This role provides simple configuration for the Squid caching proxy server.
The only dependency is data-utilities for the package installation.
The configuration happens inside a YAML structure named proxy_squid.
Configures the visible hostname of the proxy server (visible_hostname in the example below). It is usually a good idea to set this.
This can also be configured with the proxy_squid_hostname variable, which allows sharing the main configuration structure between multiple proxies with different host names.
Configures the network protocol preference (dns_v4_first). On networks that are v4 only or have bad v6 connectivity it makes sense to set this to true.
Configures the X-Forwarded-For header (forwarded_for). To hide the proxy set this to delete. When using on (default) or off, the value needs to be quoted in the YAML to prevent automatic conversion to a boolean.
A structure for configuring ACLs with an ACL type in type and a list of matching elements in elements. Options, if any, need to be specified as part of the type:

acl:
  example-domain:
    type: dstdomain
    elements:
      - .foo.example.com
  example-net:
    type: src
    elements:
      - 10.10.10.0/24
      - 10.10.1.0/24

There is special handling for the ACLs named localnet (type src), SSL_ports (type port), Safe_ports (type port) and CONNECT (type method). If any of those is omitted or defined with a different type, the default squid ACL with this name is inserted instead.
Configures the effective user and effective group. Both default to squid.
A structure for configuring cache peers and cache peer access. The top level sub keys can all be omitted; they are type (default: parent), proxy_port (default: 3128), icp_port (default: 0) and options (default: '').
Additionally the keys allow and deny take a list of ACL names to configure cache peer access. ACLs specified here but not configured will be ignored to avoid startup errors.

cache_peers:
  10.11.12.13:
    proxy_port: 80
    options: noquery default
    deny:
      - example-domain
      - example-net
  192.168.0.1:
    proxy_port: 3128
    options: noquery default
    deny:
      - example-net

A list of elements configuring always_direct and never_direct. Lines can start with never_direct or always_direct. If the keyword is omitted the entry is treated as always_direct:

cache_access:
  - deny ilo-domain
  - allow example-domain
  - allow example-net
  - never_direct allow all

The directory containing squid configuration files. Defaults to /etc/squid.
A list of firewalld entries to configure access for. Note that old ports need to be disabled separately when changing ports on an already deployed squid instance.
A list of elements configuring http_access. When omitted the squid default configuration is used:

http_access:
  - deny !Safe_ports
  - deny CONNECT !SSL_ports
  - allow localhost manager
  - deny manager
  - deny to_localhost
  - allow localnet
  - allow localhost
  - deny all

No ACL verification is performed: specifying an invalid ACL will lead to squid not starting up.
Configures the port squid listens on. Defaults to 3128.
proxy_squid:
  visible_hostname: my-proxy.example.com
  dns_v4_first: true
  forwarded_for: delete
  http_access:
    - deny !Safe_ports
    - allow localhost manager
    - deny manager
    - deny to_localhost
    - allow localnet
    - allow localhost
    - deny all
  cache_access:
    - deny ilo-domain
    - allow example-domain
    - allow example-net
    - never_direct allow all
  cache_peers:
    10.11.12.13:
      proxy_port: 80
      options: noquery default
      deny:
        - example-domain
        - example-net
    192.168.0.1:
      proxy_port: 3128
      options: noquery default
      deny:
        - example-net
  acl:
    ilo-domain:
      type: dstdomain
      elements:
        - .ilo.example.com
    example-domain:
      type: dstdomain
      elements:
        - .foo.example.com
    example-net:
      type: src
      elements:
        - 10.10.10.0/24
        - 10.10.1.0/24
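Because the role performs no ACL verification (an invalid ACL in http_access stops squid from starting) and silently drops undefined ACLs in cache peer access, a pre-flight check before running the playbook is worth having. The following is an added example and not part of this role: it takes the proxy_squid structure above (transcribed into a dict so it runs without PyYAML), applies the rules the README states (special-ACL fallback, always_direct default, cache peer defaults, undefined peer ACLs ignored, quoted on/off for forwarded_for), reports problems, and renders the resulting squid.conf directives. The stock Squid values used for the fallback ACLs are abbreviated and assumed; the role's real defaults may differ. The allow-before-deny ordering of cache_peer_access lines is also an assumption.

```python
# Added example, not the role's code: pre-flight checks and a squid.conf renderer
# for the proxy_squid structure described in the README.

# ACLs Squid itself predefines; they never appear in the acl structure.
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}

# Fallback ACLs the README names; values abbreviated from stock squid.conf (assumption).
SPECIAL_ACL_DEFAULTS = {
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "SSL_ports": ("port", ["443"]),
    "Safe_ports": ("port", ["80", "21", "443", "1025-65535"]),
    "CONNECT": ("method", ["CONNECT"]),
}

FORWARDED_FOR_VALUES = {"on", "off", "transparent", "truncate", "delete"}


def effective_acls(cfg):
    """Return {name: (type, elements)} after the special-ACL fallback."""
    acls = {}
    for name, spec in (cfg.get("acl") or {}).items():
        acls[name] = (str(spec["type"]), [str(e) for e in spec["elements"]])
    for name, (atype, elements) in SPECIAL_ACL_DEFAULTS.items():
        # Omitted, or defined with a different base type: stock default is inserted.
        if name not in acls or acls[name][0].split()[0] != atype:
            acls[name] = (atype, elements)
    return acls


def referenced_acls(line):
    """ACL names used by an access line, leading '!' stripped."""
    words = line.split()
    first_acl = 1 if words[0] in ("allow", "deny") else 2  # never_/always_direct prefix
    return [w.lstrip("!") for w in words[first_acl:]]


def check(cfg):
    """Return a list of problems; empty means every ACL reference resolves."""
    problems = []
    known = set(effective_acls(cfg)) | BUILTIN_ACLS
    for key in ("http_access", "cache_access"):
        for line in cfg.get(key) or []:
            for acl in referenced_acls(line):
                if acl not in known:
                    problems.append(f"{key}: undefined ACL {acl!r} in {line!r}")
    ff = cfg.get("forwarded_for", "on")
    if isinstance(ff, bool):
        problems.append("forwarded_for: unquoted on/off became a YAML bool; quote it")
    elif ff not in FORWARDED_FOR_VALUES:
        problems.append(f"forwarded_for: unsupported value {ff!r}")
    for peer, spec in (cfg.get("cache_peers") or {}).items():
        for action in ("allow", "deny"):
            for acl in spec.get(action) or []:
                if acl not in known:  # the role drops these silently; surface them
                    problems.append(f"cache_peers {peer}: {action} {acl!r} undefined, would be ignored")
    return problems


def render(cfg):
    """Render the squid.conf directives the structure describes."""
    known = set(effective_acls(cfg)) | BUILTIN_ACLS
    out = []
    if "visible_hostname" in cfg:
        out.append(f"visible_hostname {cfg['visible_hostname']}")
    if cfg.get("dns_v4_first"):
        out.append("dns_v4_first on")
    if "forwarded_for" in cfg:
        ff = cfg["forwarded_for"]
        out.append(f"forwarded_for {'on' if ff is True else 'off' if ff is False else ff}")
    for name, (atype, elements) in effective_acls(cfg).items():
        out += [f"acl {name} {atype} {e}" for e in elements]
    for line in cfg.get("http_access") or []:
        out.append(f"http_access {line}")
    for line in cfg.get("cache_access") or []:
        if not line.startswith(("never_direct", "always_direct")):
            line = "always_direct " + line  # keyword omitted -> always_direct
        out.append(line)
    for peer, spec in (cfg.get("cache_peers") or {}).items():
        fields = ("cache_peer", peer, spec.get("type", "parent"),
                  spec.get("proxy_port", 3128), spec.get("icp_port", 0), spec.get("options", ""))
        out.append(" ".join(str(f) for f in fields if str(f)))
        for action in ("allow", "deny"):  # ordering is an assumption
            for acl in spec.get(action) or []:
                if acl in known:
                    out.append(f"cache_peer_access {peer} {action} {acl}")
    return out


# The README's example structure, transcribed so the script runs offline.
EXAMPLE = {
    "visible_hostname": "my-proxy.example.com",
    "dns_v4_first": True,
    "forwarded_for": "delete",
    "http_access": ["deny !Safe_ports", "allow localhost manager", "deny manager",
                    "deny to_localhost", "allow localnet", "allow localhost", "deny all"],
    "cache_access": ["deny ilo-domain", "allow example-domain", "allow example-net",
                     "never_direct allow all"],
    "cache_peers": {
        "10.11.12.13": {"proxy_port": 80, "options": "noquery default",
                        "deny": ["example-domain", "example-net"]},
        "192.168.0.1": {"proxy_port": 3128, "options": "noquery default",
                        "deny": ["example-net"]},
    },
    "acl": {
        "ilo-domain": {"type": "dstdomain", "elements": [".ilo.example.com"]},
        "example-domain": {"type": "dstdomain", "elements": [".foo.example.com"]},
        "example-net": {"type": "src", "elements": ["10.10.10.0/24", "10.10.1.0/24"]},
    },
}

if __name__ == "__main__":
    for problem in check(EXAMPLE) or ["no problems found"]:
        print(problem)
    print("\n".join(render(EXAMPLE)))
```

Running it on the README example reports no problems and prints the directives, including the fallback localnet, SSL_ports, Safe_ports and CONNECT ACLs that the role inserts because the example does not define them. Feeding it a structure with forwarded_for: on left unquoted shows the bool problem the README warns about, since the value arrives as True rather than the string "on".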