@ -4,3 +4,12 @@ classes:
 profiles::base::admins:
 - jandd
 - law
+profiles::squid:
+ acls:
+ - "localnet src 10.0.0.0/24"
+ - "debmirror dstdomain .debian.org"
+ - "debpgsql dstdomain apt.postgresql.org"
+ - "debpuppet dstdomain apt.puppetlabs.com"
+ http_access:
+ - "allow localnet debmirror"
+ - "allow localnet debpuppet"
diff --git a/sitemodules/profiles/manifests/squid.pp b/sitemodules/profiles/manifests/squid.pp
index d614d91..193d4cf 100644
--- a/sitemodules/profiles/manifests/squid.pp
+++ b/sitemodules/profiles/manifests/squid.pp
@@ -27,7 +27,8 @@
 #
 # Copyright 2017 Jan Dittberner
 class profiles::squid (
- Array[String] $acls = [],
+ Optional[Array[String]] $acls = undef,
+ Optional[Array[String]] $http_access = undef,
 ) {
 package { 'squid':
 ensure => latest,
@@ -42,7 +43,9 @@ class profiles::squid (
 owner => 'root',
 group => 'root',
 mode => '0644',
- content => epp('profiles/squid/squid.conf.epp', {'acls' => $acls}),
+ content => epp('profiles/squid/squid.conf.epp',
+ {'acls' => $acls, 'http_access' => $http_access}
+ ),
 require => Package['squid'],
 notify => Service['squid'],
 }
diff --git a/sitemodules/profiles/templates/squid/squid.conf.epp b/sitemodules/profiles/templates/squid/squid.conf.epp
index 66cc63f..da39138 100644
--- a/sitemodules/profiles/templates/squid/squid.conf.epp
+++ b/sitemodules/profiles/templates/squid/squid.conf.epp
@@ -1,3 +1,9 @@
+<%- | Array[String] $acls = [],
+ Array[String] $http_access = [],
+ |-%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#
 # WELCOME TO SQUID 3.5.23
 # ----------------------------
 #
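Review bot: The `debpgsql` ACL is declared under `acls` but nothing in `http_access` references it, so apt.postgresql.org still ends up at the final `deny all` while the other two mirrors are allowed; either add `- "allow localnet debpgsql"` or drop the unused ACL so the intent of the data is unambiguous. Since every string here is spliced verbatim into squid.conf, a short YAML comment above the two lists noting that each entry must be a complete `acl` / `http_access` clause (minus the leading keyword) and that the rules are applied in list order would help whoever edits this node's data next.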
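Review bot: The `file` resource in the second squid.pp hunk writes whatever strings come out of hiera straight into squid.conf without checking that the result parses, so a typo in `acls` or `http_access` leaves the proxy down after the `notify` restarts Squid on a config it cannot load; adding `validate_cmd => '/usr/sbin/squid -k parse -f %',` to that resource makes Puppet refuse to install a config Squid rejects. In the first hunk both parameters become `Optional[Array[String]] … = undef`, which relies on the template substituting its own `[]` defaults when it is handed undef; I believe Puppet does that for EPP parameters, but keeping `Array[String] $acls = [],` and `Array[String] $http_access = [],` in the class avoids depending on it and keeps the types simpler. The new `$http_access` parameter also needs an entry in the class header comment, which lies outside the hunk.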
@@ -978,6 +984,10 @@
 #acl localnet src fc00::/7 # RFC 4193 local private network range
 #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
 
+<%- $acls.each |acl| { %>
+acl <%= $acl %>
+<% } -%>
+
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
@@ -1178,7 +1188,7 @@ http_access deny manager
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
-#http_access deny to_localhost
+http_access deny to_localhost
 
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
@@ -1189,6 +1199,9 @@ http_access deny manager
 # from where browsing should be allowed
 #http_access allow localnet
 http_access allow localhost
 
+<%- $http_access.each |access_rule| { %>
+http_access <%= $access_rule %>
+<% } -%>
 # And finally deny all other access to this proxy
 http_access deny all
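Review bot: The lambda parameters in the two new loops are written without the `$` sigil (`|acl|` here and `|access_rule|` in the third hunk of this file); Puppet lambdas declare their parameters as variables, so I would expect this template to fail to parse, and the tags should read `<%- $acls.each |$acl| { %>` and `<%- $http_access.each |$access_rule| { %>`. If it does parse on the Puppet version in use, a comment saying so would spare the next reader the same double-take. The opening tag also closes with `%>` rather than `-%>`, so each iteration emits a leading newline and the generated `acl` lines come out separated by blank lines; harmless, but `-%>` on the opening tag keeps the output compact.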
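Review bot: The injected rules in the third hunk land between `http_access allow localhost` and the final `http_access deny all`, so each hiera entry must be a complete `allow|deny <acl …>` clause and the entries are evaluated in list order, yet nothing in the template says so. A comment above the loop such as `# Site-specific rules from profiles::squid::http_access (hiera), applied in order before the final deny all` would make that contract explicit for whoever edits the node data; the `acls` loop in the first hunk of this file deserves the matching note.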