From b14356f5d09192265cd5241bd1010b86f9fac3a9 Mon Sep 17 00:00:00 2001
From: jaydee
Date: Tue, 17 Feb 2026 13:06:07 +0100
Subject: [PATCH] build
---
roles/squid/tasks/main.yml | 72 ++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100755 roles/squid/tasks/main.yml
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100755
index 0000000..1f80e2c
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+- name: Install and configure Squid proxy on Ubuntu 24
+ hosts: squid_servers
+ become: true
+ vars:
+ squid_port: 3128
+ squid_localnet: 192.168.77.0/24 # Change to match your LAN
+
+ tasks:
+
+ - name: Update apt cache
+ ansible.builtin.apt:
+ update_cache: yes
+
+ - name: Install squid package
+ ansible.builtin.apt:
+ name: squid
+ state: present
+
+ - name: Backup original squid.conf
+ ansible.builtin.copy:
+ src: /etc/squid/squid.conf
+ dest: /etc/squid/squid.conf.bak
+ remote_src: yes
+ backup: yes
+ when: not ansible_check_mode
+
+ - name: Configure Squid for LAN access and HTTPS
+ ansible.builtin.blockinfile:
+ path: /etc/squid/squid.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ # Define ACL for local network
+ acl localnet src {{ squid_localnet }}
+
+ # Define safe ports
+ acl SSL_ports port 443
+ acl Safe_ports port 80
+ acl Safe_ports port 443
+ acl CONNECT method CONNECT
+
+ # Deny invalid ports
+ http_access deny !Safe_ports
+ http_access deny CONNECT !SSL_ports
+
+ # Allow localhost
+ http_access allow localhost
+
+ # Allow local network
+ http_access allow localnet
+
+ # Deny everything else
+ http_access deny all
+
+ # Listen port
+ http_port {{ squid_port }}
+
+ coredump_dir /var/spool/squid
+ notify:
+ - restart squid
+
+ - name: Ensure Squid service is enabled and running
+ ansible.builtin.service:
+ name: squid
+ state: started
+ enabled: true
+
+ handlers:
+ - name: restart squid
+ ansible.builtin.service:
+ name: squid
+ state: restarted
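Review bot: The new `roles/squid/tasks/main.yml` holds a complete play (`hosts:`, `become:`, `vars:`, `tasks:`, `handlers:`), but a role's tasks file must be a flat list of tasks, so Ansible will reject `hosts` as an invalid task attribute the first time the role is included. Either move this content to a playbook outside `roles/`, or keep only the list under `tasks:` here and move the `restart squid` handler to `roles/squid/handlers/main.yml` and `squid_port`/`squid_localnet` to `roles/squid/defaults/main.yml`. Separately, `blockinfile` appends its block at end of file by default, and if the stock Ubuntu squid.conf is left in place its own `http_access deny all` and `http_port 3128` presumably precede the managed block, so `http_access allow localnet` is never reached (first matching http_access rule wins) and the listen port is declared twice — add `insertbefore: '^http_access deny all'` or template the whole file, and drop the duplicate `http_port` line. Also prefer `true` over `yes` for `update_cache`, `remote_src` and `backup` to match the `become: true` and `enabled: true` already in the file, and the file is created with mode 100755 although a data file needs no execute bit.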