build

roles/squid/tasks/main.yml

@@ -0,0 +1,72 @@
+---
+- name: Install and configure Squid proxy on Ubuntu 24
+  hosts: squid_servers
+  become: true
+  vars:
+    squid_port: 3128
+    squid_localnet: 192.168.77.0/24   # Change to match your LAN
+
+  tasks:
+
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: yes
+
+    - name: Install squid package
+      ansible.builtin.apt:
+        name: squid
+        state: present
+
+    - name: Backup original squid.conf
+      ansible.builtin.copy:
+        src: /etc/squid/squid.conf
+        dest: /etc/squid/squid.conf.bak
+        remote_src: yes
+        backup: yes
+      when: not ansible_check_mode
+
+    - name: Configure Squid for LAN access and HTTPS
+      ansible.builtin.blockinfile:
+        path: /etc/squid/squid.conf
+        marker: "# {mark} ANSIBLE MANAGED BLOCK"
+        block: |
+          # Define ACL for local network
+          acl localnet src {{ squid_localnet }}
+
+          # Define safe ports
+          acl SSL_ports port 443
+          acl Safe_ports port 80
+          acl Safe_ports port 443
+          acl CONNECT method CONNECT
+
+          # Deny invalid ports
+          http_access deny !Safe_ports
+          http_access deny CONNECT !SSL_ports
+
+          # Allow localhost
+          http_access allow localhost
+
+          # Allow local network
+          http_access allow localnet
+
+          # Deny everything else
+          http_access deny all
+
+          # Listen port
+          http_port {{ squid_port }}
+
+          coredump_dir /var/spool/squid
+      notify:
+        - restart squid
+
+    - name: Ensure Squid service is enabled and running
+      ansible.builtin.service:
+        name: squid
+        state: started
+        enabled: true
+
+  handlers:
+    - name: restart squid
+      ansible.builtin.service:
+        name: squid
+        state: restarted