Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/squid/templates/c-icap.conf.j2
+++ b/roles/squid/templates/c-icap.conf.j2
@@ -0,0 +1,12 @@
+ServerAdmin {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
+ServerName {{ inventory_hostname }}
+TmpDir /tmp
+MaxMemObject 1048576
+Module logger sys_logger.so
+Logger sys_logger
+DebugLevel 0
+Port 127.0.0.1:1344
+TemplateDir /usr/share/c_icap/templates/
+{% if squid_scan_av %}
+Service squidclamav squidclamav.so
+{% endif %}
--- a/roles/squid/templates/clamd.conf.j2
+++ b/roles/squid/templates/clamd.conf.j2
@@ -0,0 +1,8 @@
+LogSyslog yes
+LogVerbose yes
+ExtendedDetectionInfo yes
+LocalSocket /var/run/clamav/squid.sock
+LocalSocketMode 666
+ExitOnOOM yes
+Foreground yes
+DetectBrokenExecutables yes
--- a/roles/squid/templates/filebeat.yml.j2
+++ b/roles/squid/templates/filebeat.yml.j2
@@ -0,0 +1,8 @@
+- type: log
+  enabled: True
+  paths:
+    - /var/log/squid/*.log
+    - /var/log/ufdbGuard/*.log
+  exclude_files:
+    - '\.[gx]z$'
+    - '\d+$'
--- a/roles/squid/templates/local_blacklist.domains.j2
+++ b/roles/squid/templates/local_blacklist.domains.j2
@@ -0,0 +1,5 @@
+{% for item in squid_local_blacklist %}
+{% if not item is search('^(ht|f)tps?://') %}
+{{ item }}
+{% endif %}
+{% endfor %}
--- a/roles/squid/templates/local_blacklist.urls.j2
+++ b/roles/squid/templates/local_blacklist.urls.j2
@@ -0,0 +1,5 @@
+{% for item in squid_local_blacklist %}
+{% if item is search('^(ht|f)tps?://') %}
+{{ item }}
+{% endif %}
+{% endfor %}
--- a/roles/squid/templates/local_whitelist.domains.j2
+++ b/roles/squid/templates/local_whitelist.domains.j2
@@ -0,0 +1,5 @@
+{% for item in squid_local_whitelist %}
+{% if not item is search('^(ht|f)tps?://') %}
+{{ item }}
+{% endif %}
+{% endfor %}
--- a/roles/squid/templates/local_whitelist.urls.j2
+++ b/roles/squid/templates/local_whitelist.urls.j2
@@ -0,0 +1,5 @@
+{% for item in squid_local_whitelist %}
+{% if item is search('^(ht|f)tps?://') %}
+{{ item }}
+{% endif %}
+{% endfor %}
--- a/roles/squid/templates/squid-clamd.service.j2
+++ b/roles/squid/templates/squid-clamd.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=ClamAV antivirus daemon for squid
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/clamd -c /etc/clamd.d/squid.conf
+User=clamav
+Group=clamav
+Restart=on-failure
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/squid/templates/squid.conf.j2
+++ b/roles/squid/templates/squid.conf.j2
@@ -0,0 +1,96 @@
+{% for port in squid_http_ports %}
+http_port {% if port.ip is defined %}{{ port.ip }}:{% endif %}{{ port.port }}{% if port.mode is defined %} {{ port.mode }}{% endif %}{% if port.options is defined %} {{ port.options | join(' ') }}{% endif %}
+
+{% endfor %}
+{% for port in squid_https_ports %}
+https_port {% if port.ip is defined %}{{ port.ip }}:{% endif %}{{ port.port }}{% if port.mode is defined %} {{ port.mode }}{% endif %}{% if port.options is defined %} {{ port.options | join(' ') }}{% endif %}
+
+{% endfor %}
+
+logformat human %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
+access_log daemon:/var/log/squid/access.log human
+
+# Don't cache repo metadata
+acl repomd url_regex /repomd\.xml$
+cache deny repomd
+{% if squid_no_cache | length > 0 %}
+{% for item in squid_no_cache %}
+acl no_cache url_regex {{ item }}
+{% endfor %}
+# Disable cache for specific URL
+cache deny no_cache
+{% endif %}
+
+{% for acl in squid_acl %}
+{% if acl['items'] | length < 1 %}
+# Create an empty ACL
+acl {{ acl.name }} {{ acl.type }}
+{% else %}
+{% for item in acl['items'] %}
+acl {{ acl.name }} {{ acl.type }} {{ item }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+{% for access in squid_http_access | sort(attribute='priority') %}
+http_access {{ access.policy }} {{ access.match is string | ternary(access.match,access.match | join(' ')) }}
+{% endfor %}
+
+# Default deny all access
+http_access deny all
+
+{% for rule in squid_ssl_bump | sort(attribute='priority') %}
+ssl_bump {{ rule.policy }} {{ rule.match is string | ternary(rule.match,rule.match | join(' ')) }}
+{% endfor %}
+
+cache_mgr {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
+
+client_lifetime 60 minutes
+
+{% if squid_disk_cache %}
+cache_dir aufs /var/spool/squid {{ squid_disk_cache_size }} 16 256
+{% endif %}
+cache_mem {{ squid_mem_cache_size }} MB
+
+range_offset_limit 200 MB sys_domains sys_urls
+maximum_object_size {{ squid_max_object_size }} MB
+quick_abort_min -1
+
+max_filedesc 8192
+
+icap_enable on
+icap_send_client_ip on
+icap_send_client_username on
+icap_client_username_encode off
+icap_client_username_header X-Authenticated-User
+icap_preview_enable on
+icap_preview_size 1024
+
+{% if squid_scan_av %}
+icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
+adaptation_access service_avi_req allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_req av_src
+icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
+adaptation_access service_avi_resp allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_rep av_src
+{% endif %}
+
+{% if squid_filter_url %}
+url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
+url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid/
+url_rewrite_children 16 startup=8 idle=2 concurrency=4
+{% endif %}
+
+# Refresh patterns
+# For package repo
+refresh_pattern (Release|Packages(.gz)?)$      0       20%     1440
+refresh_pattern ((sqlite.bz2)*)$               0       20%     1440
+refresh_pattern (\.deb|\.udeb)$                10080   100%    20160
+refresh_pattern (\.rpm|\.srpm)$                10080   100%    20160
+
+refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)      4320 80% 43200 reload-into-ims
+refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)  4320 80% 43200 reload-into-ims
+refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)        4320 80% 43200 reload-into-ims
+
+# Default refresh pattern
+refresh_pattern .                              0       20%     4320
+
+{{ squid_custom_config }}
--- a/roles/squid/templates/squidclamav.conf.j2
+++ b/roles/squid/templates/squidclamav.conf.j2
@@ -0,0 +1,15 @@
+maxsize {{ squid_av_max_size }}
+clamd_local /var/run/clamav/squid.sock
+dnslookup 0
+safebrowsing {{ squid_safebrowsing.stat.exists | ternary('1','0') }}
+
+abort ^.*\.(ico|gif|png|jpg)$
+abortcontent ^image\/.*$
+abort ^.*\.(css|xml)$
+abortcontent ^video\/x-flv$
+abortcontent ^video\/mp4$
+abortcontent ^.*application\/x-mms-framed.*$
+
+{% for wl in squid_local_whitelist %}
+whitelist {{ wl | regex_replace('\.','\\\.') }}
+{% endfor %}
--- a/roles/squid/templates/ufdbGuard.conf.j2
+++ b/roles/squid/templates/ufdbGuard.conf.j2
@@ -0,0 +1,92 @@
+logdir "/var/log/ufdbguard/"
+dbhome "/var/ufdbguard/blacklists"
+logall on
+squid-version "3.5"
+squid-uses-active-bumping off
+url-lookup-result-during-database-reload allow
+url-lookup-result-when-fatal-error deny
+check-proxy-tunnels {{ squid_ufdb_deny_tunnels | ternary('queue-checks','log-only') }}
+safe-search off
+lookup-reverse-ip on
+use-ipv6-on-wan off
+upload-crash-reports off
+max-logfile-size 200000000
+youtube-edufilter off
+
+source localhost {
+  ipv4 127.0.0.1/32
+}
+source workstations {
+{% for net in squid_workstations_ip %}
+  ipv4 {{ net }}
+{% endfor %}
+}
+source servers {
+{% for net in squid_servers_ip %}
+  ipv4 {{ net }}
+{% endfor %}
+}
+source vip {
+{% for net in squid_vip_ip %}
+  ipv4 {{ net }}
+{% endfor %}
+}
+source admins {
+{% for net in squid_admins_ip %}
+  ipv4 {{ net }}
+{% endfor %}
+}
+source guests {
+{% for net in squid_guests_ip %}
+  ipv4 {{ net }}
+{% endfor %}
+}
+
+{% for category in squid_ufdb_db.results %}
+category {{ category.item }} {
+  redirect        "302:{{ squid_ufdb_blocked_url }}"
+{% if category.stat.exists %}
+  domainlist      {{ category.item }}/domains
+{% endif %}
+{% if category.item == 'security' %}
+  cacerts         "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+  # TODO: options to turn on/off
+  option          enforce-https-with-hostname off
+  option          enforce-https-official-certificate off
+  option          https-prohibit-insecure-sslv2 on
+  option          https-prohibit-insecure-sslv3 off
+  option          allow-aim-over-https on
+  option          allow-gtalk-over-https on
+  option          allow-skype-over-https on
+  option          allow-yahoomsg-over-https on
+  option          allow-fb-chat-over-https on
+  option          allow-citrixonline-over-https on
+  option          allow-unknown-protocol-over-https on
+{% endif %}
+}
+{% endfor %}
+
+acl {
+  localhost {
+    pass any
+  }
+  admins {
+    pass any
+  }
+  vip {
+    pass local_whitelist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
+  }
+  servers {
+    pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} any
+  }
+  guests {
+    pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_guests_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
+  }
+  workstations {
+    pass local_whitelist !local_blacklist {% if squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_dangerous_categories | intersect(squid_ufdb_categories.stdout_lines) | unique | join(' !') }}{% endif %} {% if squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | length > 0 %}!{{ squid_ufdb_blocked_categories | intersect(squid_ufdb_categories.stdout_lines) | join(' !') }}{% endif %} any
+  }
+  default {
+    pass none
+    redirect        "302:{{ squid_ufdb_blocked_url }}"
+  }
+}
--- a/roles/squid/templates/ufdb_update.sh.j2
+++ b/roles/squid/templates/ufdb_update.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+{% if squid_ufdb_update_from_univ %}
+/usr/bin/rsync -rzPq ftp.univ-tlse1.fr::blacklist/dest/ /var/ufdbguard/blacklists/
+{% endif %}
+
+find /var/ufdbguard/blacklists/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \;| while read CATEGORY; do
+  if [ -e /var/ufdbguard/blacklists/$CATEGORY/domains -o -e /var/ufdbguard/blacklists/$CATEGORY/urls ]; then
+    CMD="ufdbGenTable -W -n -t $CATEGORY"
+    if [ -e /var/ufdbguard/blacklists/$CATEGORY/domains ]; then
+      CMD=$CMD" -d /var/ufdbguard/blacklists/$CATEGORY/domains"
+    fi
+    if [ -e /var/ufdbguard/blacklists/$CATEGORY/urls ]; then
+      CMD=$CMD" -u /var/ufdbguard/blacklists/$CATEGORY/urls"
+    fi
+    eval $CMD 2>/dev/null
+  fi
+done
+systemctl restart ufdb
+exit 0