From 22ae2f3bc8c6359a71694380ee070640ebdf99ba Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jandd@cacert.org>
Date: Sat, 26 Aug 2017 17:18:38 +0200
Subject: Add ACLs for squid on proxyout

---
 sitemodules/profiles/manifests/squid.pp             |  7 +++++--
 sitemodules/profiles/templates/squid/squid.conf.epp | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

(limited to 'sitemodules')

diff --git a/sitemodules/profiles/manifests/squid.pp b/sitemodules/profiles/manifests/squid.pp
index d614d91..193d4cf 100644
--- a/sitemodules/profiles/manifests/squid.pp
+++ b/sitemodules/profiles/manifests/squid.pp
@@ -27,7 +27,8 @@
 #
 # Copyright 2017 Jan Dittberner
 class profiles::squid (
-  Array[String] $acls = [],
+  Optional[Array[String]] $acls = undef,
+  Optional[Array[String]] $http_access = undef,
 ) {
   package { 'squid':
     ensure => latest,
@@ -42,7 +43,9 @@ class profiles::squid (
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => epp('profiles/squid/squid.conf.epp', {'acls' => $acls}),
+    content => epp('profiles/squid/squid.conf.epp',
+                   {'acls' => $acls, 'http_access' => $http_access}
+               ),
     require => Package['squid'],
     notify  => Service['squid'],
   }
diff --git a/sitemodules/profiles/templates/squid/squid.conf.epp b/sitemodules/profiles/templates/squid/squid.conf.epp
index 66cc63f..da39138 100644
--- a/sitemodules/profiles/templates/squid/squid.conf.epp
+++ b/sitemodules/profiles/templates/squid/squid.conf.epp
@@ -1,3 +1,9 @@
+<%- | Array[String] $acls = [],
+      Array[String] $http_access = [],
+    |-%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#
 #	WELCOME TO SQUID 3.5.23
 #	----------------------------
 #	
@@ -978,6 +984,10 @@
 #acl localnet src fc00::/7       # RFC 4193 local private network range
 #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
 
+<%- $acls.each |acl| { %>
+acl <%= $acl %>
+<% } -%>
+
 acl SSL_ports port 443
 acl Safe_ports port 80		# http
 acl Safe_ports port 21		# ftp
@@ -1178,7 +1188,7 @@ http_access deny manager
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
-#http_access deny to_localhost
+http_access deny to_localhost
 
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
@@ -1189,6 +1199,9 @@ http_access deny manager
 # from where browsing should be allowed
 #http_access allow localnet
 http_access allow localhost
+<%- $http_access.each |access_rule| { %>
+http_access <%= $access_rule %>
+<% } -%>
 
 # And finally deny all other access to this proxy
 http_access deny all
-- 
cgit v1.2.1