forked from mrlesmithjr/ansible-squid
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
147 lines (132 loc) · 3.07 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
---
# defaults file for ansible-squid
squid_auth_basic_enable: false
# squid_auth_basic_passwd_file: /etc/squid3/passwd
# squid_auth_basic_users:
# - name: user
# password: 123
# squid_auth_basic:
# - "program /usr/lib/squid3/ncsa_auth {{ squid_auth_basic_passwd_file }}"
# - "children 5"
# - "realm Squid proxy-caching web server"
# - "credentialsttl 2 hours"
# - "casesensitive off"
# acl aclname acltype argument
squid_acl:
- name: 'SSL_ports'
type: 'port'
arg: '443'
- name: 'CONNECT'
type: 'method'
arg: 'CONNECT'
# - name: 'auth'
# type: 'proxy_auth'
# arg: 'REQUIRED'
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
squid_acl_localnet:
- '10.0.0.0/8'
- '172.16.0.0/16'
- '192.168.0.0/16'
squid_acl_safeports:
- port: '21'
comment: 'ftp'
- port: '70'
comment: 'gopher'
- port: '80'
comment: 'http'
- port: '210'
comment: 'wais'
- port: '280'
comment: 'http-mgmt'
- port: '443'
comment: 'https'
- port: '488'
comment: 'gss-http'
- port: '591'
comment: 'filemaker'
- port: '777'
comment: 'multiling http'
- port: '1025-65535'
comment: 'unregistered ports'
# Defines squid peers to sync with
# #do not enter FQDN...It will be added
squid_cache_peer: []
# # do not enter FQDN...hostname only
# - host: squid-1
# #enter domain name for hostname above
# domain: '{{ squid_pri_domain_name }}'
# type: sibling
# proxy_port: '{{ squid_http_port }}'
# icp_port: '{{ squid_icp_port }}'
# options: default
# # do not enter FQDN...hostname only
# - host: squid-2
# # enter domain name for hostname above
# domain: '{{ squid_pri_domain_name }}'
# type: sibling
# proxy_port: '{{ squid_http_port }}'
# icp_port: '{{ squid_icp_port }}'
# options: default
squid_cache_peering: false
squid_http_access:
# - action: 'deny'
# acl:
# - '!auth'
- action: 'deny'
acl:
- '!Safe_ports'
- action: 'deny'
acl:
- 'CONNECT'
- '!SSL_ports'
- action: 'allow'
acl:
- 'localhost'
- 'manager'
- action: 'deny'
acl:
- 'manager'
- action: 'allow'
acl:
- 'localhost'
- action: 'allow'
acl:
- 'localnet'
- action: 'deny'
acl:
- 'all'
squid_http_port: '3128'
squid_icp_access: 'all'
squid_icp_port: '3130'
# Define primary domain name
squid_pri_domain_name: 'example.org'
squid_refresh_patterns:
- regex: '^ftp:'
min: '1440'
percent: '20%'
max: '10080'
- regex: '^gopher:'
min: '1440'
percent: '0%'
max: '1440'
- regex: '-i (/cgi-bin/|\?)'
min: '0'
percent: '0%'
max: '0'
- regex: '(Release|Packages(.gz)*)$'
min: '0'
percent: '20%'
max: '2880'
# - regex: '(\.deb|\.udeb)$'
# min: '129600'
# percent: '100%'
# max: '129600'
- regex: '.'
min: '0'
percent: '20%'
max: '4320'
# Defines if squid should function in transparent mode
squid_transparent_proxy: false
# Defines if squid transparent should configure ferm firewall for masquerading
squid_transparent_proxy_ferm: false