Commit cd8b01bd authored by Simone Piccardi's avatar Simone Piccardi

Correction for squid and dansguardian (web_proxy) roles

parent f6d9884b
......@@ -30,5 +30,5 @@
- { role: ldap-auth, uri: 'ldap://127.0.0.1' }
- samba
- bind
- dhcp
# - dhcp
- web_proxy
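Review bot: The `dhcp` role is switched off by commenting it out and neither the line nor the commit message ("Correction for squid and dansguardian") says why, so a reader cannot tell whether this is a temporary workaround or a permanent removal. Either drop the line or leave the reason next to it, e.g. `# - dhcp  # disabled: <reason>`, so the next person editing the role list knows what to do with it.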
......@@ -35,6 +35,13 @@
path: "{{ cred_dir }}"
state: directory
recurse: yes
- debug:
msg: |
Next operation needs random numbers and will stop until enough entropy is obtained.
You need to press random key on a console, or to make disk activity to speed up
the operations (note: pressing key over an SSH session is not taken into account)
- name: Generate DNS / DHCP key
command: dnssec-keygen -a HMAC-MD5 -b 512 -n HOST truelite
args:
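Review bot: The TSIG key in `command: dnssec-keygen -a HMAC-MD5 -b 512 -n HOST truelite` is generated with HMAC-MD5, which current BIND releases and RFC 8945 treat as deprecated; `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST truelite` is the recommended choice where the installed BIND supports it. The debug message about pressing keys for entropy suggests the tool is blocking on /dev/random; if the installed dnssec-keygen still accepts `-r /dev/urandom`, that removes the need for an operator at the console. The key name `truelite` is hard-coded while the rest of the role templates its values, so a variable would be more consistent. The `args:` block continues outside the hunk, so I cannot see whether a `creates:` guard prevents the key from being regenerated (and the DNS/DHCP trust broken) on every run — if there is none, add one.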
# default variables for slapd role
---
#samba_data_share: "{{cred_dir}}/"
#samba_data_share: "{{cred_dir}}/"
# uncomment to enable password policies for samba
#smb_pass_policy: yes
samba_dir: /home/SAMBA
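Review bot: The new comment tells the reader to uncomment `smb_pass_policy: yes`, but the task it enables (further down the page) only tests `smb_pass_policy is defined`, so the value is irrelevant — and `yes` is a YAML 1.1 boolean that yamllint's `truthy` rule flags; say what actually matters, e.g. `# define smb_pass_policy (any value) to enable the samba password policy task`. The file header still reads `# default variables for slapd role` although every variable in it belongs to the samba role; `# default variables for samba role` would remove the copy-paste confusion.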
......@@ -22,13 +22,28 @@
- name: Setting Samba to LDAP password
command: smbpasswd -w {{pass}}
- name: Restarting services
service: name={{item}} state=started
with_items:
- smbd
- nmbd
# these are created, but at the moment unused in smb.conf
- name: Creating netlogon directory (just in case)
file:
path: "{{samba_dir}}/netlogon"
state: directory
recurse: yes
- name: Creating profiles directory (just in case)
file:
path: "{{samba_dir}}/profiles"
state: directory
recurse: yes
mode: 01777
- name: Wait a little, otherwise next commands can fail
pause: seconds=2
- name: Give full privileges to 'Domain Admins' group
command: net rpc rights grant 'Domain Admins' {{item}} -U admin%{{pass}}
with_items:
......@@ -49,3 +64,12 @@
- SeDiskOperatorPrivilege
- SeTakeOwnershipPrivilege
# define smb_pass_policy var in defaults if you want to enable this
- name: Setup samba password policy
command: pdbedit -P "{{item.key}}" -C "{{item.value}}"
when: smb_pass_policy is defined
with_items:
- { key: 'maximum password age', value: 175 }
- { key: 'password history', value: 3 }
- { key: 'min password length', value: 9 }
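Review bot: In `- { key: 'maximum password age', value: 175 }` the unit needs checking before this lands: as far as I recall, pdbedit's account-policy values for password age are in seconds, so 175 would expire every password within about three minutes where 175 days was presumably intended — confirm against the Samba version in use. `command: pdbedit -P "{{item.key}}" -C "{{item.value}}"` has no `changed_when`, so the task reports a change on every run; `changed_when: false` (or a check against the current `pdbedit -P "{{item.key}}"` output) keeps the play idempotent. The same concern applies to `pause: seconds=2` in the previous hunk: a fixed sleep before `net rpc rights grant` is a race, and `wait_for: port=445 timeout=30` waits for smbd deterministically (assuming smbd listens on 445 here). `mode: 01777` there should be quoted as `mode: "01777"` so the YAML parser does not turn it into an integer before Ansible sees it.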
corriere.it #
dansguardian.org #
debian.org #
fuss.bz.it #
invalsi.it #
mail.yahoo.com #
login.live.com #
hotmail.com #
webmail.aruba.it #
edscuola.com #
microsoft.com #
repubblica.it #
ubuntu.com #
windowsupdate.com #
windowsupdate.microsoft.com #
repubblica.it #
istruzione.it #
wstreaming.zdf.de #
mdr.de #
radio-download.dw.de #
mp3-download.swr.de #
download.rbb-online.de #
c22033-o.p.core.cdn.streamfarm.net #
tvthek.orf.at #
cp50792.edgefcs.net #
ardmediathek.de #
wdr.de #
## elenco scuole provincia
spc-bz-europa1.it #
ipcdobbiaco.it #
ipclaives.it #
ipc-vipiteno.it #
ic-bassa-atesina.it #
ic-bz-europa2.it #
icbolzano2.it #
icbz4.it #
icbz5.it #
icbz6.it #
icbressanone.it #
icbz1.it #
iclaives1.it #
icmerano2.it #
icmerano1.it #
icbz3.it #
torricelli.bz.it #
ipscteliceodibressanone.it #
liceopascolibz.it #
licei-merano.it #
liceocarducci.bz.it #
itcbz.it #
itgdelai.it #
iisgalilei.bz.it #
ipcbrunico.it #
ipsct-demedici.it #
provincia.bz.it/intendenza-scolastica/strutture/struttura-convitto.asp #
rainerum.it #
toniolo-online.it #
itasbz.it #
istitutowalther.it #
marcellinebolzano #
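Review bot: `marcellinebolzano` on the last line has no top-level domain, unlike every other entry, so as written it cannot match a real host name — it looks like a truncated `.it`, but confirm with the list owner rather than guess. `repubblica.it` is listed twice (in the news block and again right after `windowsupdate.microsoft.com`); drop one. Whole-domain entries such as `microsoft.com`, `hotmail.com` and `mail.yahoo.com` exempt every host and path under those domains from content filtering, which is a policy decision worth a one-line comment in the file so it is not mistaken for an oversight. I cannot tell from the rendering whether the trailing ` #` on each line is in the file itself; `#` starts a comment in dansguardian lists so it should be harmless, but it is noise for readers.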
# slapd handlers
---
- name: restart {{squid}}
service: name={{squid}} state=restarted
- name: restart dansguardian
service: name=dansguardian state=restarted
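Review bot: The handler name `restart {{squid}}` embeds a Jinja expression, which Ansible can only resolve if the variable is known when the play is parsed and which its documentation cautions against; a fixed name keeps the templating where it belongs — `- name: restart squid` / `service: name={{ squid }} state=restarted` — with the `notify` entries in the tasks file changed to `restart squid`. The file header says `# slapd handlers` but these are the web_proxy role's handlers; `# web_proxy handlers`. `{{squid}}` here versus `{{ squid }}` elsewhere in the role is a small inconsistency worth normalizing while touching the file.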
......@@ -33,15 +33,12 @@
include: "{{ includes }}/install-package-apt.yml"
with_items: "{{ squid }},dansguardian"
- name: stop squid
service:
name: "{{ squid }}"
state: stopped
- name: retreive available disk space
# TODO: check if we have to use {{ squid }} instead of squid3 here
shell: "df -m /var/spool/squid3 | tail -n1 | awk '{print $2}'"
register: available_disk_for_squid
changed_when: False
- name: set disk and memory space for squid
set_fact:
squid_disk_space: "{{ available_disk_for_squid.stdout | int // 4 }}"
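Review bot: The TODO added at `# TODO: check if we have to use {{ squid }} instead of squid3 here` flags a real break rather than an open question: the cache_dir template in the same commit now uses `/var/spool/{{squid}}`, so whenever `squid` is not `squid3` the `df -m /var/spool/squid3` command hits a missing path, the pipeline still exits 0, stdout is empty and `| int // 4` silently sets `squid_disk_space` to 0. `df` on the parent `/var/spool` reports the same filesystem whether or not the cache directory exists yet (assuming the cache dir is not its own mount), so `shell: "df -m /var/spool | tail -n1 | awk '{print $2}'"` resolves the TODO; note also that `$2` is the filesystem's total size, not the "available" space the task name and the `available_disk_for_squid` register promise — `$4` if available is meant. Further down this file, `register: results` on the squid.conf template task looks dead now that the `when: results.changed` start task has been replaced by the notify, and the new `copy` to `/etc/fuss-server/` assumes that directory already exists — a `file: path=/etc/fuss-server state=directory` task ahead of it would make the role self-contained.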
......@@ -52,36 +49,37 @@
backup: yes
src: squid.conf
dest: '/etc/{{ squid }}/squid.conf'
register: results
notify:
- restart {{squid}}
- name: create missing swap and cache_dir directories
command: '{{ squid }} -z'
- name: start squid
service:
name: '{{ squid }}'
state: started
when: results.changed
- name: internet group for access control
group:
name: internet
system: yes
state: present
- name: stop dansguardian
service:
name: "dansguardian"
state: stopped
- name: configure dansguardian
template:
backup: yes
src: dansguardian.conf
dest: /etc/dansguardian/dansguardian.conf
- name: configure dansguadian1
notify:
- restart dansguardian
- name: configure dansguardian1
template:
backup: yes
src: dansguardianf1.conf
dest: /etc/dansguardian/dansguardianf1.conf
- name: copy additional dansguardian configuration
notify:
- restart dansguardian
- name: Copy additional dansguardian configuration
copy:
backup: yes
src: '{{ item }}'
......@@ -91,8 +89,12 @@
- bannedmimetypelist
- exceptionsitelist
- exceptionurllist
notify:
- restart dansguardian
- name: start dansguardian
service:
name: "dansguardian"
state: started
- name: copy fuss-server specific rules
copy:
src: content-filter-allowed-sites
dest: /etc/fuss-server/
notify:
- restart dansguardian
......@@ -176,8 +176,6 @@
# Remove this line. All valid methods for HTTP are accepted by default.
#Default:
# none
# reported as obsolete
#extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# TAG: zero_buffers
#Default:
......@@ -756,7 +754,7 @@ auth_param basic credentialsttl 30 minutes
#Default:
# none
#external_acl_type ldap_group %LOGIN /usr/lib/{{ squid }}/squid_ldap_group -b "ou=Groups,{{ basedn }}" -B "ou=Users,{{ basedn }}" -f "(&(memberUid=%u)(cn=%g))" -h localhost
external_acl_type unix_group %LOGIN /usr/lib/{{ squid }}/squid_unix_group -p
external_acl_type unix_group %LOGIN /usr/lib/{{ squid }}/ext_unix_group_acl -p
# TAG: acl
# Defining an Access List
......@@ -1040,6 +1038,16 @@ external_acl_type unix_group %LOGIN /usr/lib/{{ squid }}/squid_unix_group -p
# Recommended minimum configuration:
#
### added acl and no-cache directives
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#acl fuss.bz.it url_regex ^http://archive.fuss.bz.it/
#no_cache deny fuss.bz.it
acl localserver url_regex ^http://{{ host }}
no_cache deny localserver
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
......@@ -1207,10 +1215,72 @@ http_access deny manager
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
### TODO: verify why this rule was enabled and if it is still needed
http_access allow to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
### begin added ACL and access restriction
##
## BEGIN: OS check/block from useragent
##
acl nowindows browser Windows
# Block access from Windows for any user, group, time, etc.
http_access deny nowindows
deny_info ERR_NO_WINDOWS nowindows
##
## END: OS check/block from useragent
##
#
# list of allowed unauthenticated access
#
# repositories used by distributions
acl repositories url_regex ^http://archive.fuss.bz.it/
acl repositories url_regex ^http://.*.debian.org/
acl repositories url_regex ^http://security.debian.org/
acl repositories url_regex ^http://security.ubuntu.com/
acl repositories url_regex ^http://.*.ubuntu.com/ubuntu/
acl repositories url_regex ^http://changelogs.ubuntu.com/
acl repositories url_regex ^http://.*.sourceforge.net/.*/corefonts
acl repositories url_regex ^http://.*.sourceforge.net/corefonts
acl repositories url_regex oracle.com
acl repositories url_regex devel.fuss.bz.it
acl repositories url_regex archive.canonical.com
acl repositories url_regex ^http://launchpadlibrarian.net/
acl repositories url_regex ^http://windowsupdate.microsoft.com
http_access allow repositories
# firefox addons and components
acl firefox url_regex ^services.addons.mozilla.org
acl firefox url_regex ^versioncheck.addons.mozilla.org
acl firefox url_regex ^addons.mozilla.org
acl firefox url_regex ^it.add-ons.mozilla.com
http_access allow firefox
# access to server itself
acl itself dst {{ serverip }}
http_access allow itself
#
# Decomment last line to enable timed access
#
acl orario time M T W H F 7:00-22:00 A 7:00-14:00
acl our_networks src {{ localnet }}
#acl internet external ldap_group internet
acl internet external unix_group internet
acl password proxy_auth REQUIRED
http_access allow password internet
#http_access allow password internet orario our_networks
### END ADDED CONFIGURATIONS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
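Review bot: `http_access allow to_localhost` (with its TODO) is the riskiest line of the moved block: it lets any proxy client, unauthenticated, reach services bound to 127.0.0.0/8 on the proxy host, which is exactly what squid's own comment above it warns about, so unless a concrete need is identified it should read `http_access deny to_localhost` and sit before the allow rules. The unauthenticated allow-lists are built from `url_regex` patterns that are either unanchored (`oracle.com`, `devel.fuss.bz.it`, `archive.canonical.com`) or use unescaped dots and `.*` (`^http://.*.debian.org/`), so they match the pattern anywhere in the URL rather than the intended destination host; `dstdomain` matches only the host and is the usual way to express these exemptions — sketch below with the same hosts as on the page, host-only and therefore slightly broader on path than the `/ubuntu/` pattern, while the sourceforge corefonts entries stay a regex but anchored on the host with escaped dots. Now that these rules precede `http_access deny all` they are actually enforced (the deleted copy at the end of the file was unreachable), which is why they deserve this scrutiny. In the same file, `icp_access allow all` a few hunks below is also TODO-guarded; squid's default is deny and ICP is inactive unless `icp_port` is set, so dropping the line — or `icp_access allow localnet` followed by `icp_access deny all` if peers exist — is the safe answer.
```conf
# repositories used by distributions -- match the destination host, not the whole URL
acl repositories dstdomain archive.fuss.bz.it devel.fuss.bz.it
acl repositories dstdomain .debian.org .ubuntu.com archive.canonical.com
acl repositories dstdomain .oracle.com launchpadlibrarian.net windowsupdate.microsoft.com
acl repositories url_regex ^http://[^/]*\.sourceforge\.net/.*corefonts
http_access allow repositories
# firefox addons and components
acl firefox dstdomain services.addons.mozilla.org versioncheck.addons.mozilla.org
acl firefox dstdomain addons.mozilla.org it.add-ons.mozilla.com
http_access allow firefox
# ... unchanged: itself / orario / our_networks / internet / password rules ...
```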
......@@ -1267,6 +1337,9 @@ http_access deny all
#Default:
# Deny, unless rules exist in squid.conf.
### TODO: Verify is really needed (probably not)
icp_access allow all
# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
# access lists
......@@ -2961,7 +3034,6 @@ cache_mem {{ squid_memory }} MB
# enough to keep larger objects from hoarding cache_mem.
#Default:
# maximum_object_size_in_memory 512 KB
maximum_object_size_in_memory 32 KB
# TAG: memory_cache_shared on|off
# Controls whether the memory cache is shared among SMP workers.
......@@ -3244,7 +3316,7 @@ maximum_object_size 200 MB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid3 100 16 256
cache_dir ufs /var/spool/squid {{ squid_disk_space }} 16 256
cache_dir aufs /var/spool/{{squid}} {{ squid_disk_space }} 16 256
# TAG: store_dir_select_algorithm
# How Squid selects which cache_dir to use when the response
......@@ -3985,8 +4057,7 @@ access_log daemon:/var/log/{{ squid }}/useragent.log useragent
#
# Leave coredumps in the first cache dir
#coredump_dir /var/spool/squid3
coredump_dir /var/spool/{{ squid }}
coredump_dir /var/spool/squid3
# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------
......@@ -7672,99 +7743,3 @@ error_directory /usr/share/{{ squid }}/errors/Italian
# See also: workers
#Default:
# Let operating system decide.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#acl fuss.bz.it url_regex ^http://archive.fuss.bz.it/
#no_cache deny fuss.bz.it
acl localserver url_regex ^http://{{ host }}
no_cache deny localserver
acl all src all
#acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
##
## BEGIN: OS check/block from useragent
##
acl nowindows browser Windows
# Block access from Windows for any user, group, time, etc.
http_access deny nowindows
deny_info ERR_NO_WINDOWS nowindows
##
## END: OS check/block from useragent
##
#
# list of allowed unauthenticated access
#
# repositories used by distributions
acl repositories url_regex ^http://archive.fuss.bz.it/
acl repositories url_regex ^http://.*.debian.org/
acl repositories url_regex ^http://security.debian.org/
acl repositories url_regex ^http://security.ubuntu.com/
acl repositories url_regex ^http://.*.ubuntu.com/ubuntu/
acl repositories url_regex ^http://changelogs.ubuntu.com/
acl repositories url_regex ^http://.*.sourceforge.net/.*/corefonts
acl repositories url_regex ^http://.*.sourceforge.net/corefonts
acl repositories url_regex oracle.com
acl repositories url_regex devel.fuss.bz.it
acl repositories url_regex archive.canonical.com
acl repositories url_regex ^http://launchpadlibrarian.net/
acl repositories url_regex ^http://windowsupdate.microsoft.com
http_access allow repositories
# firefox addons and components
acl firefox url_regex ^services.addons.mozilla.org
acl firefox url_regex ^versioncheck.addons.mozilla.org
acl firefox url_regex ^addons.mozilla.org
acl firefox url_regex ^it.add-ons.mozilla.com
http_access allow firefox
# localhost
http_access allow to_localhost
# access to server itself
acl itself dst {{ serverip }}
http_access allow itself
#
# Decomment last line to enable timed access
#
acl orario time M T W H F 7:00-22:00 A 7:00-14:00
acl our_networks src {{ localnet }}
#acl internet external ldap_group internet
acl internet external unix_group internet
acl password proxy_auth REQUIRED
http_access allow password internet
#http_access allow password internet orario our_networks
http_access deny all
http_reply_access allow all
icp_access allow all