Merge branch 'devel' (early part) into production

ca79144a · Klas Arvidsson · bb5ed94f · e89bb28b · ca79144a · ca79144a
Commit ca79144a authored 5 years ago by Klas Arvidsson
--- a/files/squid/squid.conf
+++ b/files/squid/squid.conf
+# klaar@ida 2015,2016,2019:
+#
+# Inititate cache dir:
+# /home/examadm/lsw/sbin/squid -z
+#
+# Rotate logs:
+# /home/examadm/lsw/sbin/squid -k rotate
+#
+# Starting: (ssl_crtd not running stable on nfs, locking problem)
+# ulimit -Sn 4096
+# mkdir -p /tmp/squid/var/lib
+# /home/examadm/lsw/libexec/ssl_crtd -c -s /tmp/squid/var/lib/ssl_db
+# /home/examadm/lsw/sbin/squid -YC
+#
+# Stopping:
+# /home/examadm/lsw/sbin/squid -k shutdown
+#
+# Manager-URL:
+# http://tentix.ida.liu.se:3128/squid-internal-mgr/info
+#
+# Yearly update of certificate:
+# 1. Generate certificate:
+#  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
+#  openssl x509 -in myCA.pem -outform DER -out myCA.der
+#
+# 2. Change config option "http_port" below
+# 3. Add the "-----BEGIN CERTIFICATE-----" part from the PEM file to
+#  ~/.config/curl/curl_ca_bundle.crt
+#    to let curl know about the new CA (needed for RStudio HTTPS
+#    downloads, the module for RStudio will set CURL_CA_BUNDLE
+#    environment variable.)
+# 4. Change in exam environment, (after added in Chromium myCA.der end up "somewhere" in ~/.pki/*
+#    Use this command to edit chrome exam template settings:
+#  env -i XAUTHORITY=/home/examadm/.Xauthority DISPLAY=$DISPLAY HOME=/home/examadm/Version-3.1/sea/env/courses/template_student_home_files/owned_by_uid chromium-browser --proxy-server="exam.ida.liu.se:3128" --temp-profile
+
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+acl ad srcdomain ad.liu.se
+acl edu srcdomain edu.liu.se
+acl ida srcdomain ida.liu.se
+acl isy srcdomain isy.liu.se
+
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 443		# https
+acl Safe_ports port 3128 	# squid cachemgr
+acl Safe_ports port 12000 	# opendsa
+# acl Safe_ports port 21		# ftp
+# acl Safe_ports port 70		# gopher
+# acl Safe_ports port 210		# wais
+# acl Safe_ports port 1025-65535	# unregistered ports
+# acl Safe_ports port 280		# http-mgmt
+# acl Safe_ports port 488		# gss-http
+# acl Safe_ports port 591		# filemaker
+# acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access allow ida manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+url_rewrite_program /usr/libexec/squid/helpers/squid-url-rewrite.py
+logfile_rotate 6
+
+#auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
+# auth_param basic program /usr/libexec/squid/helpers/squid-auth-param.py
+# auth_param basic children 5 startup=5 idle=1
+# auth_param basic realm Squid proxy-caching web server
+# auth_param basic credentialsttl 5 hours
+
+# acl student proxy_auth REQUIRED
+# http_access deny !student
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow all
+http_access allow localnet
+http_access allow ad
+http_access allow edu
+http_access allow ida
+http_access allow isy
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+# http_port 3128
+http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/libexec/squid/helpers/certificate/Oct18-Oct19/myCA.pem
+always_direct allow all
+ssl_bump server-first all
+
+# Inititate with:
+# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
+sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
+sslcrtd_children 32 startup=5 idle=1
+
+# the following two options are unsafe and not always necessary:
+sslproxy_cert_error allow all
+sslproxy_flags DONT_VERIFY_PEER
+workers 8
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir ufs /var/cache/squid 128 16 256 max-size=4MB
+cache_mem 256 MB
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320
--- a/manifests/init.pp
+++ b/manifests/init.pp
 class aes {
+  include aes::squid_filter
  include ::liurepo::centos_sclo_rh

  package {
@@ -32,12 +33,36 @@ class aes {
    sshkey     => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAwq552ev0T5YyWDUoEi2hY8hhm6iZHoSnfXNjCpW8eeigSd66FMdaXfWCmwLP/u3Cmino/x5SQQuo1f1RbbHuRQ3iztT/+LIJdqIjCf5rlTKhWx4Goo+weWpNlikHB6A8A1JWbY7yq/sMCiLjO4yYQ606BzwOGY+D0Wsq6lIoadL8USQJU2WKIjHOoAqPdV4HpCk3VxI/KanjyUivXKHq6eVH4yc0m97w9B/5M2UGET5nF2hx5SsoWkd4V3rALGsD3iUwfqxgOaZv62qwldEjFCsBamQfaQGNCJFYdJkmpNTlO46ywV4IC1wFbv7xqPIL33HFK5Q2TepsvdMK3ZRpWQ==', # lint:ignore:140chars
  }

+  ::users::liu_user { 'vikol94':
+    commonname => 'Viktor Olsson',
+    shell      => '/bin/bash',
+    sshkey     => 'AAAAB3NzaC1yc2EAAAABIwAAAQEA0GeKSAjEV2RxxybyX6OYJ7ZcKS1g1lkv7XLsnEL9etQtNyKTS399XmYrBlBHZf7BTuZFzcwatDJ7YFdvFo0nCtU2P0HsS/Jgfy3Lv7/cXZFH+J52kw/3vOkMh9aEVLjfPGL6GNzICOtq0mpOXaxKR6zYBYaKH7JXU+oJnFUwW07iwopeW/eAwnxWDHIISGF9qcNkvmGcRod2EtnEbThz912prTFE6iZDtr/6QxcuJh5GxuhXgrebjHaVAS15kAJYoko+j2waPtSpT5+/SXb6S0/jA1M3GkF1dxLrwUE99pdwsPVff4D4uzIvFQaOx4jmLuxMDerbMgitEs9djGimFQ==', # lint:ignore:140chars
+  }
+
+  ::users::liu_user { 'magni54':
+    commonname => 'Magnus Nielsen',
+    shell      => '/bin/bash',
+    sshkey     => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAvWbp0OXIj3hIHpv6J88TCEXq/Ne46VcM8XAC+A4bDIuL2rOtMjTy5OmcAQwMPmyOh2x9xla5gCsEeNNPIKp2ujzsHqjlwl+0QD1teEOF/dnm2M0bTLOEUZhysyGRtn09o+hInAlswlq+3AVIeUo5A9xK7B+VX5Ap9RA4CNaR3/nuMLrNLP/xVyLEGazIXmh0O/pGhQV6KorJlyNYMtHCakLRzKWyP63Bs7uAGsotBntxyueKXa/RqAkMCnrlPT+z3UfxTmT0cjBCuvVdiEEhQ6MfIMzXaoqRBmbq42EpmSVZrXyTcR6s6Cz5/jSxSi17GcbH9twhRSXm+XfYFIhv9w==', # lint:ignore:140chars
+  }
+
+  ::users::liu_user { 'torjo38':
+    commonname => 'Torbjörn Jonsson',
+    shell      => '/bin/bash',
+    sshkey     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDbYFQ5iuox4ZxjleyIR4Pebp045xV1AhcaGXLNsBAMEk08d5ExPVXdoTsNcV9aGDH3mMnhihe4d3bY8xh919n5f500VY6TI1BQKDYUq5HXxbgfl6AG96WntcRc8OIKo31hjMc4o+GPawgvpit7cWs4tWBAxoenJcB43m99AaVH6xd8e6DYC6os6Zv69hu+hD/01aFzJEnANAAsDRqr5b+LUy/qKeRWzT1zGSzWUOeJBHS9rGXHIPmgoOs7FMCtT3w/lzoehxDNCsOUG8aBBb4jH7zDB59fYE3bp55lxjx176AraFHv/H/hcB6EGkqyOyMppHi2B0uPRxlTFOtNVSHptqKINh9NMYAniv+ZUGylJZMSWSQkRSI7U65EvfOaLFTHB/+IBfWAaXjcA0fNcm3lG0tCRXg3rbpumQ2ikq23FpFzNHG+T+383pJjeOjvZB26ij5C+vZ+jEJyXyL528OjO8sOmHEeR6lyc2UjAeHbf7//+gv/bo7wDTSMZVySLKXVwxY+eCEAwh8aVQHCmwx/qWmfE9FuKYZ6AZfdCPpCSQOZY97aQTMMAcSgLV2sYrMim9QpylkH0h4RLhBo76w+83Cg1uprv1ypag0RXIOu+BV0gOHAa3DxhCgWtf9JR3B4YDAq8GaYuVRq9Q6c9+iPo+EmQEdbU+7X4Loj34auOw==', # lint:ignore:140chars
+  }
+
  ::server_firewall::rules_file { '45-permit_squid.rules':
    content => @(EOF),
    service squid is tcp/3128
+    service sclogin is tcp/23431
+    service aesms is tcp/23816
+
    policy chain INPUT is
      accept service:squid from class:liu-nets
+      accept service:sclogin from class:liu-nets
+      accept service:aesms from class:liu-nets
    end policy
    |-EOF
  }
+
 }
--- a/manifests/squid_filter.pp
+++ b/manifests/squid_filter.pp
+class aes::squid_filter {
+
+  package { "squid" :
+    ensure => "present",
+  }
+
+  file { '/etc/squid/squid.conf':
+    ensure => file,
+    mode   => '0644',
+    owner  => root,
+    group  => root,
+    content => file("${module_name}/squid/squid.conf"),
+  }
+  
+  file { '/usr/libexec/squid/helpers':
+    ensure => directory,
+    recurse => true,
+    purge => true,
+    force => true,
+    owner  => squid,
+    group  => squid,
+    mode => '0644',
+    source => "puppet:///modules/${module_name}/squid/helpers",
+  }
+
+  file { '/usr/libexec/squid/helpers/squid-url-rewrite.py':
+    ensure => file,
+    owner  => squid,
+    group  => squid,
+    mode => '0755',
+    source => "puppet:///modules/${module_name}/squid/helpers/squid-url-rewrite.py",
+  }
+
+  file { '/var/cache/squid' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => squid,
+    group  => squid,
+  }
+
+  file { '/var/log/squid' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => squid,
+    group  => squid,
+  }
+
+  file { '/var/lib/ssl_db' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => squid,
+    group  => squid,
+  }
+
+  exec { '/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db' : 
+    user => "squid",
+    group => "squid",
+    creates => '/var/lib/ssl_db/certs',
+  }
+
+  service { "squid" : 
+    ensure => "running",
+  }
+
+}