Update to 2021-12-01 19:13

2025-10-31 10:51:27 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/squid/tasks/filebeat.yml
+++ b/roles/squid/tasks/filebeat.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/squid.yml
+  tags: proxy,log
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,258 @@
+---
+
+- name: Install packages
+  yum:
+    name:
+      - squid
+      - c-icap
+      - squidclamav
+      - ufdbGuard
+  notify: restart squid
+  tags: proxy
+
+- name: Identify intercept HTTP ports (if any)
+  set_fact: squid_intercept_http_ports={{ squid_http_ports | selectattr('port','defined') | selectattr('mode','defined') | selectattr('mode','equalto','intercept') | map(attribute='port') | list }}
+  tags: [firewall,proxy]
+
+- name: Identify intercept HTTPS ports (if any)
+  set_fact: squid_intercept_https_ports={{ squid_https_ports | selectattr('port','defined') | selectattr('mode','defined') | selectattr('mode','equalto','intercept') | map(attribute='port') | list }}
+  tags: [firewall,proxy]
+
+- name: List HTTP ports
+  set_fact: squid_http_ports_list={{ squid_http_ports | selectattr('port','defined') | map(attribute='port') | list }}
+  tags: [firewall,proxy]
+
+- name: List HTTPS ports
+  set_fact: squid_https_ports_list={{ squid_https_ports | selectattr('port','defined') | map(attribute='port') | list }}
+  tags: [firewall,proxy]
+
+- name: List TCP port to handle
+  set_fact: squid_ports={{ squid_http_ports_list + squid_https_ports_list }}
+  tags: [firewall,proxy]
+
+- name: Add a NAT rule for transparent proxying of clear HTTP
+  iptables_raw:
+    name: squid_intercept_http_ports
+    state: "{{ (squid_intercept_http_ports | length > 0) | ternary('present','absent') }}"
+    table: nat
+    rules: "-A PREROUTING -p tcp -m multiport --dports {{ squid_nat_http_ports | join(',') }} ! -d {{ ansible_default_ipv4.address }} -j DNAT --to {{ ansible_default_ipv4.address }}:{{ squid_intercept_http_ports | first }}"
+  when: iptables_manage | default(True)
+  tags: [firewall,proxy]
+
+- name: Add a NAT rule for transparent proxying of HTTPS
+  iptables_raw:
+    name: squid_intercept_https_ports
+    state: "{{ (squid_intercept_https_ports | length > 0) | ternary('present','absent') }}"
+    table: nat
+    rules: "-A PREROUTING -p tcp -m multiport --dports {{ squid_nat_https_ports | join(',') }} ! -d {{ ansible_default_ipv4.address }} -j DNAT --to {{ ansible_default_ipv4.address }}:{{ squid_intercept_https_ports | first }}"
+  when: iptables_manage | default(True)
+  tags: [firewall,proxy]
+
+- name: Handle squid ports
+  iptables_raw:
+    name: squid_ports
+    state: "{{ (squid_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ squid_ports | join(',') }} -s {{ squid_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [firewall,proxy]
+
+- name: Create TLS directory
+  file: path=/etc/squid/tls state=directory group=squid mode=750
+  tags: proxy
+
+- name: Check if the cert for squid exists
+  stat: path=/etc/squid/tls/cert.pem
+  register: squid_cert
+  tags: proxy
+
+  # Would be better to use openssl_certificate module, but requires pyOpenSSL >= 0.15 and we only have 0.13 on el7
+- name: Create self signed certificate
+  shell: >
+    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -subj
+    "/C=FR/ST=Aquitaine/L=Bordeaux/O=Firewall Services/OU=Web Security/CN={{ inventory_hostname }}"
+    -keyout /etc/squid/tls/key.pem -out /etc/squid/tls/cert.pem -days 3650
+  when: not squid_cert.stat.exists
+  tags: proxy
+
+- name: Deploy squid main configuration
+  template: src=squid.conf.j2 dest=/etc/squid/squid.conf owner=squid group=squid mode=640
+  notify: reload squid
+  tags: proxy
+
+- name: Create acl directory
+  file: path=/etc/squid/acl state=directory
+  tags: proxy
+
+- name: Copy static ACL files
+  copy: src=acl/ dest=/etc/squid/acl/
+  notify: reload squid
+  tags: proxy
+
+- name: Deploy local white and blacklists
+  template: src={{ item }}.j2 dest=/etc/squid/acl/{{ item }}
+  with_items:
+    - local_whitelist.urls
+    - local_blacklist.urls
+    - local_whitelist.domains
+    - local_blacklist.domains
+  notify: reload squid
+  tags: proxy
+
+- name: Create local black and whitelist dirs
+  file: path=/var/ufdbguard/blacklists/{{ item }} state=directory
+  with_items:
+    - local_whitelist
+    - local_blacklist
+  tags: proxy
+
+- name: Deploy local white and blacklists for ufdbGuard
+  template: src={{ item.src }}.j2 dest=/var/ufdbguard/blacklists/{{ item.dest }}
+  with_items:
+    - src: local_whitelist.urls
+      dest: local_whitelist/urls
+    - src: local_blacklist.urls
+      dest: local_blacklist/urls
+    - src: local_whitelist.domains
+      dest: local_whitelist/domains
+    - src: local_blacklist.domains
+      dest: local_blacklist/domains
+  notify: update ufdb
+  tags: proxy
+
+- name: Check if safebrowsing available
+  stat: path=/var/lib/clamav/safebrowsing.cld
+  register: squid_safebrowsing
+  tags: proxy
+
+- name: Deploy clamd config
+  template: src=clamd.conf.j2 dest=/etc/clamd.d/squid.conf
+  notify: restart squid-clamd
+  tags: proxy
+
+- name: Deploy clamd systemd unit
+  template: src=squid-clamd.service.j2 dest=/etc/systemd/system/squid-clamd.service
+  register: squid_clam_unit
+  notify: restart squid-clamd
+  tags: proxy
+
+- name: Deploy c-icap configuration
+  template: src=c-icap.conf.j2 dest=/etc/c-icap/c-icap.conf
+  notify: restart c-icap
+  tags: proxy
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/{{ item }}.service.d state=directory
+  loop:
+    - c-icap
+    - squid
+  tags: proxy
+
+- name: Deploy a systemd unit snippet for c-icap
+  copy:
+    content: |
+      [Service]
+      User=c-icap
+      Group=c-icap
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=1
+    dest: /etc/systemd/system/c-icap.service.d/user.conf
+  register: squid_c_icap_unit
+  notify: restart c-icap
+  tags: proxy
+
+- name: Deploy a systemd unit snipet for squid
+  copy:
+    content: |
+      [Service]
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=1
+    dest: /etc/systemd/system/squid.service.d/restart.conf
+  register: squid_unit
+  tags: proxy
+
+- name: Deploy squidclamav configuration
+  template: src=squidclamav.conf.j2 dest=/etc/c-icap/squidclamav.conf mode=644
+  notify: restart c-icap
+  tags: proxy
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
+  tags: proxy
+
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+
+- name: Create ufdbGuard log directory
+  file: path=/var/log/ufdbguard state=directory owner=ufdb group=ufdb mode=750
+  tags: proxy
+
+- name: Remove old log dir
+  file: path=/var/log/ufdbGuard state=absent
+  tags: proxy
+
+- name: Deploy ufdb_update script
+  template: src=ufdb_update.sh.j2 dest=/usr/local/bin/ufdb_update.sh mode=755
+  tags: proxy
+
+- name: Add a cron task to update ufdbGuard databases
+  cron:
+    name: update_ufdbguard
+    special_time: daily
+    job: "/bin/sh /usr/local/bin/ufdb_update.sh > /dev/null 2>&1"
+    cron_file: update_ufdbguard
+    user: root
+    state: "{{ squid_filter_url | ternary('present','absent') }}"
+  tags: proxy
+
+- name: Update ufdb databases
+  command: /usr/local/bin/ufdb_update.sh
+  changed_when: False
+  tags: proxy
+
+- name: Check ufdbGuard categories
+  shell: find /var/ufdbguard/blacklists -maxdepth 1 -mindepth 1 -type d -exec basename "{}" \;
+  register: squid_ufdb_categories
+  changed_when: False
+  tags: proxy
+
+- name: Check if the domains.ufdb file exist
+  stat: path=/var/ufdbguard/blacklists/{{ item }}/domains.ufdb
+  register: squid_ufdb_db
+  with_items: "{{ squid_ufdb_categories.stdout_lines }}"
+  tags: proxy
+
+- name: Deploy ufdbGuard configuration
+  template: src=ufdbGuard.conf.j2 dest=/etc/ufdbguard/ufdbGuard.conf group=ufdb mode=640
+  notify: restart ufdb
+  tags: proxy
+
+- name: Deploy URLBlocked script
+  copy: src=URLblocked.cgi dest=/var/www/html/default/cgi-bin/URLblocked.cgi mode=755
+  tags: proxy
+
+- name: Start and enable squid
+  service: name=squid state=started enabled=True
+  tags: proxy
+
+- name: Start and enable c-icap
+  service: name=c-icap state=started enabled=True
+  tags: proxy
+
+- name: Handle squid-clamd daemon
+  service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
+  tags: proxy
+
+  # Before 1.34.6-3 provided by EPEL, the service was handled by a init script and the service was named ufdb
+- name: Check if the systemd unit is installed
+  stat: path=/lib/systemd/system/ufdbGuard.service
+  register: squid_ufdb_unit
+  tags: proxy
+
+- name: Handle ufdb daemon
+  service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
+  tags: proxy
+
+- include: filebeat.yml
--- a/roles/squid/tasks/selinux.yml
+++ b/roles/squid/tasks/selinux.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Copy SELinux policy
+  copy: src=ufdb.te dest=/etc/selinux/targeted/local/
+  register: squid_ufdb_selinux_policy
+  tags: proxy
+
+- name: Install needed packages
+  yum:
+    name: policycoreutils
+  tags: proxy
+
+- name: Compile SELinux policy
+  shell: |
+    cd /etc/selinux/targeted/local/
+    checkmodule -M -m -o ufdb.mod ufdb.te
+    semodule_package -o ufdb.pp -m ufdb.mod
+    semodule -i /etc/selinux/targeted/local/ufdb.pp
+  when: squid_ufdb_selinux_policy.changed
+  tags: proxy