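---
# Install Squid on Ubuntu 24 hosts and restrict proxy use to a single LAN.
#
# Squid evaluates http_access rules in order and the first match wins, so the
# managed block below is inserted before the distribution's final
# "http_access deny all" line; when that line is absent the block is appended
# at end-of-file (blockinfile's documented fallback), which is what an
# unqualified blockinfile would do anyway.
- name: Install and configure Squid proxy on Ubuntu 24
  hosts: squid_servers
  become: true

  vars:
    squid_port: 3128
    squid_localnet: 192.168.77.0/24  # Change to match your LAN

  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true

    - name: Install squid package
      ansible.builtin.apt:
        name: squid
        state: present

    # Keep a pristine copy of the stock config. force=false means the copy is
    # only made when the .bak does not exist yet, so a later run (after the
    # managed block has been written) cannot overwrite it with the modified file.
    - name: Backup original squid.conf
      ansible.builtin.copy:
        src: /etc/squid/squid.conf
        dest: /etc/squid/squid.conf.bak
        remote_src: true
        force: false
        backup: true
      when: not ansible_check_mode

    - name: Configure Squid for LAN access and HTTPS
      ansible.builtin.blockinfile:
        path: /etc/squid/squid.conf
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        # Place the block ahead of the stock deny-all rule so the localnet
        # allow below is reachable. The existing managed block is removed
        # before the regex search, so re-runs stay idempotent.
        insertbefore: '^http_access deny all'
        # NOTE(review): the stock squid.conf may already declare
        # "http_port 3128"; confirm Squid tolerates the duplicate listener
        # or change squid_port.
        block: |
          # Define ACL for local network
          acl localnet src {{ squid_localnet }}

          # Define safe ports
          acl SSL_ports port 443
          acl Safe_ports port 80
          acl Safe_ports port 443
          acl CONNECT method CONNECT

          # Deny invalid ports
          http_access deny !Safe_ports
          http_access deny CONNECT !SSL_ports

          # Allow localhost
          http_access allow localhost

          # Allow local network
          http_access allow localnet

          # Deny everything else
          http_access deny all

          # Listen port
          http_port {{ squid_port }}

          coredump_dir /var/spool/squid
      notify:
        - restart squid

    - name: Ensure Squid service is enabled and running
      ansible.builtin.service:
        name: squid
        state: started
        enabled: true

  handlers:
    - name: restart squid
      ansible.builtin.service:
        name: squid
        state: restarted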