Update to 2021-12-01 19:13

This commit is contained in:
Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions


@@ -0,0 +1,305 @@
---
squid_http_ports:
- port: 3128
- port: 3129
mode: intercept
squid_https_ports:
- port: 3130
mode: intercept
options:
- ssl-bump
- cert=/etc/squid/tls/cert.pem
- key=/etc/squid/tls/key.pem
- generate-host-certificates=off
squid_nat_http_ports: [80]
squid_nat_https_ports: [443,8006,8443]
squid_src_ip: "{{ squid_servers_ip + squid_workstations_ip + squid_admins_ip + squid_vip_ip + squid_guests_ip }}"
squid_safe_ports: [ 80, 443, 21 ]
squid_ssl_ports: [ 443, 8006, 8007, 8443, 8448 ]
# Admin email displayed on denied and error pages
# squid_admin_email: admin@example.com
# Should we scan content with ClamAV. Default is disabled
squid_scan_av: True
# Files bigger than (in bytes) this won't be scanned
squid_av_max_size: 5000000
squid_servers_ip:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
squid_workstations_ip:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
squid_vip_ip: []
squid_admins_ip: []
squid_guests_ip: []
squid_base_acl:
- name: safe_ports
type: port
items: "{{ squid_safe_ports }}"
- name: ssl_ports
type: port
items: "{{ squid_ssl_ports }}"
- name: servers_src
type: src
items: "{{ squid_servers_ip }}"
- name: workstations_src
type: src
items: "{{ squid_workstations_ip }}"
- name: guests_src
type: src
items: "{{ squid_guests_ip }}"
- name: vip_src
type: src
items: "{{ squid_vip_ip }}"
- name: admins_src
type: src
items: "{{ squid_admins_ip }}"
- name: av_src
type: src
items: "{{ (squid_vip_ip + squid_workstations_ip + squid_guests_ip + squid_servers_ip) | unique }}" # Everyone except admins will have AV scans. Admins might need to check suspucious stuff
- name: servers_dst
type: dst
items: "{{ squid_servers_ip }}"
- name: workstations_dst
type: dst
items: "{{ squid_workstations_ip }}"
- name: guests_dst
type: dst
items: "{{ squid_guests_ip }}"
- name: localnet_src
type: src
items: "{{ (squid_servers_ip + squid_workstations_ip + squid_vip_ip + squid_admins_ip + squid_guests_ip) | unique }}"
- name: localnet_dst
type: dst
items: "{{ (squid_servers_ip + squid_workstations_ip + squid_vip_ip + squid_admins_ip + squid_guests_ip) | unique }}"
- name: connect
type: method
items: [ CONNECT ]
- name: sys_urls
type: url_regex
items: []
- name: sys_domains
type: dstdomain
items:
- '"/etc/squid/acl/software_windows.domains"'
- '"/etc/squid/acl/service_fws.domains"'
- '"/etc/squid/acl/service_various.domains"'
- '"/etc/squid/acl/software_epel.domains"'
- '"/etc/squid/acl/software_centos.domains"'
- '"/etc/squid/acl/software_almalinux.domains"'
- '"/etc/squid/acl/software_debian.domains"'
- '"/etc/squid/acl/software_various.domains"'
- '"/etc/squid/acl/software_smeserver.domains"'
- '"/etc/squid/acl/software_remi.domains"'
- name: local_whitelist_domains
type: dstdomain
items:
- '"/etc/squid/acl/local_whitelist.domains"'
- name: local_blacklist_domains
type: dstdomain
items:
- '"/etc/squid/acl/local_blacklist.domains"'
- name: local_whitelist_urls
type: dstdomain
items:
- '"/etc/squid/acl/local_whitelist.urls"'
- name: local_blacklist_urls
type: dstdomain
items:
- '"/etc/squid/acl/local_blacklist.urls"'
- name: local_whitelist_sni
type: ssl::server_name
items:
- '"/etc/squid/acl/local_whitelist.domains"'
- name: local_blacklist_sni
type: ssl::server_name
items:
- '"/etc/squid/acl/local_blacklist.domains"'
- name: wuconnect
type: dstdomain
items:
- www.update.microsoft.com
- sls.microsoft.com
- name: no_av_scan_req
type: req_mime_type
items:
- '-i ^text/plain'
- '-i ^text/css'
- '-i ^application/xml'
- '-i ^application/json'
- '-i ^image/'
- '-i ^audio/'
- '-i ^video/'
- name: no_av_scan_rep
type: rep_mime_type
items:
- '-i ^text/plain'
- '-i ^text/css'
- '-i ^application/xml'
- '-i ^application/json'
- '-i ^image/'
- '-i ^audio/'
- '-i ^video/'
- name: sslbump_step1
type: at_step
items: [SslBump1]
- name: sslbump_step2
type: at_step
items: [SslBump2]
- name: sslbump_step3
type: at_step
items: [SslBump3]
# List of URL regex not to cache
squid_no_cache:
- 'https?://.*\.letsencrypt\.org/'
squid_extra_acl: []
squid_acl: "{{ squid_base_acl + squid_extra_acl }}"
squid_local_whitelist: []
squid_local_blacklist: []
# Access rules. There's always a last default deny all access rule
squid_base_http_access:
- policy: allow
match: "local_whitelist_domains"
priority: 10
- policy: allow
match: "local_whitelist_urls"
priority: 10
- policy: deny
match: "local_blacklist_domains"
priority: 20
- policy: deny
match: "local_blacklist_urls"
priority: 20
- policy: allow
match:
- "localhost"
- "manager"
priority: 100
- policy: deny
match: "manager"
priority: 200
- policy: deny
match:
- "!connect"
- "!safe_ports"
priority: 300
- policy: deny
match:
- "connect"
- "!ssl_ports"
priority: 400
- policy: allow
match:
- "localnet_src"
- "sys_urls"
priority: 500
- policy: allow
match:
- "localnet_src"
- "sys_domains"
priority: 500
- policy: allow
match:
- "CONNECT"
- "wuconnect"
- "localnet_src"
priority: 700
- policy: deny
match: "localnet_dst"
priority: 800
- policy: allow
match: "vip_src"
priority: 1300
- policy: allow
match: "admins_src"
priority: 1400
squid_extra_http_access: []
squid_http_access: "{{ squid_base_http_access + squid_extra_http_access }}"
squid_base_ssl_bump:
- policy: peek
match:
- "sslbump_step1"
- "all"
priority: 100
- policy: splice
match: "local_whitelist_sni"
priority: 200
- policy: terminate
match: "local_blacklist_sni"
priority: 300
- policy: splice
match: "all"
priority: 400
squid_extra_ssl_bump: []
squid_ssl_bump: "{{ squid_base_ssl_bump + squid_extra_ssl_bump }}"
# Should disk cache be enabled
squid_disk_cache: True
# Size of the on-disk cache, in MB
squid_disk_cache_size: 2048
# Size of the in-memory cache, in MB
squid_mem_cache_size: 200
# Max size of objects to cache, in MB
squid_max_object_size: 300
# Filter URL using ufdbGuard
squid_filter_url: True
squid_ufdb_deny_tunnels: True
squid_ufdb_blocked_url: http://{{ inventory_hostname }}/cgi-bin/URLblocked.cgi?admin=Le staff IT&color=orange&size=normal&clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&category=%t&url=%u
# Should we update blacklists from the university of Toulouse
squid_ufdb_update_from_univ: True
# Categories blocked for everyone, except admins (but including vip)
squid_ufdb_base_dangerous_categories:
- cryptojacking
- ddos
- malware
- phishing
squid_ufdb_extra_dangerous_categories: []
squid_ufdb_dangerous_categories: "{{ squid_ufdb_base_dangerous_categories + squid_ufdb_extra_dangerous_categories }}"
# Blocked for regular user (workstations)
squid_ufdb_base_blocked_categories:
- warez
- redirector
- strict_redirector
- strong_redirector
squid_ufdb_guests_blocked_categories:
- warez
- redirector
- strict_redirector
- strong_redirector
- adult
- agressif
- astrology
- arjel
- dangerous_material
- ddos
- download
- drogue
- gambling
- hacking
- malware
- marketingware
- mixed_adult
- mobile-phone
- phishing
squid_ufdb_extra_blocked_categories: []
squid_ufdb_blocked_categories: "{{ squid_ufdb_base_blocked_categories + squid_ufdb_extra_blocked_categories }}"
# If you need to write a custom configuration snippet
squid_custom_config: |
# No custom configuration defined
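Review bot: The `local_whitelist_domains` and `local_whitelist_urls` allow rules (priority 10) carry no source ACL and sit ahead of the `manager`, `!safe_ports` and `!ssl_ports` denies, so — assuming the template renders each `match` list as one `http_access` line — any client that can reach the proxy gets a whitelisted destination on any port, with no `localnet_src` check at all. Constrain them, e.g. `match: ["localnet_src", "local_whitelist_domains"]`, or give them a priority above 400 so the port checks are evaluated first. A second issue: `local_whitelist_urls` and `local_blacklist_urls` are typed `dstdomain` but load `.urls` files; if those hold URL patterns (the `sys_urls` ACL uses `url_regex` for the same kind of list) they can never match as domain names, so `type: url_regex` is presumably what was intended. Minor: `squid_scan_av: True`, `squid_disk_cache: True`, `squid_filter_url: True` and the other booleans should be lowercase `true` so YAML 1.2 parsers read them as booleans rather than strings.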

884
roles/squid/files/URLblocked.cgi Executable file

@@ -0,0 +1,884 @@
#!/usr/bin/perl -wT
#
# URLblocked.cgi - explain to the user that the URL is blocked and by which rule set.
#
# Currently the error messages supports
# en (English),
# de (German),
# pl (Polish)
# sv (Swedisk)
# it (Italian)
# pt (Portuguese)
# fr (French)
# tr (Turkish)
# nl (Dutch).
# You can add a language yourself: search for all occurences of "NEWLANGUAGE"
# and add your language text.
use strict;
use Socket;
# This CGI script uses fastcgi and also requires Fcgid configured in Apache.
# Comment out the next line and the line with "while (new CGI::Fast)" (approximately at line 423)
# to revert this script to a regular CGI script.
### use CGI::Fast;
use constant {
CT_IMAGE => 1,
CT_JAVA => 2,
CT_HTML => 3,
CT_XML => 4,
CT_CSS => 5,
CT_TEXT => 6,
CT_JSON => 7,
CT_STREAM => 8,
CT_204 => 9
};
use vars qw( $admin $clientaddr $clientname $clientuser $clientgroup $category $targetgroup );
use vars qw( $color $size $mode $textcolor $bgcolor $titlesize $textsize $httpcode $url $origurl );
use vars qw( $ufdbhost $ufdbscripturi $ufdbredirscripturi $ufdbsni $ufdbservername $ufdbrequesturi $ufdbrefurl );
use vars qw( $escaped_ufdbrequesturi $escaped_url );
use vars qw( @day @month @languages $lang $protocol $address $port $path );
local $admin;
local $clientaddr;
local $clientname;
local $clientuser;
local $clientgroup;
local $targetgroup;
local $color;
local $size;
local $mode;
local $textcolor;
local $bgcolor;
local $titlesize;
local $textsize;
local $httpcode;
local $url;
local $origurl;
local $ufdbhost;
local $ufdbscripturi;
local $ufdbredirscripturi;
local $ufdbsni;
local $ufdbservername;
local $ufdbrequesturi;
local $ufdbrefurl;
local $lang;
local $protocol;
local $address;
local $port;
local $path;
local @day = ("Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday");
local @month = ("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");
local @languages = (
"de (German),",
"nl (Dutch),",
"pl (Polish),",
"sv (Swedish),",
"es (Spanish),",
"it (Italian),",
"pt (Portuguese),",
"fr (French),",
"tr (Turkish),",
"NEW (NEWLANGUAGE),",
"en (English),",
);
my $html_comment = "<!--
generated by URLblocked.cgi :\n
this is a very long comment to signal
to MSIE and other browsers not to display their own 'user-friendly'
error message, but to display the one that is produced by this
program.\n
The rest of this message is bogus to make it longer
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->\n";
sub init();
sub session_reinit();
sub getPreferedLanguage(@);
sub parseURL($);
sub parseQuery($);
sub session_reinit ()
{
$admin = 'unknown';
$clientaddr = 'unknown';
$clientname = 'unknown';
$clientuser = 'unknown';
$clientgroup = 'unknown';
$targetgroup = 'unknown';
$color = 'orange';
$size = 'normal';
$mode = 'default';
$httpcode = '200';
$url = 'unknown';
$origurl = 'unknown';
$lang = 'unknown';
$ufdbrequesturi = '';
}
sub init ()
{
$lang = getPreferedLanguage( @languages );
( $httpcode, $admin, $clientaddr, $clientname, $clientuser, $clientgroup, $category, $url ) =
parseQuery( $ENV{"QUERY_STRING"} );
}
#
# Find the first supported language of the client.
#
sub getPreferedLanguage (@)
{
my @supported = @_;
my @clientLanguages = split(/\s*,\s*/,$ENV{"HTTP_ACCEPT_LANGUAGE"}) if(defined($ENV{"HTTP_ACCEPT_LANGUAGE"}));
my $lang;
my $supp;
### NO! push(@clientLanguages,$supported[0]);
for $lang (@clientLanguages)
{
$lang =~ s/\s.*//;
$lang =~ s/-.*//;
for $supp (@supported)
{
$supp =~ s/\s.*//;
return($lang) if ($lang eq $supp);
}
}
return 'en'; # default language is 'en'
}
sub parseQuery ($)
{
my $query = shift;
my $admin = 'The system administrator.';
my $clientaddr = '';
my $clientname = '';
my $clientuser = '';
my $clientgroup = '';
my $category = '';
my $httpcode = '200';
my $url = 'undefined';
my $therequest = '';
my $dummy;
$ufdbservername = '';
$ufdbhost = '';
$ufdbrequesturi = '';
if (defined($query))
{
while ($query =~ /^\&?([^\&=]+)=\"([^\"]*)\"(.*)/ ||
$query =~ /^\&?([^\&=]+)=([^\&=]*)(.*)/)
{
my $key = $1;
my $value = $2;
$value = '??' unless(defined($value) && $value && $value ne '??');
$query = $3;
if ($key =~ /^(admin|clientaddr|clientname|clientuser|clientident|clientgroup|category|targetgroup|color|size|source|srcclass|targetclass|mode|httpcode|ufdbhost|ufdbscripturi|ufdbredirscripturi|ufdbsni|ufdbservername|ufdbrequesturi|ufdbrefurl|url)$/)
{
$escaped_ufdbrequesturi = $value if ($key eq 'ufdbrequesturi');
$escaped_url = $value if ($key eq 'url');
$value =~ s/%20/ /g;
$value =~ s/%22/"/g;
$value =~ s/%23/#/g;
$value =~ s/%24/\$/g;
$value =~ s/%26/\&/g;
$value =~ s/%27/\?/g;
$value =~ s/%2B/\+/ig;
$value =~ s/%2C/,/ig;
$value =~ s/%2F/\//ig;
$value =~ s/%3A/:/ig;
$value =~ s/%3B/;/ig;
$value =~ s/%3C/</ig;
$value =~ s/%3D/=/ig;
$value =~ s/%3E/>/ig;
$value =~ s/%3F/?/ig;
$value =~ s/%40/\@/ig;
$value =~ s/%5C/\\/ig;
$value =~ s/%25/%/g; # must be last
$key = 'clientgroup' if ($key eq 'source' || $key eq 'srcclass');
$key = 'clientuser' if ($key eq 'clientident');
$key = 'category' if ($key eq 'targetgroup' || $key eq 'targetclass');
eval "\$$key = \$value";
}
if ($query =~ /^url=(.*)/)
{
$url = $1;
last;
}
}
}
$dummy = $ENV{'HTTP_X_BLOCKED_URL'};
$url = $dummy if defined $dummy;
$dummy = $ENV{'HTTP_X_BLOCKED_CATEGORY'};
$targetgroup = $dummy if defined $dummy;
if ($url eq 'undefined')
{
if ($ufdbservername ne '')
{
$url = 'https://' . $ufdbservername;
}
elsif ($ufdbhost ne '')
{
$url = 'https://' . $ufdbhost;
}
if ($url ne 'undefined' && $ufdbrequesturi ne '')
{
$ufdbrequesturi =~ s/\?.*//;
$url .= $ufdbrequesturi;
}
}
$origurl = $url;
$url = substr( $url, 0, 120 ) . '...' if (length($url) > 120);
$ufdbrefurl = $ENV{'HTTP_REFERER'};
if (1)
{
my $dbgf = '/tmp/debug-cgibin-cgi'; # '/local/websites/logs/cgidebug';
open DEBUG, ">> $dbgf";
print DEBUG "\n\nurl = $url\n";
print DEBUG "lang = $lang\n";
foreach my $key ('HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT', 'REMOTE_ADDR', 'REQUEST_METHOD',
'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_CONTENT_TYPE', 'QUERY_STRING') {
my $value = $ENV{$key};
$value = 'undefined' if !defined($value);
print DEBUG "$key = $value\n";
}
if (0)
{
print DEBUG ":\n";
foreach my $key (sort(keys(%ENV))) {
print DEBUG "$key = $ENV{$key}\n";
}
close DEBUG;
}
}
return ( $httpcode, $admin, $clientaddr, $clientname, $clientuser, $clientgroup, $category, $url );
}
sub parseURL ($)
{
my $url = shift;
my $protocol = "";
my $address = "";
my $port = "";
my $path = "";
$url =~ /^([^\/:]+):\/\/([^\/:]+)(:\d*)?(.*)/;
$protocol = $1 if(defined($1));
$address = $2 if(defined($2));
$port = $3 if(defined($3));
$path = $4 if(defined($4));
return ( $protocol, $address, $port, $path );
}
sub getContentType( $ )
{
my $url = shift;
my $suffix;
my $path;
$url =~ s/[;\?\&].*//;
$url =~ s/^(ftp|http|https):\/\///;
$path = $url;
$path =~ s/^[^\/]*//;
$suffix = $path;
$suffix =~ s/.*\././;
return CT_IMAGE if ($suffix =~ /\.(bmp|gif|ico|jpg|jpeg|jpe|png|webp|tiff)$/i);
return CT_CSS if ($suffix =~ /\.css$/i);
return CT_JSON if ($suffix =~ /\.json$/i);
return CT_JAVA if ($suffix =~ /\.(js|jar)$/i);
return CT_TEXT if ($suffix =~ /\.(csv|txt)$/i);
return CT_HTML if ($suffix =~ /\.(htm|html|dhtml|shtml)$/i);
return CT_XML if ($suffix =~ /\.(xml|sxml|rss)$/i);
return CT_STREAM if ($suffix =~ /\.(bin|bz2|cab|class|dat|doc|gz|h264|mp3|mpg|mpeg|msi|mst|ppt|pdf|rar|tar|ttf|xls|zip|ogv|divx|xvid|qt|ra|ram|rv|wmv|avi|mov|swf|mp4|mv4|flv)$/i);
# no suffix found, now we start with the guesswork
return CT_HTML if ($path eq '/' || $path eq '');
return CT_IMAGE if ($url =~ /^googleadservices\.com\/pagead\/conversion\// );
return CT_TEXT if ($url =~ /^googleads\.g\.doubleclick\.net\/pagead\/ads\// );
return CT_JAVA if ($url =~ /^pubads\.g\.doubleclick\.net\/pagead\/ads\// );
return CT_JAVA if ($url eq 'a.analytics.yahoo.com/fpc.pl' );
return CT_IMAGE if ($url eq 'a.analytics.yahoo.com/p.pl' );
return CT_IMAGE if ($url eq 'ping.chartbeat.net/ping' );
if ($url =~ '^www\.youtube\.com')
{
return CT_STREAM if ($path =~ /^\/cp\// || $path =~ /^\/p\// ||
$path =~ /^\/v\// || $path =~ /^\/videoplayback/ );
}
return CT_204 if ($url =~ /^s\.youtube\.com\/api\/stats\//);
return CT_IMAGE if ($url =~ /^b\.scorecardresearch\.com\// );
return CT_JAVA if ($url =~ /\.doubleclick\.net\/adj\// ||
$url =~ /\.doubleclick\.net\/pfadj\// );
return CT_IMAGE if ($url =~ /\.doubleclick\.net\/imp/ );
return CT_IMAGE if ($url =~ /\.tradedoubler\.com\/imp/ );
if ($url =~ /^view\.atdmt\.com\//)
{
return CT_IMAGE if ($path =~ /^\/action\// );
return CT_JAVA if ($path =~ /^\/jview\// );
}
return CT_JAVA if ($url eq 'static.ak.connect.facebook.com/connect.php' );
return CT_IMAGE if ($url eq 'secure-us.imrworldwide.com/cgi-bin/m' );
return CT_IMAGE if ($url =~ /ftjcfx\.com\/image-/ );
return CT_IMAGE if ($url =~ /lduhtrp\.net\/image-/ );
return CT_IMAGE if ($url =~ /img\.pheedo\.com\/img\.phdo/ );
if ($path =~ /\/realmedia\/ads\//i )
{
return CT_JAVA if ($path =~ /\/adstream_jx/ || $path =~ /\/adstream_mjx/ );
return CT_IMAGE if ($path =~ /\/adstream_lx/ || $path =~ /\/adstream_nx/ );
return CT_IMAGE if ($path =~ /\/ads\/cap\.cgi/ );
}
return CT_JAVA if ($url =~ /overture\.com\/ls_js_/ );
return CT_IMAGE if ($path =~ /\/scripts\/beacon\.dll/ || $path =~ /\/scripts\/beacon2\.dll/ );
return CT_IMAGE if ($url eq 'rtd.tubemogul.com/upi/');
return CT_JAVA if ($path =~ /\/javascript\// || $path =~ /\/ajaxpro\// );
return CT_JAVA if ($path =~ /\/js\.php$/ || $path =~ /\/javascript\.php$/ );
return CT_CSS if ($path =~ /\/css\.php$/ );
return CT_IMAGE if ($path =~ /\/image\.php$/ || $path =~ /\/image\.php\// );
return CT_JAVA if ($path =~ /\/js\.ng\// || $path =~ /\/js\// );
return CT_JAVA if ($path =~ /\/scripts\// || $path =~ /\/script\// );
return CT_XML if ($url =~ /^xml\./ );
if ($path =~ /\/b\/ss\// )
{
return CT_IMAGE if ($path =~ /\/FAS/i || $path =~ /\/H\./i || $path =~ /\/G\./i );
}
return CT_JAVA if ($url =~ /\.channel\.facebook\.com\/x\// );
return CT_TEXT if ($url =~ /\.channel\.facebook\.com\/p/ );
return CT_IMAGE if ($url eq 'www.facebook.com/fr/u.php' );
return CT_IMAGE if ($url eq 'pixel.mathtag.com/event/img' );
return CT_JAVA if ($url eq 'pixel.mathtag.com/event/js' );
return CT_IMAGE if ($url eq 'x.bidswitch.net/ul_cb/sync' );
return CT_XML if ($path =~ /\/xml-rpc/ );
return CT_STREAM if ($path eq 'open/1');
return CT_IMAGE if ($url =~ /^pixel\./ || $path =~ /\/pixel$/ );
return CT_TEXT if ($url =~ /heatmap/ );
return CT_204 if ($url eq 'analytics.livestream.com/track');
return CT_HTML;
}
# comment out the next line if fastcgi is not configured
### while (new CGI::Fast)
{
my $time = time;
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst);
my $root;
my $buffer;
session_reinit();
init();
# the default is english
my $forbidden = 'no access';
my $title = $forbidden;
my $explanation_prefix = 'URL blocked because it is';
my $explanation_suffix = '';
my $go_back = 'back';
my $more_info = 'More information about ufdbGuard is <a href="https://www.urlfilterdb.com">here</a>.';
my $contentType = getContentType( $origurl );
$contentType = CT_204 if ($httpcode eq '204');
if ($contentType == CT_IMAGE)
{
print "Content-Type: image/png\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
my $imgfile;
if ($category eq 'ads')
{
$imgfile = "transparent.png";
$imgfile = "no-ads.png" if ($mode eq 'noads');
$imgfile = "smallcross.png" if ($mode eq 'cross');
$imgfile = "square.png" if ($mode eq 'square');
}
else
{
if ($mode eq 'cross') {
$imgfile = "smallcross.png" if ($mode eq 'cross');
}
elsif ($mode eq 'square') {
$imgfile = "square.png" if ($mode eq 'square');
}
elsif ($mode eq 'simple-red' || $mode eq 'transparent' || $mode eq 'transparant') {
$imgfile = "transparent.png";
}
else {
$imgfile = "forbidden-normal-" . $lang . ".png";
}
}
$root = $ENV{'DOCUMENT_ROOT'};
open( BLOCKEDPNG, "$root/images/$imgfile" ) || print "failed to open $root/images/$imgfile\n";
print $buffer while (read (BLOCKEDPNG,$buffer,8192));
close( BLOCKEDPNG );
}
elsif ($contentType == CT_204)
{
print "Status: 204 No Content\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
print "Content-Type: text/plain\n";
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
printf "X-blocked-category: %s\n", $category;
printf "X-blocked-URL: %s\n", $url;
print "\n";
}
elsif ($contentType == CT_STREAM)
{
if (1)
{
print "Status: 204 no content\n";
print "Content-Type: text/plain\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
printf "X-blocked-category: %s\n", $category;
printf "X-blocked-URL: %s\n", $url;
}
else
{
print "Content-Type: application/octet-stream\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
}
print "\n";
}
elsif ($contentType == CT_JAVA)
{
print "Content-Type: application/x-javascript\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
print "\n";
}
elsif ($contentType == CT_JSON)
{
print "Content-Type: application/json\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
print "\n";
}
elsif ($contentType == CT_CSS)
{
print "Content-Type: text/css\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
print "\n";
}
elsif ($contentType == CT_TEXT)
{
print "Content-Type: text/plain\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
print "\n";
}
elsif ($contentType == CT_XML)
{
print "Content-Type: text/xml\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "\n";
print "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n";
print "<cross-domain-policy>\n";
print " <allow-access-from domain=\"*\" />\n";
print "</cross-domain-policy>\n";
}
else # CT_HTML
{
if ($category eq 'fatal-error')
{
print "Content-Type: text/html\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "Content-Language: $lang\n";
print "\n";
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>The URL filter has a fatal error</title>\n";
print " <meta name=\"description\" content=\"All URLs are blocked because the URL filter has a fatal error\" />\n";
print "</head>\n";
print "<body bgcolor=\"#e0e0e0\">\n";
print "<center>\n";
print "<font color=red><b>\n" .
"Access to the internet is blocked because<br>\n" .
"the URL filter has a fatal error. <br>\n" .
"Ask your helpdesk or web proxy administrator for assistance." .
"</b></font>\n";
print "</center>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
elsif ($category eq 'loading-database')
{
print "Content-Type: text/html\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "Content-Language: $lang\n";
print "\n";
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>a new URL database is being loaded</title>\n";
print " <meta name=\"description\" content=\"All URLs are blocked because the URL filter is loading a fresh database\" />\n";
print "</head>\n";
print "<body bgcolor=\"#e0e0e0\">\n";
print "<center>\n";
print "<font color=red><b>\n" .
"Access to the internet is temporarily blocked because<br>\n" .
"a new URL database is being loaded by the URL filter. <br>\n" .
"Wait one minute and try again." .
"</b></font>\n";
print "</center>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
else
{
if ($lang eq 'de') {
$forbidden = 'Verboten';
$title = "zugriff verweigert ($category)";
$explanation_prefix = 'Zugriff verweigert weil die URL die Klassifizierung';
$explanation_suffix = 'hat.';
$more_info = 'Mehr Informationen &uuml;ber ufdbGuard ist <a href="https://www.urlfilterdb.com/blocking/">hier</a>.';
$go_back = 'Klicken Sie hier um zur&uuml;ck zu gehen.';
}
elsif ($lang eq 'pl') {
$forbidden = 'Pobranie tej strony jest zabronione!';
$title = "Cenzura, zakaz pobrania ($category)";
$explanation_prefix = 'Nie otworzysz tej strony bo jest ona sklasyfikowana jako';
$explanation_suffix = 'przez program kontroli ufdbGuard';
$more_info = 'Informacja (po angielsku) o tym programie kontroli jest na <a href="https://www.urlfilterdb.com/blocking/">stronie</a>.';
$go_back = 'Wycofaj do poprzedniej strony';
}
elsif ($lang eq 'sv') {
$forbidden = 'Sidan stoppad enligt landstingets riktlinjer';
$title = "F&ouml;rbjuden ($category)";
$explanation_prefix = 'Access till denna sida &auml;r stoppad:';
$explanation_suffix = '';
$more_info = 'Mer information om ufdbGuard &auml;r <a href="https://www.urlfilterdb.com/blocking/">h&auml;r</a>.';
$go_back = 'Klicka h&auml;r f&ouml;r att komma tillbaks';
}
elsif ($lang eq 'nl') {
$forbidden = 'Geen Toegang';
$title = "geen toegang ($category)";
$explanation_prefix = 'De toegang is geblokkeerd omdat de URL in de categorie';
$explanation_suffix = 'valt.';
$more_info = 'Meer informatie over ufdbGuard is <a href="https://www.urlfilterdb.com/blocking/">hier</a>.';
$go_back = 'Klik hier om terug te gaan';
}
elsif ($lang eq 'es') {
$forbidden = 'Ning&uacute;n acceso';
$title = "ning&uacute;n acceso ($category)";
$explanation_prefix = 'Se bloquea el acceso puesto que el URL se considera ser';
$explanation_suffix = '';
$more_info = 'M&aacute;s informaci&oacute;n sobre ufdbGuard est&aacute; <a href="https://www.urlfilterdb.com/blocking/">aqu&iacute;</a>.';
$go_back = 'ir detr&aacute;s';
}
elsif ($lang eq 'it') {
$forbidden = 'Accesso negato';
$title = "accesso negato ($category)";
$explanation_prefix = "L'accesso &egrave; negato poich&eacute; l'URL appartiene a none";
$explanation_suffix = '';
$more_info = 'Maggiori informazioni su ufdbGuard sono disponibili <a href="https://www.urlfilterdb.com/blocking">qui</a>.';
$go_back = 'tornare indietro';
}
elsif ($lang eq 'pt') {
$forbidden = 'Proibido';
$title = "Proibido ($category)";
$explanation_prefix = "O acesso a este site foi bloqueado porque o conte&uacute;do est&aacute;";
$explanation_suffix = '';
$more_info = 'Mais informa&ccedil;&atilde;o sobre ufdbGuard est&aacute; <a href="https://www.urlfilterdb.com/blocking">aqui</a>.';
$go_back = 'volte';
}
elsif ($lang eq 'fr') {
$forbidden = 'Interdit';
$title = "Accès Interdit ($category)";
$explanation_prefix = "L'accès est inderdit parce que le site est dans la catégorie ";
$explanation_suffix = '';
$more_info = "Pour plus d'information sur ufdbGuard cliquez <a href=\"https://www.urlfilterdb.com/blocking\">ici</a>.";
$go_back = 'retour';
}
elsif ($lang eq 'tr') {
$forbidden = 'Eri&#351;im engellendi';
$title = "Eri&#351;im engellendi ($category)";
$explanation_prefix = "Ula&#351;mak istedi&#287;iniz sayfaya eri&#351;im kapal&#305;d&#305;r. S&#305;n&#305;f&#305;:";
$explanation_suffix = '';
$more_info = "ufdbGuard hakk&#305;nda bilgi i&ccedil;in <a href=\"https://www.urlfilterdb.com/blocking\">t&#305;klay&#305;n&#305;z</a>.";
$go_back = '&Ouml;nceki sayfa';
}
elsif ($lang eq 'NEWLANGUAGE') {
$forbidden = 'Forbidden';
$title = "Forbidden ($category)";
$explanation_prefix = 'Access is blocked since the URL is considered to be';
$explanation_suffix = '';
$more_info = 'More information about ufdbGuard is <a href="https://www.urlfilterdb.com/blocking">here</a>.';
$go_back = 'Click here to go back';
}
else { # default (matches 'en')
$forbidden = 'Forbidden';
$title = "Forbidden ($category)";
$explanation_prefix = 'Access is blocked since the URL is considered to be';
$explanation_suffix = '';
$more_info = 'More information about ufdbGuard is <a href="https://www.urlfilterdb.com/blocking">here</a>.';
$go_back = 'Click here to go back';
$lang = 'en';
}
if ($color eq 'orange')
{
$textcolor = 'white';
$bgcolor = '#ee8811';
}
elsif ($color eq 'white')
{
$textcolor = '#3f003f';
$bgcolor = 'white';
}
elsif ($color eq 'black')
{
$textcolor = '#f0f0f0';
$bgcolor = 'black';
}
elsif ($color eq 'red')
{
$textcolor = '#f0f0f0';
$bgcolor = 'red';
}
elsif ($color eq 'grey' || $color eq 'gray')
{
$textcolor = '#111111';
$bgcolor = '#c2c2c2';
}
else # default color: orange
{
$textcolor = 'white';
$bgcolor = '#ee8811';
}
if ($size eq 'normal')
{
$titlesize = '+2';
$textsize = '+0';
}
elsif ($size eq 'small')
{
$titlesize = '+1';
$textsize = '-1';
}
elsif ($size eq 'large')
{
$titlesize = '+3';
$textsize = '+1';
}
else # default size: normal
{
$titlesize = '+2';
$textsize = '+0';
$size = 'normal';
}
$url =~ s/[?;&].*//;
print "Content-Type: text/html\n";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime( $time + 180 );
printf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT\n",
$day[$wday], $mday, $month[$mon], $year+1900, $hour, $min, $sec;
print "Content-Language: $lang\n";
print "\n";
if ($url eq 'https://blockedhttps.urlfilterdb.com')
{
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>$title</title>\n";
print " <meta name=\"description\" content=\"$title\" />\n";
print "</head>\n";
print "<body bgcolor=\"ffcccc\" link=\"red\" alink=\"red\" vlink=\"red\" text=\"red\">\n";
print "<p align=center>\n";
print "https://blockedhttps.urlfilterdb.com is used by ufdbGuard<br>\n";
print "to display messages about blocked URLs.<br>\n";
print "</p>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
elsif ($category eq 'ads')
{
my $text;
$text = " "; # transparent
$text = " no ads " if $mode eq 'noads';
$text = " [] " if $mode eq 'square';
$text = " x " if $mode eq 'cross';
$text = "<font color=red><i>ads</i></font>" if $mode eq 'simple-red';
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>$title</title>\n";
print " <meta name=\"description\" content=\"The ad is blocked by the URL filter.\nURL: $ufdbhost$ufdbrequesturi\" />\n";
print "</head>\n";
print "<body>\n";
print "<font size=\"$textsize\">$text</font>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
else # no ads
{
if ($mode eq 'simple-red')
{
my $whyblocked = "$explanation_prefix $category $explanation_suffix. URL = $url";
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>$title</title>\n";
print " <meta name=\"description\" content=\"The URL is blocked by the URL filter ($ufdbhost$escaped_ufdbrequesturi)\" />\n";
print "</head>\n";
print "<body bgcolor=\"ffe6e6\" link=\"blue\" alink=\"red\" vlink=\"black\" text=\"red\">\n";
print "<p align=center>\n";
print "<a title=\"$whyblocked\">$forbidden<br><i>$category</i></a>\n";
print "<a href=\"/cgi-bin/show_url_details.cgi?mode=$mode&url=$ufdbhost$escaped_ufdbrequesturi\">why is this URL blocked?</a>\n";
print "</p>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
elsif ($category eq 'social-bdg' || $category eq 'socbadges' || $category eq 'social-badges' || $category eq 'social_badges')
{
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>block social networking badge</title>\n";
print " <meta name=\"description\" content=\"social networking badge is blocked by the URL filter\" />\n";
print "</head>\n";
# print "<body width=30 height=30 bgcolor=\"transparent\">\n";
print "<body bgcolor=#fafafa>\n";
print "<center>\n";
print "<font size=\"-1\" color=\"#1f1f1f\">\n" .
"<a title=\"The social networking badge is blocked.\"> B </a>\n" .
"</font>\n";
print "</center>\n";
print "$html_comment";
print "</body>\n";
print "</html>\n";
}
else
{
print "<html lang=\"$lang\">\n";
print "<head>\n";
print " <title>$title</title>\n";
print " <meta name=\"description\" content=\"The URL is blocked by the URL filter\" />\n";
print "</head>\n";
print "<body bgcolor=\"$bgcolor\" text=\"$textcolor\">\n";
print "<font size=\"$titlesize\">$forbidden</font> <br>\n";
print "<font size=\"$textsize\">\n";
print "$explanation_prefix <i>$category</i> $explanation_suffix <br>\n";
print "URL: $url <br>\n";
print "<p>\n";
print "<a href=\"javascript:history.go(-1);\">$go_back</a>. <br>\n";
print "$admin\n";
print "<p>\n";
print "$more_info\n";
print "<br>\n&nbsp;<p />\n";
print "</font>\n";
print "<font size=\"-3\">";
print "user=$clientuser &nbsp; " if (defined($clientuser) && length($clientuser)>0);
print "client=$clientaddr &nbsp; " if (defined($clientaddr) && length($clientaddr)>0);
print "group=$clientgroup &nbsp; " if (defined($clientgroup) && length($clientgroup)>0);
print "source=$clientname &nbsp; " if (defined($clientname) && length($clientname)>0);
print "</font>\n";
print "$html_comment";
print "<!-- color:$color size:$size mode:$mode lang:$lang category:$category -->\n";
print "</body>\n";
print "</html>\n";
}
}
}
}
}
exit 0;
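Review bot: Request-supplied values are %-decoded in parseQuery (the substitutions turn `%3C`, `%3E` and `%22` back into `<`, `>` and `"`) and then printed verbatim into the HTML, so `$category`, `$url`, `$admin`, `$clientuser`, `$clientaddr`, `$clientgroup`, `$clientname`, `$color`, `$size` and `$mode` are reflected unescaped into `<title>`, `<meta content>`, the page text, the trailing `<!-- color:$color … -->` comment, and `$ufdbhost$escaped_ufdbrequesturi` into an `href` — a reflected XSS for anyone who can get a user to open a crafted blocked-URL page (the script is also reachable directly under `/cgi-bin/`, bypassing ufdbGuard). Add a small HTML-escaping helper and neutralise the values once at the top of the CT_HTML branch, where they are only ever used to build markup; the `$url =~ s/[?;&].*//` strip must run before escaping because escaping introduces `&`. Unrelated but worth fixing in the same file: the debug block is hard-enabled with `if (1)` and appends every request's QUERY_STRING and REFERER to the predictable path `/tmp/debug-cgibin-cgi`, and `close DEBUG` sits inside `if (0)`, so the handle is never closed; change the guard to `if (0)` or move the `close DEBUG;` outside the inner block.
```perl
# Minimal HTML escaper for request-supplied values echoed into the page.
sub html_escape ($)
{
    my $s = shift;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}
# … unchanged: session_reinit, init, getPreferedLanguage, parseQuery, parseURL, getContentType, non-HTML branches …
    else # CT_HTML
    {
        # Everything below only builds HTML: strip the query part first (escaping adds '&'),
        # then neutralise the request-supplied values once instead of at every print site.
        $url =~ s/[?;&].*//;
        for ($category, $url, $admin, $clientuser, $clientaddr, $clientgroup,
             $clientname, $color, $size, $mode, $ufdbhost, $escaped_ufdbrequesturi) {
            $_ = html_escape($_);
        }
        # … unchanged: fatal-error / loading-database pages, language, colour and size selection, page output …
```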


@@ -0,0 +1,3 @@
.firewall-services.com
.fws.fr
iptek.biz


@@ -0,0 +1,7 @@
.letsencrypt.org
.lencr.org
apps.identrust.com
dns.api.gandi.net
api.gandi.net
monip.org


@@ -0,0 +1,11 @@
mirrors.almalinux.org
repo.almalinux.org
mirror.crexio.com
mirror.almalinux.ikoula.com
almalinux.li
almalinux.mirrors.itworxx.de
almalinux.mirror.liteserver.nl
almalinux.uib.no
almalinux.slaskdatacenter.com
almalinux.mirror.katapult.io
alma.mirror.ate.info


@@ -0,0 +1,15 @@
www.centos.org
mirror.centos.org
debuginfo.centos.org
vault.centos.org
mirrorlist.centos.org
centos.mirrors.ovh.net
distrib-coffee.ipsl.jussieu.fr
centos.crazyfrogs.org
mirror.plusserver.com
mirrors.atosworldline.com
fr2.rpmfind.net
centos.mirror.fr.planethoster.net
miroir.univ-paris13.fr
centos.mirrors.proxad.net
mirrors.standaloneinstaller.com


@@ -0,0 +1 @@
^https://repo.codeit.guru/packages/centos/
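Review bot: The dots in `^https://repo.codeit.guru/packages/centos/` are unescaped, so as a url_regex entry this also matches any host whose name differs from `repo.codeit.guru` only at those three positions, which is wider than an allow-list entry should be. Escape them: `^https://repo\.codeit\.guru/packages/centos/`. A one-line comment above it naming the consumer (squid url_regex ACL vs. ufdbGuard url list) would also make the expected syntax clear.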


@@ -0,0 +1,13 @@
httpredir.debian.org
ftp.fr.debian.org
cdn-fastly.deb.debian.org
security.debian.org
ftp.debian.org
security-cdn.debian.org
cdimage.debian.org
deb.debian.org
# Ubuntu
ppa.launchpad.net
archive.ubuntu.com
security.ubuntu.com


@@ -0,0 +1,12 @@
mirrors.fedoraproject.org
download.fedoraproject.org
dl.fedoraproject.org
download.fedora.redhat.com
src.fedoraproject.org
mir01.syntis.net
mirrors.ircam.fr
mirror.in2p3.fr
mirror.speedpartner.de
ftp.uma.es
mirror.bytemark.co.uk
mirror.imt-systems.com


@@ -0,0 +1,2 @@
repo.firewall-services.com
rpms.fws.fr


@@ -0,0 +1,2 @@
rpms.remirepo.net
cdn.remirepo.net


@@ -0,0 +1,19 @@
mirrorlist.contribs.org
mirrorlist.koozali.org
mirror.canada.pialasse.com
smeserver.bhs.mirrors.ovh.net
mirror.mab974.re
ibsgaarden.dk
smeserver.de-labrusse.fr
mirror.pialasse.com
sme-mirror.firewall-services.com
mirrors.rbx.opencare.nl
smeserver.hkisl.net
smeserver.mirror.garr.it
ftp.nluug.nl
ftp.surfnet.nl
mirror.hakkers.com
www.mirrorservice.org
distro.ibiblio.org
sme-mirror.tw.co.nz


@@ -0,0 +1,365 @@
# Dokuwiki
download.dokuwiki.org
# various
.github.com
raw.githubusercontent.com
objects.githubusercontent.com
github-releases.githubusercontent.com
packagecloud.io
.cloudfront.net
packagist.org
downloads.sourceforge.net
dl.bintray.com
publicsuffix.org
www.internic.net
tzurl.org
gitlab.com
.lapiole.org
archive.apache.org
ftp.gnu.org
# GLPI
github-production-release-asset-2e65be.s3.amazonaws.com
# phpMyAdmin
files.phpmyadmin.net
# Framasoft git server
git.framasoft.org
framagit.org
# Python
www.python.org
pypi.python.org
pypi.org
files.pythonhosted.org
# Ruby
api.rubygems.org
# Seadrive
download.seadrive.org
rpm.seadrive.org
linux-clients.seafile.com
s3.eu-central-1.amazonaws.com
# GLPI
forge.glpi-project.org
# Chrome on Linux
dl.google.com
# Hosts several things, including the Zabbix datasource for Grafana
.storage.googleapis.com
# And kubernetes packages
packages.cloud.google.com
# Grafana repo
grafanarel.s3.amazonaws.com
packages.grafana.com
grafana.com
# Lemonldap::NG repo
lemonldap-ng.org
# NodeJS
rpm.nodesource.com
deb.nodesource.com
nodejs.org
# Jenkins
updates.jenkins.io
get.jenkins.io
updates.jenkins-ci.org
mirrors.jenkins-ci.org
mirrors.tuna.tsinghua.edu.cn
ftp.yz.yamagata-u.ac.jp
mirror.esuni.jp
mirror.serverion.com
mirror.xmission.com
archives.jenkins-ci.org
ftp-chi.osuosl.org
ftp-nyc.osuosl.org
insights.cloudbees.com
mirror.gruenehoelle.nl
ftp.halifax.rwth-aachen.de
download.cypress.io
cdn.cypress.io
ftp.belnet.be
# nux dextop
li.nux.ro
mirror.li.nux.ro
# Onlyoffice
download.onlyoffice.com
# ClamAV
database.clamav.net
db.local.clamav.net
# SOGo
packages.inverse.ca
# spamassassin
spamassassin.apache.org
sa-update.spamassassin.org
sa-update.dnswl.org
sa-update.fossies.org
sa-update.secnap.net
sa-update.razx.cloud
sa-update.bitwell.fi
www.sa-update.pccc.com
sa-update.verein-clean.net
data.phishtank.com
cdn.phishtank.com
openphish.com
# Odoo
nightly.odoo.com
# Matomo
builds.matomo.org
# PostgreSQL
download.postgresql.org
ftp.postgresql.org
apt.postgresql.org
www.postgresql.org
# Java / Gradle / Maven
services.gradle.org
downloads.gradle.org
downloads.gradle-dn.com
plugins.gradle.org
plugins-artifacts.gradle.org
.maven.org
repo.maven.apache.org
www.ibibilio.net
mirrors.ibiblio.org
repo.exist.com
artifacts.alfresco.com
jcenter.bintray.com
repo.fusesource.com
repository.jboss.org
jcenter.bintray.com
repo.jenkins-ci.org
smslib.org
repox.sonarsource.com
oss.sonatype.org
repo.spring.io
maven.wso2.org
packages.confluent.io
maven.fabric.io
jitpack.io
miroir.univ-lorraine.fr
download.java.net
forumarchivebuilder.googlecode.com
maven.java.net
redshift-maven-repository.s3-website-us-east-1.amazonaws.com
# Unifi
www.ubnt.com
dl.ubnt.com
fw-update.ubnt.com
www.ui.com
# Perl
.plackperl.org
.metacpan.org
.cpan.org
.perl.org
# MariaDB
yum.mariadb.org
# OpenMediaVault
packages.openmediavault.org
openmediavault.github.io
# FusionInventory
debian.fusioninventory.org
# Proxmox
download.proxmox.com
enterprise.proxmox.com
# Bluemind
pkg.bluemind.net
download.bluemind.net
# TranquilIT
wapt.tranquil.it
samba.tranquil.it
# Gitea
dl.gitea.io
storage.gitea.io
# MongoDB
repo.mongodb.org
www.mongodb.org
# Elasticsearch
artifacts.elastic.co
# Graylog
packages.graylog2.org
graylog2-package-repository.s3.amazonaws.com
versioncheck.graylog.com
downloads.graylog.org
graylog-downloads.herokuapp.com
graylog2-releases.s3.amazonaws.com
graylog2-releases.s3.eu-west-1.amazonaws.com
# NPM / NodeJS
registry.npmjs.org
registry.npmjs.com
# Yarn
yarnpkg.com
registry.yarnpkg.com
classic.yarnpkg.com
dl.yarnpkg.com
# IOJS
iojs.org
# Asterisk / FreePBX
ast.tucny.com
.freepbx.org
katanafpbx.schmoozecom.com
sounds.sng7.com
# Elrepo
.elrepo.org
# Zimbra
repo.zimbra.com
files.zimbra.com
www.zimbra.com
# Zextras for Zimbra
openzal.org
update.zextras.com
download.zextras.com
# ZFS On Linux
download.zfsonlinux.org
# Funkwhale
dev.funkwhale.audio
coverartarchive.org
.archive.org
# Zabbix
repo.zabbix.com
git.zabbix.com
# Maxming GeoIP
updates.maxmind.com
# Docker
download.docker.com
apt.dockerproject.org
auth.docker.io
registry-1.docker.io
production.cloudflare.docker.com
docker.elastic.co
docker-auth.elastic.co
get.docker.com
# Artifactory (jfrog)
docker.bintray.io
akamai.bintray.com
service.jfrog.org
repo.jfrog.org
# Sonar
update.sonarsource.org
# RocketChat
marketplace.rocket.chat
releases.rocket.chat
# Openproject
dl.packager.io
# Alpine Linux
dl-cdn.alpinelinux.org
alpine-pkgs.sgerrand.com
# Psono
psono.jfrog.io
# RH UBI
cdn-ubi.redhat.com
# Various SF mirrors
.dl.sourceforge.net
# Rust lang
static.rust-lang.org
crates.io
static.crates.io
# Fontawesome
npm.fontawesome.com
dl.fontawesome.com
# Google fonts
fonts.googleapis.com
fonts.gstatic.com
# Jitsi
download.jitsi.org
# Needed to build Jitsi Meet
packages.matrix.org
gitlab.matrix.org
repository.apache.org
# Prosody
hg.prosody.im
# Wordpress
api.wordpress.org
downloads.wordpress.org
# Yubico
.yubico.com
# Openresty
openresty.org
# Tiny Tiny RSS
tt-rss.org
# RPM Fusion
rpmfusion.org
download1.rpmfusion.org
# Composer
getcomposer.org
# Sentry
downloads.sentry-cdn.com
# iTop cmd extension store
store.itophub.io
# Crowdsec
crowdsec-statics-assets.s3-eu-west-1.amazonaws.com
api.crowdsec.net
www.cloudflare.com
# Metabase
static.metabase.com
downloads.metabase.com
# Zimbra / Zextras
go.zextras.com
# Zulip
www.zulip.org
packages.groonga.org
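Review bot: Several entries in the `# various` group and below allow whole multi-tenant platforms rather than the specific resource the role needs — `.cloudfront.net`, `.storage.googleapis.com`, `s3.eu-central-1.amazonaws.com`, `.archive.org`, `gitlab.com` — so every tenant of those platforms inherits whatever exemption this list grants (caching, no-scan, or filter bypass, depending on the consumer). Where the consumer accepts URL-level entries, narrow these to the distribution, bucket or project actually used; where it does not, a comment such as `# whole CDN allowed: cannot be narrowed, accepted risk` records the decision for the next reviewer. `jcenter.bintray.com` appears twice in the Java/Gradle/Maven group, and `www.ibibilio.net` looks like a misspelling of the `ibiblio` mirror listed on the next line — worth confirming so the entry does not silently never match.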


@@ -0,0 +1,47 @@
# MS update &cie
windowsupdate.microsoft.com
.update.microsoft.com
.download.windowsupdate.com
redir.metaservices.microsoft.com
images.metaservices.microsoft.com
c.microsoft.com
wustat.windows.com
sls.microsoft.com
productactivation.one.microsoft.com
ntservicepack.microsoft.com
next-services.apps.microsoft.com
ctldl.windowsupdate.com
download.microsoft.com
www.msftncsi.com
www.msftconnecttest.com
ipv6.msftconnecttest.com
settings-win.data.microsoft.com
go.microsoft.com
dl.delivery.mp.microsoft.com
dmd.metaservices.microsoft.com
activation-v2.sls.microsoft.com
download.visualstudio.microsoft.com
activation.sls.microsoft.com
# comon CRL / OCSP
crl.microsoft.com
.digicert.com
.spice-space.org
ocsp.usertrust.com
crl.usertrust.com
ocsp.comodoca.com
crl.comodoca.com
.symcb.com
isrg.trustid.ocsp.identrust.com
crl.identrust.com
status.rapidssl.com
crl.certum.pl
ocsp.thawte.com
crl.thawte.com
ts-ocsp.ws.symantec.com
ts-crl.ws.symantec.com
ocsp.sectigo.com
# Common AV
.avast.com
.avcdn.net

roles/squid/files/ufdb.pp Normal file


15
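--- a/roles/squid/files/ufdb.te
+++ b/roles/squid/files/ufdb.te
@@ -0,0 +1,15 @@
+module ufdb 1.2;
+require {
+type initrc_tmp_t;
+type initrc_t;
+type tmp_t;
+type squid_t;
+class sock_file write;
+class unix_stream_socket connectto;
+}
+#============= squid_t ==============
+allow squid_t initrc_t:unix_stream_socket connectto;
+allow squid_t initrc_tmp_t:sock_file write;
+allow squid_t tmp_t:sock_file write;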
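Review bot: `allow squid_t tmp_t:sock_file write` lets squid write to every socket file carrying the generic `tmp_t` label, which is broader than the single ufdbguardd socket this module is presumably for (the other two rules point at the init-script-created socket). A comment stating the purpose would help whoever audits this later, e.g. `# squid's ufdbgclient helper connects to the ufdbguardd unix socket, which lives under /tmp and is created by the init script (initrc_t)`. If the socket path is fixed, a file-context entry giving it a dedicated type would allow all three rules to be narrowed to that type. The repository also commits a prebuilt `ufdb.pp` next to this source, but tasks/selinux.yml recompiles from the `.te`; one of the two should be dropped or the relationship documented.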


@@ -0,0 +1,23 @@
---
- name: reload squid
service: name=squid state=reloaded
- name: restart squid
service: name=squid state=restarted
- name: restart c-icap
service: name=c-icap state={{ squid_scan_av | ternary('restarted', 'stopped') }}
- name: restart squid-clamd
service: name=squid-clamd state={{ squid_scan_av | ternary('restarted', 'stopped') }}
- name: restart ufdb
service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('restarted', 'stopped') }}
- name: update ufdb
command: /usr/local/bin/ufdb_update.sh
notify: restart ufdb
- name: restart ufdb
service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('reloaded', 'stopped') }}
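Review bot: `restart ufdb` is defined twice with different actions (`state=restarted` in the first definition, `state=reloaded` in the second); handler names share one namespace, so only one of the two definitions is used and which one wins depends on the Ansible version, meaning one intent is silently lost. Rename the second to `- name: reload ufdb` and have the task that wants a reload notify that name. Note also that `/usr/local/bin/ufdb_update.sh` ends with its own `systemctl restart ufdb`, so the `update ufdb` handler's `notify: restart ufdb` restarts the daemon a second time; if the script keeps its restart, the notify is redundant.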


@@ -0,0 +1,5 @@
---
dependencies:
- role: httpd_common
- role: clamav
- role: mkdir


@@ -0,0 +1,5 @@
---
- name: Deploy filebeat configuration
template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/squid.yml
tags: proxy,log

258
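--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,258 @@
+---
+- name: Install packages
+yum:
+name:
+- squid
+- c-icap
+- squidclamav
+- ufdbGuard
+notify: restart squid
+tags: proxy
+- name: Identify intercept HTTP ports (if any)
+set_fact: squid_intercept_http_ports={{ squid_http_ports | selectattr('port','defined') | selectattr('mode','defined') | selectattr('mode','equalto','intercept') | map(attribute='port') | list }}
+tags: [firewall,proxy]
+- name: Identify intercept HTTPS ports (if any)
+set_fact: squid_intercept_https_ports={{ squid_https_ports | selectattr('port','defined') | selectattr('mode','defined') | selectattr('mode','equalto','intercept') | map(attribute='port') | list }}
+tags: [firewall,proxy]
+- name: List HTTP ports
+set_fact: squid_http_ports_list={{ squid_http_ports | selectattr('port','defined') | map(attribute='port') | list }}
+tags: [firewall,proxy]
+- name: List HTTPS ports
+set_fact: squid_https_ports_list={{ squid_https_ports | selectattr('port','defined') | map(attribute='port') | list }}
+tags: [firewall,proxy]
+- name: List TCP port to handle
+set_fact: squid_ports={{ squid_http_ports_list + squid_https_ports_list }}
+tags: [firewall,proxy]
+- name: Add a NAT rule for transparent proxying of clear HTTP
+iptables_raw:
+name: squid_intercept_http_ports
+state: "{{ (squid_intercept_http_ports | length > 0) | ternary('present','absent') }}"
+table: nat
+rules: "-A PREROUTING -p tcp -m multiport --dports {{ squid_nat_http_ports | join(',') }} ! -d {{ ansible_default_ipv4.address }} -j DNAT --to {{ ansible_default_ipv4.address }}:{{ squid_intercept_http_ports | first }}"
+when: iptables_manage | default(True)
+tags: [firewall,proxy]
+- name: Add a NAT rule for transparent proxying of HTTPS
+iptables_raw:
+name: squid_intercept_https_ports
+state: "{{ (squid_intercept_https_ports | length > 0) | ternary('present','absent') }}"
+table: nat
+rules: "-A PREROUTING -p tcp -m multiport --dports {{ squid_nat_https_ports | join(',') }} ! -d {{ ansible_default_ipv4.address }} -j DNAT --to {{ ansible_default_ipv4.address }}:{{ squid_intercept_https_ports | first }}"
+when: iptables_manage | default(True)
+tags: [firewall,proxy]
+- name: Handle squid ports
+iptables_raw:
+name: squid_ports
+state: "{{ (squid_src_ip | length > 0) | ternary('present','absent') }}"
+rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ squid_ports | join(',') }} -s {{ squid_src_ip | join(',') }} -j ACCEPT"
+when: iptables_manage | default(True)
+tags: [firewall,proxy]
+- name: Create TLS directory
+file: path=/etc/squid/tls state=directory group=squid mode=750
+tags: proxy
+- name: Check if the cert for squid exists
+stat: path=/etc/squid/tls/cert.pem
+register: squid_cert
+tags: proxy
+# Would be better to use openssl_certificate module, but requires pyOpenSSL >= 0.15 and we only have 0.13 on el7
+- name: Create self signed certificate
+shell: >
+openssl req -x509 -newkey rsa:4096 -nodes -sha256 -subj
+"/C=FR/ST=Aquitaine/L=Bordeaux/O=Firewall Services/OU=Web Security/CN={{ inventory_hostname }}"
+-keyout /etc/squid/tls/key.pem -out /etc/squid/tls/cert.pem -days 3650
+when: not squid_cert.stat.exists
+tags: proxy
+- name: Deploy squid main configuration
+template: src=squid.conf.j2 dest=/etc/squid/squid.conf owner=squid group=squid mode=640
+notify: reload squid
+tags: proxy
+- name: Create acl directory
+file: path=/etc/squid/acl state=directory
+tags: proxy
+- name: Copy static ACL files
+copy: src=acl/ dest=/etc/squid/acl/
+notify: reload squid
+tags: proxy
+- name: Deploy local white and blacklists
+template: src={{ item }}.j2 dest=/etc/squid/acl/{{ item }}
+with_items:
+- local_whitelist.urls
+- local_blacklist.urls
+- local_whitelist.domains
+- local_blacklist.domains
+notify: reload squid
+tags: proxy
+- name: Create local black and whitelist dirs
+file: path=/var/ufdbguard/blacklists/{{ item }} state=directory
+with_items:
+- local_whitelist
+- local_blacklist
+tags: proxy
+- name: Deploy local white and blacklists for ufdbGuard
+template: src={{ item.src }}.j2 dest=/var/ufdbguard/blacklists/{{ item.dest }}
+with_items:
+- src: local_whitelist.urls
+dest: local_whitelist/urls
+- src: local_blacklist.urls
+dest: local_blacklist/urls
+- src: local_whitelist.domains
+dest: local_whitelist/domains
+- src: local_blacklist.domains
+dest: local_blacklist/domains
+notify: update ufdb
+tags: proxy
+- name: Check if safebrowsing available
+stat: path=/var/lib/clamav/safebrowsing.cld
+register: squid_safebrowsing
+tags: proxy
+- name: Deploy clamd config
+template: src=clamd.conf.j2 dest=/etc/clamd.d/squid.conf
+notify: restart squid-clamd
+tags: proxy
+- name: Deploy clamd systemd unit
+template: src=squid-clamd.service.j2 dest=/etc/systemd/system/squid-clamd.service
+register: squid_clam_unit
+notify: restart squid-clamd
+tags: proxy
+- name: Deploy c-icap configuration
+template: src=c-icap.conf.j2 dest=/etc/c-icap/c-icap.conf
+notify: restart c-icap
+tags: proxy
+- name: Create systemd unit snippet dir
+file: path=/etc/systemd/system/{{ item }}.service.d state=directory
+loop:
+- c-icap
+- squid
+tags: proxy
+- name: Deploy a systemd unit snippet for c-icap
+copy:
+content: |
+[Service]
+User=c-icap
+Group=c-icap
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+dest: /etc/systemd/system/c-icap.service.d/user.conf
+register: squid_c_icap_unit
+notify: restart c-icap
+tags: proxy
+- name: Deploy a systemd unit snipet for squid
+copy:
+content: |
+[Service]
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+dest: /etc/systemd/system/squid.service.d/restart.conf
+register: squid_unit
+tags: proxy
+- name: Deploy squidclamav configuration
+template: src=squidclamav.conf.j2 dest=/etc/c-icap/squidclamav.conf mode=644
+notify: restart c-icap
+tags: proxy
+- name: Reload systemd
+command: systemctl daemon-reload
+when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
+tags: proxy
+- include: selinux.yml
+when: ansible_selinux.status == 'enabled'
+- name: Create ufdbGuard log directory
+file: path=/var/log/ufdbguard state=directory owner=ufdb group=ufdb mode=750
+tags: proxy
+- name: Remove old log dir
+file: path=/var/log/ufdbGuard state=absent
+tags: proxy
+- name: Deploy ufdb_update script
+template: src=ufdb_update.sh.j2 dest=/usr/local/bin/ufdb_update.sh mode=755
+tags: proxy
+- name: Add a cron task to update ufdbGuard databases
+cron:
+name: update_ufdbguard
+special_time: daily
+job: "/bin/sh /usr/local/bin/ufdb_update.sh > /dev/null 2>&1"
+cron_file: update_ufdbguard
+user: root
+state: "{{ squid_filter_url | ternary('present','absent') }}"
+tags: proxy
+- name: Update ufdb databases
+command: /usr/local/bin/ufdb_update.sh
+changed_when: False
+tags: proxy
+- name: Check ufdbGuard categories
+shell: find /var/ufdbguard/blacklists -maxdepth 1 -mindepth 1 -type d -exec basename "{}" \;
+register: squid_ufdb_categories
+changed_when: False
+tags: proxy
+- name: Check if the domains.ufdb file exist
+stat: path=/var/ufdbguard/blacklists/{{ item }}/domains.ufdb
+register: squid_ufdb_db
+with_items: "{{ squid_ufdb_categories.stdout_lines }}"
+tags: proxy
+- name: Deploy ufdbGuard configuration
+template: src=ufdbGuard.conf.j2 dest=/etc/ufdbguard/ufdbGuard.conf group=ufdb mode=640
+notify: restart ufdb
+tags: proxy
+- name: Deploy URLBlocked script
+copy: src=URLblocked.cgi dest=/var/www/html/default/cgi-bin/URLblocked.cgi mode=755
+tags: proxy
+- name: Start and enable squid
+service: name=squid state=started enabled=True
+tags: proxy
+- name: Start and enable c-icap
+service: name=c-icap state=started enabled=True
+tags: proxy
+- name: Handle squid-clamd daemon
+service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
+tags: proxy
+# Before 1.34.6-3 provided by EPEL, the service was handled by a init script and the service was named ufdb
+- name: Check if the systemd unit is installed
+stat: path=/lib/systemd/system/ufdbGuard.service
+register: squid_ufdb_unit
+tags: proxy
+- name: Handle ufdb daemon
+service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
+tags: proxy
+- include: filebeat.yml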
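Review bot: The `Create self signed certificate` task writes `/etc/squid/tls/key.pem` — the private key the role defaults hand to the ssl-bump `https_port` — without ever fixing its owner or mode, so the resulting permissions depend on the openssl build and the umask of the run rather than on the role (the directory is `750`, but a world-readable key inside it is still readable by any account in group `squid`). Add an explicit task right after it, e.g. `file: path=/etc/squid/tls/key.pem owner=root group=squid mode=0640`, and consider the same for `cert.pem`. Separately, both `iptables_raw` NAT tasks render `{{ squid_intercept_http_ports | first }}` (and the https equivalent) even when `state` resolves to `absent`; with no intercept port configured the list is empty and, as far as I can tell, the template errors on the empty sequence instead of removing the rule — `first | default(0)` or guarding the whole `rules` value with the same length test avoids that. `include:` (used for selinux.yml and filebeat.yml) is deprecated in favour of `import_tasks`/`include_tasks`.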


@@ -0,0 +1,20 @@
---
- name: Copy SELinux policy
copy: src=ufdb.te dest=/etc/selinux/targeted/local/
register: squid_ufdb_selinux_policy
tags: proxy
- name: Install needed packages
yum:
name: policycoreutils
tags: proxy
- name: Compile SELinux policy
shell: |
cd /etc/selinux/targeted/local/
checkmodule -M -m -o ufdb.mod ufdb.te
semodule_package -o ufdb.pp -m ufdb.mod
semodule -i /etc/selinux/targeted/local/ufdb.pp
when: squid_ufdb_selinux_policy.changed
tags: proxy
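Review bot: The compile-and-install step runs only `when: squid_ufdb_selinux_policy.changed`, so if `checkmodule` or `semodule` fails on one run the copied `ufdb.te` is already in place and the policy is never retried until the source changes again. Registering the shell result and verifying with a follow-up `semodule -l` check (or moving the install into a handler) closes that gap. On EL, `checkmodule` is provided by the `checkpolicy` package rather than `policycoreutils`, if I recall correctly, so the `Install needed packages` task should list `- checkpolicy` as well.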


@@ -0,0 +1,12 @@
ServerAdmin {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
ServerName {{ inventory_hostname }}
TmpDir /tmp
MaxMemObject 1048576
Module logger sys_logger.so
Logger sys_logger
DebugLevel 0
Port 127.0.0.1:1344
TemplateDir /usr/share/c_icap/templates/
{% if squid_scan_av %}
Service squidclamav squidclamav.so
{% endif %}


@@ -0,0 +1,8 @@
LogSyslog yes
LogVerbose yes
ExtendedDetectionInfo yes
LocalSocket /var/run/clamav/squid.sock
LocalSocketMode 666
ExitOnOOM yes
Foreground yes
DetectBrokenExecutables yes
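Review bot: `LocalSocketMode 666` makes the clamd control socket writable by every local account, and clamd accepts administrative commands such as `SHUTDOWN` on that socket, so any local user can stop the scanner the proxy's ICAP path depends on. The only client is c-icap, which the role runs as user `c-icap` (see the unit snippet in tasks/main.yml), so `LocalSocketMode 660` together with `LocalSocketGroup` set to a group that user belongs to keeps the same functionality with a narrower surface. A comment on the socket line recording who connects, `# consumed by c-icap (squidclamav) only`, would also help the next reader.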


@@ -0,0 +1,8 @@
- type: log
enabled: True
paths:
- /var/log/squid/*.log
- /var/log/ufdbGuard/*.log
exclude_files:
- '\.[gx]z$'
- '\d+$'
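Review bot: The second path, `/var/log/ufdbGuard/*.log`, points at the directory tasks/main.yml explicitly removes (`Remove old log dir`); ufdbGuard now logs to `/var/log/ufdbguard/` per both the `Create ufdbGuard log directory` task and `logdir` in ufdbGuard.conf.j2, so no filter logs are shipped at all. Change it to `- /var/log/ufdbguard/*.log`. `enabled: True` should be the canonical lowercase `true`.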


@@ -0,0 +1,5 @@
{% for item in squid_local_blacklist %}
{% if not item is search('^(ht|f)tps?://') %}
{{ item }}
{% endif %}
{% endfor %}
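Review bot: The same rendered file is installed both as a squid ACL and under `/var/ufdbguard/blacklists/local_*/` for ufdbGuard, and entries are split only on whether they start with a scheme; as far as I know ufdbGuard url lists expect `host/path` without `http://`, so the scheme-prefixed lines routed to the `urls` variant may never match on the ufdbGuard side. Either strip the scheme for that copy (`{{ item | regex_replace('^(ht|f)tps?://', '') }}`) or confirm the format and note it at the top of the template, e.g. `{# entries without a scheme go here; scheme-prefixed ones go to the .urls template #}`. The same applies to the three sibling templates (local_blacklist.urls, local_whitelist.domains, local_whitelist.urls).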


@@ -0,0 +1,5 @@
{% for item in squid_local_blacklist %}
{% if item is search('^(ht|f)tps?://') %}
{{ item }}
{% endif %}
{% endfor %}


@@ -0,0 +1,5 @@
{% for item in squid_local_whitelist %}
{% if not item is search('^(ht|f)tps?://') %}
{{ item }}
{% endif %}
{% endfor %}


@@ -0,0 +1,5 @@
{% for item in squid_local_whitelist %}
{% if item is search('^(ht|f)tps?://') %}
{{ item }}
{% endif %}
{% endfor %}


@@ -0,0 +1,15 @@
[Unit]
Description=ClamAV antivirus daemon for squid
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/squid.conf
User=clamav
Group=clamav
Restart=on-failure
PrivateTmp=true
[Install]
WantedBy=multi-user.target
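Review bot: The unit depends on `/var/run/clamav` existing for the `LocalSocket` path in the clamd config it loads, but nothing here creates that directory after a reboot; if the `clamav` dependency role or a tmpfiles.d entry provides it, a comment saying so (`# /run/clamav is created by the clamav role`) saves the next reader the check, otherwise add `RuntimeDirectory=clamav` (bearing in mind the system clamd may share the directory). `After=syslog.target` is a no-op on journal-based systems and can be dropped.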


@@ -0,0 +1,96 @@
{% for port in squid_http_ports %}
http_port {% if port.ip is defined %}{{ port.ip }}:{% endif %}{{ port.port }}{% if port.mode is defined %} {{ port.mode }}{% endif %}{% if port.options is defined %} {{ port.options | join(' ') }}{% endif %}
{% endfor %}
{% for port in squid_https_ports %}
https_port {% if port.ip is defined %}{{ port.ip }}:{% endif %}{{ port.port }}{% if port.mode is defined %} {{ port.mode }}{% endif %}{% if port.options is defined %} {{ port.options | join(' ') }}{% endif %}
{% endfor %}
logformat human %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log human
# Don't cache repo metadata
acl repomd url_regex /repomd\.xml$
cache deny repomd
{% if squid_no_cache | length > 0 %}
{% for item in squid_no_cache %}
acl no_cache url_regex {{ item }}
{% endfor %}
# Disable cache for specific URL
cache deny no_cache
{% endif %}
{% for acl in squid_acl %}
{% if acl['items'] | length < 1 %}
# Create an empty ACL
acl {{ acl.name }} {{ acl.type }}
{% else %}
{% for item in acl['items'] %}
acl {{ acl.name }} {{ acl.type }} {{ item }}
{% endfor %}
{% endif %}
{% endfor %}
{% for access in squid_http_access | sort(attribute='priority') %}
http_access {{ access.policy }} {{ access.match is string | ternary(access.match,access.match | join(' ')) }}
{% endfor %}
# Default deny all access
http_access deny all
{% for rule in squid_ssl_bump | sort(attribute='priority') %}
ssl_bump {{ rule.policy }} {{ rule.match is string | ternary(rule.match,rule.match | join(' ')) }}
{% endfor %}
cache_mgr {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
client_lifetime 60 minutes
{% if squid_disk_cache %}
cache_dir aufs /var/spool/squid {{ squid_disk_cache_size }} 16 256
{% endif %}
cache_mem {{ squid_mem_cache_size }} MB
range_offset_limit 200 MB sys_domains sys_urls
maximum_object_size {{ squid_max_object_size }} MB
quick_abort_min -1
max_filedesc 8192
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
{% if squid_scan_av %}
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access service_avi_req allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_req av_src
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_rep av_src
{% endif %}
{% if squid_filter_url %}
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
{% endif %}
# Refresh patterns
# For package repo
refresh_pattern (Release|Packages(.gz)?)$ 0 20% 1440
refresh_pattern ((sqlite.bz2)*)$ 0 20% 1440
refresh_pattern (\.deb|\.udeb)$ 10080 100% 20160
refresh_pattern (\.rpm|\.srpm)$ 10080 100% 20160
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
# Default refresh pattern
refresh_pattern . 0 20% 4320
{{ squid_custom_config }}
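Review bot: The response-side ICAP service is declared with `bypass=on` while the request side uses `bypass=off`, so when c-icap is down or overloaded downloads are served unscanned and the only trace is in cache.log; that may be a deliberate availability trade-off, but it deserves a comment on the `icap_service service_avi_resp` line, e.g. `# bypass=on: responses are served unscanned when c-icap is unavailable (fail-open) - keep c-icap monitored`. Also, `sort(attribute='priority')` on `squid_http_access` and `squid_ssl_bump` will, I believe, raise if any entry lacks a `priority` key, so the defaults file should document that key as required.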


@@ -0,0 +1,15 @@
maxsize {{ squid_av_max_size }}
clamd_local /var/run/clamav/squid.sock
dnslookup 0
safebrowsing {{ squid_safebrowsing.stat.exists | ternary('1','0') }}
abort ^.*\.(ico|gif|png|jpg)$
abortcontent ^image\/.*$
abort ^.*\.(css|xml)$
abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
abortcontent ^.*application\/x-mms-framed.*$
{% for wl in squid_local_whitelist %}
whitelist {{ wl | regex_replace('\.','\\\.') }}
{% endfor %}
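Review bot: The `whitelist` lines are built from `squid_local_whitelist` with only the dots escaped and no anchor; if squidclamav matches these as unanchored regexes against the full URL (which is how I read its whitelist handling), an entry such as `example.com` also exempts any URL that merely contains that string in its path or query, not just that host. Anchoring the pattern to the start of the URL (`^https?://([^/]+\.)?` before the escaped value for domain-style entries, a plain `^` for entries that already carry a scheme) keeps the exemption to the intended origin. A comment above the loop stating which form the entries are expected to take would make the regex construction reviewable.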


@@ -0,0 +1,92 @@
logdir "/var/log/ufdbguard/"
dbhome "/var/ufdbguard/blacklists"
logall on
squid-version "3.5"
squid-uses-active-bumping off
url-lookup-result-during-database-reload allow
url-lookup-result-when-fatal-error deny
check-proxy-tunnels {{ squid_ufdb_deny_tunnels | ternary('queue-checks','log-only') }}
safe-search off
lookup-reverse-ip on
use-ipv6-on-wan off
upload-crash-reports off
max-logfile-size 200000000
youtube-edufilter off
source localhost {
ipv4 127.0.0.1/32
}
source workstations {
{% for net in squid_workstations_ip %}
ipv4 {{ net }}
{% endfor %}
}
source servers {
{% for net in squid_servers_ip %}
ipv4 {{ net }}
{% endfor %}
}
source vip {
{% for net in squid_vip_ip %}
ipv4 {{ net }}
{% endfor %}
}
source admins {
{% for net in squid_admins_ip %}
ipv4 {{ net }}
{% endfor %}
}
source guests {
{% for net in squid_guests_ip %}
ipv4 {{ net }}
{% endfor %}
}
{% for category in squid_ufdb_db.results %}
category {{ category.item }} {
redirect "302:{{ squid_ufdb_blocked_url }}"
{% if category.stat.exists %}
domainlist {{ category.item }}/domains
{% endif %}
{% if category.item == 'security' %}
cacerts "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
# TODO: options to turn on/off
option enforce-https-with-hostname off
option enforce-https-official-certificate off
option https-prohibit-insecure-sslv2 on
option https-prohibit-insecure-sslv3 off
option allow-aim-over-https on
option allow-gtalk-over-https on
option allow-skype-over-https on
option allow-yahoomsg-over-https on
option allow-fb-chat-over-https on
option allow-citrixonline-over-https on
option allow-unknown-protocol-over-https on
{% endif %}
}
{% endfor %}
acl {
localhost {
pass any
}
admins {
pass any
}
vip {
pass local_whitelist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
}
servers {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
}
guests {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
}
workstations {
pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
}
default {
pass none
redirect "302:{{ squid_ufdb_blocked_url }}"
}
}
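Review bot: `category {{ category.item }} {` and `domainlist {{ category.item }}/domains` interpolate directory names taken verbatim from `find /var/ufdbguard/blacklists` in tasks/main.yml, and that directory is refreshed by the unauthenticated `rsync://` pull in ufdb_update.sh, so the syntax of the generated config depends on whatever names the mirror delivers. Restrict the list to plain tokens where it is collected — `with_items: "{{ squid_ufdb_categories.stdout_lines | select('match', '^[A-Za-z0-9_-]+$') | list }}"` on the `Check if the domains.ufdb file exist` task — so an unexpected name is skipped rather than written into ufdbGuard.conf. The `# TODO: options to turn on/off` block leaves `https-prohibit-insecure-sslv3 off` and `enforce-https-official-certificate off`; if that is intentional for now, a sentence saying why (which clients need it) would stop the TODO from being read as a forgotten hardening step.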


@@ -0,0 +1,20 @@
#!/bin/sh
{% if squid_ufdb_update_from_univ %}
/usr/bin/rsync -rzPq ftp.univ-tlse1.fr::blacklist/dest/ /var/ufdbguard/blacklists/
{% endif %}
find /var/ufdbguard/blacklists/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \;| while read CATEGORY; do
if [ -e /var/ufdbguard/blacklists/$CATEGORY/domains -o -e /var/ufdbguard/blacklists/$CATEGORY/urls ]; then
CMD="ufdbGenTable -W -n -t $CATEGORY"
if [ -e /var/ufdbguard/blacklists/$CATEGORY/domains ]; then
CMD=$CMD" -d /var/ufdbguard/blacklists/$CATEGORY/domains"
fi
if [ -e /var/ufdbguard/blacklists/$CATEGORY/urls ]; then
CMD=$CMD" -u /var/ufdbguard/blacklists/$CATEGORY/urls"
fi
eval $CMD 2>/dev/null
fi
done
systemctl restart ufdb
exit 0
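Review bot: `eval $CMD` re-parses a command string that embeds `$CATEGORY`, a directory name read from `/var/ufdbguard/blacklists/`, and that directory is refreshed from `ftp.univ-tlse1.fr::blacklist` over plain `rsync://`, which provides neither transport protection nor a signature, so any name the mirror (or the path to it) delivers is word-split and evaluated by root's daily cron. Building the argument list with `set --` and skipping names outside `[A-Za-z0-9_-]` removes the eval entirely, as below; `read -r` and quoted paths also stop backslashes and spaces from being mangled. `systemctl restart ufdb` at the end ignores both the `ufdbGuard`/`ufdb` unit-name detection and the `squid_filter_url` toggle that tasks/main.yml computes, and since `Update ufdb databases` runs this script on every play, the filter is restarted on every run even when disabled; templating the unit name in, e.g. `systemctl restart {{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }}`, keeps them consistent, though the `stat` that sets it currently runs after the script is deployed and would need to move up.
```shell
find /var/ufdbguard/blacklists/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \; | while read -r CATEGORY; do
  case "$CATEGORY" in
    *[!A-Za-z0-9_-]*) continue ;;   # not a plain category token: skip rather than pass it to the shell
  esac
  DIR="/var/ufdbguard/blacklists/$CATEGORY"
  if [ -e "$DIR/domains" ] || [ -e "$DIR/urls" ]; then
    set -- ufdbGenTable -W -n -t "$CATEGORY"
    [ -e "$DIR/domains" ] && set -- "$@" -d "$DIR/domains"
    [ -e "$DIR/urls" ] && set -- "$@" -u "$DIR/urls"
    "$@" 2>/dev/null
  fi
done
# … unchanged: service restart and exit …
```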