diff --git a/README.md b/README.md index a994ddb..4a9ef50 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,63 @@ # gsb2023 +Environnement et playbooks ansible pour le projet GSB 2023 + +## Quickstart +prérequis : une machine Debian Bullseye + + +## Les machines + * s-adm + * s-infra + * r-int + * r-ext + * s-proxy + + +## Les playbooks + + +## Installation + +On utilisera l'image de machine virtuelle suivante : + * **debian-bullseye-2023a.ova** (2022-05-07) + * Debian Bullseye 11 - 2 cartes - 1 Go - stockage 20 Go + + +### Machine s-adm + * créer la machine virtuelle **s-adm** en important l'image ova décrite plus haut + * renommer la machine puis redémarrer + * taper : +```shell + mkdir -p tools/ansible ; cd tools/ansible + git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git + cd gsb2023/pre + bash inst-depl + cd /var/www/html/gsbstore + bash getall + cd /root/tools/ansible/gsb022/pre + bash gsbboot + cd .. ; bash pull-config +``` + - redémarrer + +### Pour chaque machine + + - importer la machine à partir du fichier **.ova** + - définir les cartes réseau en accord avec le plan d'adressage et le schéma + - donner le nom adapté (avec sed -i …) + - redémarrer + - mettre à jour les paquets : apt update && apt upgrade + - cloner le dépot : +```shell +mkdir -p tools/ansible ; cd tools/ansible +git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git +cd gsb2023/pre +export DEPL=192.168.99.99 +bash gsbboot +cd ../.. +bash pull-config +``` + - **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration + + diff --git a/agoss b/agoss new file mode 100755 index 0000000..83988e1 --- /dev/null +++ b/agoss @@ -0,0 +1,11 @@ +#!/bin/bash +HOST=$(hostname) +FHOST=$(pwd)/goss/$HOST +if [ -r "$FHOST".yaml ] ; then + #goss -gossfile "$FHOST".yaml v --no-color + goss -gossfile "$FHOST".yaml v "$@" +else + echo $0 : erreur lecture fichier "$FHOST".yaml + exit 1 +fi + diff --git a/changelog b/changelog new file mode 100644 index 0000000..6bf1759 --- /dev/null +++ b/changelog @@ -0,0 +1,7 @@ +v5.0.2.j : 2019-01-25 -kb + ejout role s-nas-cliet et s-nas-server +v5.0.1 : 2019-01-24 - ps + reorganisation : anciens playbooks et roles deplaces dans repertoire old +v3.2.0 : 2017-11-16 - ps + ajout changelog + diff --git a/confwireguard/r-ext/r-ext.ip b/confwireguard/r-ext/r-ext.ip new file mode 100644 index 0000000..82ed3a5 --- /dev/null +++ b/confwireguard/r-ext/r-ext.ip @@ -0,0 +1,36 @@ +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:03:d3:28 brd ff:ff:ff:ff:ff:ff + inet 192.168.99.13/24 brd 192.168.99.255 scope global enp0s3 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe03:d328/64 scope link + valid_lft forever preferred_lft forever +3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:63:40:ea brd ff:ff:ff:ff:ff:ff + inet 192.168.100.254/24 brd 192.168.100.255 scope global enp0s8 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe63:40ea/64 scope link + valid_lft forever preferred_lft forever +4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:4f:29:27 brd ff:ff:ff:ff:ff:ff + inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic enp0s9 + valid_lft 77233sec preferred_lft 77233sec + inet6 fe80::a00:27ff:fe4f:2927/64 scope link + valid_lft forever preferred_lft forever +5: enp0s10: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:9d:16:f8 brd ff:ff:ff:ff:ff:ff + inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s10 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe9d:16f8/64 scope link + valid_lft forever preferred_lft forever +6: enp0s16: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:07:c1:0f brd ff:ff:ff:ff:ff:ff + inet 192.168.200.253/24 brd 192.168.200.255 scope global enp0s16 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe07:c10f/64 scope link + valid_lft forever preferred_lft forever diff --git a/confwireguard/r-ext/r-ext.routes b/confwireguard/r-ext/r-ext.routes new file mode 100644 index 0000000..b9b7d78 --- /dev/null +++ b/confwireguard/r-ext/r-ext.routes @@ -0,0 +1,9 @@ +default via 192.168.0.1 dev enp0s9 +169.254.0.0/16 dev enp0s3 scope link metric 1000 +172.16.0.0/24 via 192.168.200.254 dev enp0s16 +172.16.128.0/24 via 192.168.1.2 dev enp0s10 +192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.20 +192.168.1.0/24 dev enp0s10 proto kernel scope link src 192.168.1.1 +192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.13 +192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.254 +192.168.200.0/24 dev enp0s16 proto kernel scope link src 192.168.200.253 diff --git a/confwireguard/r-int/r-int.ip b/confwireguard/r-int/r-int.ip new file mode 100644 index 0000000..737fbc5 --- /dev/null +++ b/confwireguard/r-int/r-int.ip @@ -0,0 +1,36 @@ +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:c9:4e:0b brd ff:ff:ff:ff:ff:ff + inet 192.168.99.12/24 brd 192.168.99.255 scope global enp0s3 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fec9:4e0b/64 scope link + valid_lft forever preferred_lft forever +3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:34:ef:8f brd ff:ff:ff:ff:ff:ff + inet 192.168.200.254/24 brd 192.168.200.255 scope global enp0s8 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe34:ef8f/64 scope link + valid_lft forever preferred_lft forever +4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:56:72:01 brd ff:ff:ff:ff:ff:ff + inet 172.16.65.254/24 brd 172.16.65.255 scope global enp0s9 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe56:7201/64 scope link + valid_lft forever preferred_lft forever +5: enp0s10: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:7c:d7:5b brd ff:ff:ff:ff:ff:ff + inet 172.16.64.254/24 brd 172.16.64.255 scope global enp0s10 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fe7c:d75b/64 scope link + valid_lft forever preferred_lft forever +6: enp0s16: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:e6:59:3d brd ff:ff:ff:ff:ff:ff + inet 172.16.0.254/24 brd 172.16.0.255 scope global enp0s16 + valid_lft forever preferred_lft forever + inet6 fe80::a00:27ff:fee6:593d/64 scope link + valid_lft forever preferred_lft forever diff --git a/confwireguard/r-int/r-int.routes b/confwireguard/r-int/r-int.routes new file mode 100644 index 0000000..720ce08 --- /dev/null +++ b/confwireguard/r-int/r-int.routes @@ -0,0 +1,7 @@ +default via 192.168.200.253 dev enp0s8 onlink +169.254.0.0/16 dev enp0s9 scope link metric 1000 +172.16.0.0/24 dev enp0s16 proto kernel scope link src 172.16.0.254 +172.16.64.0/24 dev enp0s10 proto kernel scope link src 172.16.64.254 +172.16.65.0/24 dev enp0s9 proto kernel scope link src 172.16.65.254 +192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.12 +192.168.200.0/24 dev enp0s8 proto kernel scope link src 192.168.200.254 diff --git a/confwireguard/r-vp1/r-vp1.ip b/confwireguard/r-vp1/r-vp1.ip new file mode 100644 index 0000000..1e76fe4 --- /dev/null +++ b/confwireguard/r-vp1/r-vp1.ip @@ -0,0 +1,20 @@ +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever +2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:53:62:8c brd ff:ff:ff:ff:ff:ff + inet 192.168.99.112/24 brd 192.168.99.255 scope global enp0s3 + valid_lft forever preferred_lft forever +3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:b0:5e:11 brd ff:ff:ff:ff:ff:ff + inet 192.168.1.2/24 brd 192.168.1.255 scope global enp0s8 + valid_lft forever preferred_lft forever +4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:28:10:4c brd ff:ff:ff:ff:ff:ff + inet 192.168.0.51/24 brd 192.168.0.255 scope global enp0s9 + valid_lft forever preferred_lft forever +12: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 + link/none + inet 10.0.0.1/32 scope global wg0 + valid_lft forever preferred_lft forever diff --git a/confwireguard/r-vp1/r-vp1.routes b/confwireguard/r-vp1/r-vp1.routes new file mode 100644 index 0000000..dc7cff3 --- /dev/null +++ b/confwireguard/r-vp1/r-vp1.routes @@ -0,0 +1,8 @@ +10.0.0.2 dev wg0 scope link +169.254.0.0/16 dev enp0s3 scope link metric 1000 +172.16.0.0/24 via 192.168.1.1 dev enp0s8 +172.16.128.0/24 dev wg0 scope link +192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.51 +192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.2 +192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.112 +192.168.200.0/24 via 192.168.1.1 dev enp0s8 diff --git a/confwireguard/r-vp2/r-vp2.ip b/confwireguard/r-vp2/r-vp2.ip new file mode 100644 index 0000000..90ee303 --- /dev/null +++ b/confwireguard/r-vp2/r-vp2.ip @@ -0,0 +1,18 @@ +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever +2: enp0s3: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 + link/ether 08:00:27:46:2b:0a brd ff:ff:ff:ff:ff:ff +3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:99:b7:7f brd ff:ff:ff:ff:ff:ff + inet 172.16.128.254/24 brd 172.16.128.255 scope global enp0s8 + valid_lft forever preferred_lft forever +4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:34:71:77 brd ff:ff:ff:ff:ff:ff + inet 192.168.0.52/24 brd 192.168.0.255 scope global enp0s9 + valid_lft forever preferred_lft forever +7: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 + link/none + inet 10.0.0.2/32 scope global wg0 + valid_lft forever preferred_lft forever diff --git a/confwireguard/r-vp2/r-vp2.routes b/confwireguard/r-vp2/r-vp2.routes new file mode 100644 index 0000000..80afa3f --- /dev/null +++ b/confwireguard/r-vp2/r-vp2.routes @@ -0,0 +1,7 @@ +10.0.0.1 dev wg0 scope link +169.254.0.0/16 dev enp0s9 scope link metric 1000 +172.16.0.0/24 dev wg0 scope link +172.16.128.0/24 dev enp0s8 proto kernel scope link src 172.16.128.254 +192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.52 +192.168.1.0/24 dev wg0 scope link +192.168.200.0/24 dev wg0 scope link diff --git a/confwireguard/s-infra/s-infra.ip b/confwireguard/s-infra/s-infra.ip new file mode 100644 index 0000000..4e7304a --- /dev/null +++ b/confwireguard/s-infra/s-infra.ip @@ -0,0 +1,12 @@ +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever +2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:4a:25:54 brd ff:ff:ff:ff:ff:ff + inet 192.168.99.1/24 brd 192.168.99.255 scope global enp0s3 + valid_lft forever preferred_lft forever +3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 08:00:27:ee:b4:01 brd ff:ff:ff:ff:ff:ff + inet 172.16.0.1/24 brd 172.16.0.255 scope global enp0s8 + valid_lft forever preferred_lft forever diff --git a/confwireguard/s-infra/s-infra.routes b/confwireguard/s-infra/s-infra.routes new file mode 100644 index 0000000..eccc16d --- /dev/null +++ b/confwireguard/s-infra/s-infra.routes @@ -0,0 +1,7 @@ +default via 192.168.99.99 dev enp0s3 onlink +169.254.0.0/16 dev enp0s3 scope link metric 1000 +172.16.0.0/24 dev enp0s8 proto kernel scope link src 172.16.0.1 +172.16.64.0/24 via 172.16.0.254 dev enp0s8 +172.16.128.0/24 via 172.16.0.254 dev enp0s8 +192.168.0.0/16 via 172.16.0.254 dev enp0s8 +192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.1 diff --git a/doc/Docker-openvas.txt b/doc/Docker-openvas.txt new file mode 100644 index 0000000..92d4638 --- /dev/null +++ b/doc/Docker-openvas.txt @@ -0,0 +1,38 @@ +Fichier de documentation fait par Adnan Baljic, le 31/01/2019 + +Configuration machine: +Système: Carte Mère: Mémoire Vive: 2048 +Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go +Réseau 1: n-adm +Réseau 2: n-infra +USB: Décocher "Activer le contrôleur USB" + +Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb: +-fdisk /dev/sdb +-o +-n +-p +-1 +-w + +La configuration de docker se fait automatiquement via le playbook s-docker.yml +De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en +commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit. + +Manipulation à faire pour la mise en place d'Openvas via Docker: +Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que +les interfaces...) et exécuter la commande ci-dessous: +docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas + +Manipulation à faire pour la mise en place d'Openvas via Docker: +Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que +les interfaces...) et exécuter la commande ci-dessous: +docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail + +Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer. +L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443. + +Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook. + +Les tests effectués: +Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK \ No newline at end of file diff --git a/doc/icinga.txt b/doc/icinga.txt new file mode 100644 index 0000000..a9457f7 --- /dev/null +++ b/doc/icinga.txt @@ -0,0 +1,3 @@ +Roles fait par Adnan Baljic, le 17/01/2019 +Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg) +et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg) \ No newline at end of file diff --git a/doc/pics/e4-SAN-V2.dia b/doc/pics/e4-SAN-V2.dia new file mode 100644 index 0000000..b163443 Binary files /dev/null and b/doc/pics/e4-SAN-V2.dia differ diff --git a/doc/pics/e4-adm.dia b/doc/pics/e4-adm.dia new file mode 100644 index 0000000..198cfe5 Binary files /dev/null and b/doc/pics/e4-adm.dia differ diff --git a/doc/pics/e4-adm.png b/doc/pics/e4-adm.png new file mode 100644 index 0000000..a7937af Binary files /dev/null and b/doc/pics/e4-adm.png differ diff --git a/doc/pics/e4-agence.dia b/doc/pics/e4-agence.dia new file mode 100644 index 0000000..1513680 Binary files /dev/null and b/doc/pics/e4-agence.dia differ diff --git a/doc/pics/e4-agence.png b/doc/pics/e4-agence.png new file mode 100644 index 0000000..9f8b6a1 Binary files /dev/null and b/doc/pics/e4-agence.png differ diff --git a/doc/pics/e4-dmz-ab.png b/doc/pics/e4-dmz-ab.png new file mode 100644 index 0000000..cd5a539 Binary files /dev/null and b/doc/pics/e4-dmz-ab.png differ diff --git a/doc/pics/e4-dmz-ha.dia b/doc/pics/e4-dmz-ha.dia new file mode 100644 index 0000000..35dcb4a Binary files /dev/null and b/doc/pics/e4-dmz-ha.dia differ diff --git a/doc/pics/e4-dmz-ha.png b/doc/pics/e4-dmz-ha.png new file mode 100644 index 0000000..ce3d64d Binary files /dev/null and b/doc/pics/e4-dmz-ha.png differ diff --git a/doc/pics/e4-dmz-old.png b/doc/pics/e4-dmz-old.png new file mode 100644 index 0000000..d9a8940 Binary files /dev/null and b/doc/pics/e4-dmz-old.png differ diff --git a/doc/pics/e4-dmz-tl.dia b/doc/pics/e4-dmz-tl.dia new file mode 100644 index 0000000..99f5627 Binary files /dev/null and b/doc/pics/e4-dmz-tl.dia differ diff --git a/doc/pics/e4-dmz-tl.png b/doc/pics/e4-dmz-tl.png new file mode 100644 index 0000000..0c2d9a2 Binary files /dev/null and b/doc/pics/e4-dmz-tl.png differ diff --git a/doc/pics/e4-dmz.dia b/doc/pics/e4-dmz.dia new file mode 100644 index 0000000..480f6dd Binary files /dev/null and b/doc/pics/e4-dmz.dia differ diff --git a/doc/pics/e4-dmz.png b/doc/pics/e4-dmz.png new file mode 100644 index 0000000..80f542c Binary files /dev/null and b/doc/pics/e4-dmz.png differ diff --git a/doc/pics/e4-v2.3.dia b/doc/pics/e4-v2.3.dia new file mode 100644 index 0000000..1850c57 Binary files /dev/null and b/doc/pics/e4-v2.3.dia differ diff --git a/doc/pics/e4-v2.3.png b/doc/pics/e4-v2.3.png new file mode 100644 index 0000000..5bec9ce Binary files /dev/null and b/doc/pics/e4-v2.3.png differ diff --git a/doc/pics/e4-v2.3x.dia b/doc/pics/e4-v2.3x.dia new file mode 100644 index 0000000..fe64d5c Binary files /dev/null and b/doc/pics/e4-v2.3x.dia differ diff --git a/doc/pics/e4-v2.dia b/doc/pics/e4-v2.dia new file mode 100644 index 0000000..8dc3c40 Binary files /dev/null and b/doc/pics/e4-v2.dia differ diff --git a/doc/pics/e4-vpn-infra-v1.2.dia b/doc/pics/e4-vpn-infra-v1.2.dia new file mode 100644 index 0000000..7c7c70c Binary files /dev/null and b/doc/pics/e4-vpn-infra-v1.2.dia differ diff --git a/doc/pics/e4-vpn-infra-v1.2.png b/doc/pics/e4-vpn-infra-v1.2.png new file mode 100644 index 0000000..db97574 Binary files /dev/null and b/doc/pics/e4-vpn-infra-v1.2.png differ diff --git a/doc/pics/e4-vpn-infra.dia b/doc/pics/e4-vpn-infra.dia new file mode 100644 index 0000000..a61f87f Binary files /dev/null and b/doc/pics/e4-vpn-infra.dia differ diff --git a/doc/pics/e4.dia b/doc/pics/e4.dia new file mode 100644 index 0000000..8dc3c40 Binary files /dev/null and b/doc/pics/e4.dia differ diff --git a/doc/pics/e4.png b/doc/pics/e4.png new file mode 100644 index 0000000..64603db Binary files /dev/null and b/doc/pics/e4.png differ diff --git a/doc/r-vp.txt b/doc/r-vp.txt new file mode 100644 index 0000000..bf1c939 --- /dev/null +++ b/doc/r-vp.txt @@ -0,0 +1,23 @@ +Fichier de documentation fait par Adnan Baljic, le 24/01/2019 + +Manipulation à faire pour la mise en place de r-vp1 et r-vp2: +Après exécution de gsbboot et du pull-config, il faudra désactiver l'interface +de n-adm pour éviter une boucle. Pour cela, il suffit de faire "ifdown enp0sx" + +Pour ce qui est des tests pour vérifier que l'agence passe bien par le tunnel +chiffré, vous pouvez stopper le service ipsec ou strongswan ("service +strongswan stop" ou "service ipsec stop", cela revient à faire la même chose) + +Important: sur r-vp2, si la route par défaut est celui de s-adm, veuillez +supprimer cette route en faisant "route del default" sinon l'agence ne passera +pas par le tunnel chiffré mais vers s-adm +cf. Schéma GSB/E4 - VPN/Infra - Version 1.2 - 2019-01-23 + +La mise en place de strongswan via les certificats se fait via le playbook +r-vpx-x509.yml. La manipulation ci-dessus n'est pas à faire pour les vpn avec +certificat si r-vp2-x509 et r-vp1-x509 n'ont pas de route par défaut. Si ils ont +une route par défaut, veuillez effectuer la même manipulation que pour r-vp2. +Il faudra tout de même désactiver l'interface de n-adm sur les 2 r-vpx-x509. + +Les tests effectués: +Jeudi 24 janvier 2019, 14:45 par Adnan Baljic= TEST OK \ No newline at end of file diff --git a/doc/s-fog.txt b/doc/s-fog.txt new file mode 100644 index 0000000..a4eff88 --- /dev/null +++ b/doc/s-fog.txt @@ -0,0 +1,11 @@ +fichier de documentation réalier par Olivier Soares et Gaetan Maillard, le 25/01/2019 + +Pour mettre en oeuvre le serveur fog, il faut déployer une machine virtuel debian (une ova), de la mettre à jour, de la renommer (s-fog), puis de récupérer gsbboot et faire un bash pull-config. + +Après avoir avoir fait l'installation de base, il suffit d'éxécuter le playbook "s-fog.yml" avec la commande ansible-playbooks -i hosts s-fog.yml". Ce playbook va récupérer le fichier d'installation de fog, le décompacter et configurer les différentes cartes réseaux de s-fog sachant qu'il y en a trois: + +L'interface enp0s3 permet d'avoir accès internet via le réseau "n-adm" +L'interface enp0s8 permet de communiquer avec le réseau "n-infra" +L'interface enp0s9 permet d'avoir accès et deployer des postes sur le réseau "n-user" + +Maintenant le serveur fog est prêt à être installer, avant de commencer l'installation il faut tout d'abord vérifier que l'accès à tous les réseaux soit correcte. Pour ça il suffit d'éxécuter le fichier de test goss diff --git a/goss/r-ext.yaml b/goss/r-ext.yaml new file mode 100644 index 0000000..3bacf0c --- /dev/null +++ b/goss/r-ext.yaml @@ -0,0 +1,42 @@ +command: + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 + ping -c 4 172.16.0.1: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 4 172.16.0.254: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 4 192.168.200.254: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.13/24 + enp0s8: + exists: true + addrs: + - 192.168.100.254/24 + enp0s9: + exists: true + addrs: + - 192.168.0.38/24 + enp0s16: + exists: true + addrs: + - 192.168.200.253/24 diff --git a/goss/r-int.yaml b/goss/r-int.yaml new file mode 100644 index 0000000..7726a62 --- /dev/null +++ b/goss/r-int.yaml @@ -0,0 +1,35 @@ +package: + isc-dhcp-server: + installed: true +service: + isc-dhcp-server: + enabled: true + running: true +command: + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.12/24 + enp0s8: + exists: true + addrs: + - 192.168.200.254/24 + enp0s9: + exists: true + addrs: + - 172.16.65.254/24 + enp0s10: + exists: true + addrs: + - 172.16.64.254/24 + enp0s16: + exists: true + addrs: + - 172.16.0.254/24 diff --git a/goss/r-vp1-cs.yaml b/goss/r-vp1-cs.yaml new file mode 100644 index 0000000..916495d --- /dev/null +++ b/goss/r-vp1-cs.yaml @@ -0,0 +1,106 @@ +file: + /etc/ipsec.d/cacerts/strongswanCert.pem: + exists: true + mode: "0644" + size: 1834 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp1Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp2Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp1Key.pem: + exists: true + mode: "0600" + size: 1675 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp2Key.pem: + exists: true + mode: "0600" + size: 1679 + owner: root + group: root + filetype: file + contains: [] +package: + strongswan: + installed: true + versions: + - 5.2.1-6+deb8u2 +service: + strongswan: + enabled: true + running: true +user: + strongswan: + exists: true + uid: 112 + gid: 65534 + groups: + - nogroup + home: /var/lib/strongswan + shell: /usr/sbin/nologin +command: + Associations: + exit-status: 127 + stdout: [] + stderr: + - 'sh: 1: Associations: not found' + timeout: 10000 + ip r|grep default: + exit-status: 0 + stdout: + - default via 192.168.1.1 dev enp0s9 + stderr: [] + timeout: 10000 + ipsec listcacerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=Root CA"' + stderr: [] + timeout: 10000 + ipsec listcerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=r-vp1"' + - 'subject: "C=CH, O=GSB, CN=r-vp2"' + stderr: [] + timeout: 10000 + ipsec statusall|grep Security: + exit-status: 0 + stdout: + - 'Security Associations (1 up, 0 connecting):' + stderr: [] + timeout: 10000 + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +interface: + enp0s8: + exists: true + addrs: + - 192.168.0.51/24 + enp0s9: + exists: true + addrs: + - 192.168.1.2/24 diff --git a/goss/r-vp1-old.yaml b/goss/r-vp1-old.yaml new file mode 100644 index 0000000..916495d --- /dev/null +++ b/goss/r-vp1-old.yaml @@ -0,0 +1,106 @@ +file: + /etc/ipsec.d/cacerts/strongswanCert.pem: + exists: true + mode: "0644" + size: 1834 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp1Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp2Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp1Key.pem: + exists: true + mode: "0600" + size: 1675 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp2Key.pem: + exists: true + mode: "0600" + size: 1679 + owner: root + group: root + filetype: file + contains: [] +package: + strongswan: + installed: true + versions: + - 5.2.1-6+deb8u2 +service: + strongswan: + enabled: true + running: true +user: + strongswan: + exists: true + uid: 112 + gid: 65534 + groups: + - nogroup + home: /var/lib/strongswan + shell: /usr/sbin/nologin +command: + Associations: + exit-status: 127 + stdout: [] + stderr: + - 'sh: 1: Associations: not found' + timeout: 10000 + ip r|grep default: + exit-status: 0 + stdout: + - default via 192.168.1.1 dev enp0s9 + stderr: [] + timeout: 10000 + ipsec listcacerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=Root CA"' + stderr: [] + timeout: 10000 + ipsec listcerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=r-vp1"' + - 'subject: "C=CH, O=GSB, CN=r-vp2"' + stderr: [] + timeout: 10000 + ipsec statusall|grep Security: + exit-status: 0 + stdout: + - 'Security Associations (1 up, 0 connecting):' + stderr: [] + timeout: 10000 + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +interface: + enp0s8: + exists: true + addrs: + - 192.168.0.51/24 + enp0s9: + exists: true + addrs: + - 192.168.1.2/24 diff --git a/goss/r-vp1.yaml b/goss/r-vp1.yaml new file mode 100644 index 0000000..08f1581 --- /dev/null +++ b/goss/r-vp1.yaml @@ -0,0 +1,67 @@ +package: +# ferm: +# installed: true + strongswan: + installed: true +port: + udp:68: + listening: true +service: +# dnsmasq: +# enabled: true +# running: true + strongswan: + enabled: true + running: true + ssh: + enabled: true + running: true +command: + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +command: + ping -c 4 192.168.0.52: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 +command: + ping -c 4 192.168.1.1: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 +command: + ping -c 4 192.168.200.254: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 +command: + ping -c 4 172.16.0.1: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 +#process: +# dnsmasq: +# running: true +# squid: +# running: true +interface: + enp0s8: + exists: true + addrs: + - 192.168.0.51/24 + enp0s9: + exists: true + addrs: + - 192.168.1.2/24 \ No newline at end of file diff --git a/goss/r-vp2-cs.yaml b/goss/r-vp2-cs.yaml new file mode 100644 index 0000000..40cd178 --- /dev/null +++ b/goss/r-vp2-cs.yaml @@ -0,0 +1,105 @@ +file: + /etc/ipsec.d/cacerts/strongswanCert.pem: + exists: true + mode: "0644" + size: 1834 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp1Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp2Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp1Key.pem: + exists: true + mode: "0600" + size: 1675 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp2Key.pem: + exists: true + mode: "0600" + size: 1679 + owner: root + group: root + filetype: file + contains: [] +package: + strongswan: + installed: true + versions: + - 5.2.1-6+deb8u2 +service: + strongswan: + enabled: true + running: true +user: + strongswan: + exists: true + gid: 65534 + groups: + - nogroup + home: /var/lib/strongswan + shell: /usr/sbin/nologin +command: + Associations: + exit-status: 127 + stdout: [] + stderr: + - 'sh: 1: Associations: not found' + timeout: 10000 + ip r|grep default: + exit-status: 0 + stdout: + - default via 192.168.99.99 dev enp0s3 + stderr: [] + timeout: 10000 + ipsec listcacerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=Root CA"' + stderr: [] + timeout: 10000 + ipsec listcerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=r-vp2"' + - 'subject: "C=CH, O=GSB, CN=r-vp1"' + stderr: [] + timeout: 10000 + ipsec statusall|grep Security: + exit-status: 0 + stdout: + - 'Security Associations (1 up, 0 connecting):' + stderr: [] + timeout: 10000 + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +interface: + enp0s8: + exists: true + addrs: + - 172.16.128.254/24 + enp0s9: + exists: true + addrs: + - 192.168.0.52/24 diff --git a/goss/r-vp2-old.yaml b/goss/r-vp2-old.yaml new file mode 100644 index 0000000..40cd178 --- /dev/null +++ b/goss/r-vp2-old.yaml @@ -0,0 +1,105 @@ +file: + /etc/ipsec.d/cacerts/strongswanCert.pem: + exists: true + mode: "0644" + size: 1834 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp1Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/certs/r-vp2Cert.pem: + exists: true + mode: "0644" + size: 1509 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp1Key.pem: + exists: true + mode: "0600" + size: 1675 + owner: root + group: root + filetype: file + contains: [] + /etc/ipsec.d/private/r-vp2Key.pem: + exists: true + mode: "0600" + size: 1679 + owner: root + group: root + filetype: file + contains: [] +package: + strongswan: + installed: true + versions: + - 5.2.1-6+deb8u2 +service: + strongswan: + enabled: true + running: true +user: + strongswan: + exists: true + gid: 65534 + groups: + - nogroup + home: /var/lib/strongswan + shell: /usr/sbin/nologin +command: + Associations: + exit-status: 127 + stdout: [] + stderr: + - 'sh: 1: Associations: not found' + timeout: 10000 + ip r|grep default: + exit-status: 0 + stdout: + - default via 192.168.99.99 dev enp0s3 + stderr: [] + timeout: 10000 + ipsec listcacerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=Root CA"' + stderr: [] + timeout: 10000 + ipsec listcerts|grep subject: + exit-status: 0 + stdout: + - 'subject: "C=CH, O=GSB, CN=r-vp2"' + - 'subject: "C=CH, O=GSB, CN=r-vp1"' + stderr: [] + timeout: 10000 + ipsec statusall|grep Security: + exit-status: 0 + stdout: + - 'Security Associations (1 up, 0 connecting):' + stderr: [] + timeout: 10000 + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +interface: + enp0s8: + exists: true + addrs: + - 172.16.128.254/24 + enp0s9: + exists: true + addrs: + - 192.168.0.52/24 diff --git a/goss/r-vp2goss.yaml b/goss/r-vp2goss.yaml new file mode 100644 index 0000000..0035b48 --- /dev/null +++ b/goss/r-vp2goss.yaml @@ -0,0 +1,67 @@ +package: + ferm: + installed: true + ipsec: + installed: true +port: + tcp:53: + listening: true + udp:67: + listening: true + udp:68: + listening: true +service: + dnsmasq: + enabled: true + running: true + ferm: + enabled: true + running: true + ssh: + enabled: true + running: true +command: + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 + sysctl ping -c 4 192.168.0.51: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 + sysctl ping -c 4 192.168.1.1: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 + sysctl ping -c 4 192.168.200.254: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 + sysctl ping -c 4 172.16.0.1: + exit-status: 0 + stdout: + - 4 received = 1 + stderr: [] + timeout: 10000 +process: + dnsmasq: + running: true + squid3: + running: true +interface: + enp0s8: + exists: true + addrs: + - 172.16.128.254/24 + enp0s9: + exists: true + addrs: + - 192.168.0.52/24 \ No newline at end of file diff --git a/goss/s-adm.yaml b/goss/s-adm.yaml new file mode 100644 index 0000000..a675b76 --- /dev/null +++ b/goss/s-adm.yaml @@ -0,0 +1,80 @@ +package: + dnsmasq: + installed: true + squid: + installed: true +addr: + tcp://depl.sio.lan:80: + reachable: true + timeout: 500 +port: + tcp:53: + listening: true + ip: + - 0.0.0.0 + tcp6:53: + listening: true + ip: + - '::' + tcp6:8080: + listening: true + ip: + - '::' + udp:53: + listening: true + ip: + - 0.0.0.0 + udp:67: + listening: true + ip: + - 0.0.0.0 + udp6:53: + listening: true + ip: + - '::' +service: + dnsmasq: + enabled: true + running: true + squid: + enabled: true + running: true + ssh: + enabled: true + running: true +user: + dnsmasq: + exists: true + uid: 109 + gid: 65534 + groups: + - nogroup + home: /var/lib/misc + shell: /usr/sbin/nologin +group: + ssh: + exists: true + gid: 111 +command: + /sbin/sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 1 + stderr: [] + timeout: 10000 +dns: + depl.sio.lan: + resolveable: true + addrs: + - 10.121.38.10 + timeout: 500 +process: + dnsmasq: + running: true + squid: + running: true +interface: + enp0s8: + exists: true + addrs: + - 192.168.99.99/24 diff --git a/goss/s-agence.yaml b/goss/s-agence.yaml new file mode 100644 index 0000000..5ed9d25 --- /dev/null +++ b/goss/s-agence.yaml @@ -0,0 +1,39 @@ +command: + ip r: + exit-status: 0 + stdout: + - default via 172.16.128.254 dev enp0s8 + - 172.16.128.0/24 + - 192.168.99.0/24 + stderr: [] + timeout: 10000 + ping -c 2 172.16.128.254: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 2 192.168.1.2: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 2 192.168.1.1: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 2 192.168.200.254: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 2 172.16.0.1: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 diff --git a/goss/s-appli.yaml b/goss/s-appli.yaml new file mode 100644 index 0000000..350ac9a --- /dev/null +++ b/goss/s-appli.yaml @@ -0,0 +1,35 @@ +service: + mariadb: + enabled: true + running: true + + apache2: + enabled: true + running: true + +file: + /var/www/html/wordpress: + exists: true + owner: www-data + group: www-data + filetype: directory + + /var/www/html/wordpress-5.8.2-fr_FR.tar.gz: + exists: true + + /var/www/html/wordpress/wp-config-sample.php: + exists: true + + /etc/apache2/sites-enabled/000-default.conf: + exists: true + +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.3/24 + + enp0s8: + exists: true + addrs: + - 172.16.0.3/24 diff --git a/goss/s-fog.yaml b/goss/s-fog.yaml new file mode 100644 index 0000000..4929081 --- /dev/null +++ b/goss/s-fog.yaml @@ -0,0 +1,28 @@ +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.16/24 +interface: + enp0s8: + exists: true + addrs: + - 172.16.0.16/24 +interface: + enp0s9: + exists: true + addrs: + - 172.16.64.16/24 +command: + ping -c 4 192.168.99.99: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 + ping -c 4 google.fr: + exit-status: 0 + stdout: + - 0% packet loss + stderr: [] + timeout: 10000 diff --git a/goss/s-infra.yaml b/goss/s-infra.yaml new file mode 100644 index 0000000..99b2e5d --- /dev/null +++ b/goss/s-infra.yaml @@ -0,0 +1,90 @@ +package: + bind9: + installed: true + lighttpd: + installed: true +addr: + tcp://192.168.99.99:8080: + reachable: true + timeout: 500 +port: + tcp:80: + listening: true + ip: + - 0.0.0.0 + tcp6:80: + listening: true + ip: + - '::' +service: + bind9: + enabled: true + running: true + lighttpd: + enabled: true + running: true +command: + host 172.16.0.2: + exit-status: 0 + stdout: + - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan. + stderr: [] + timeout: 10000 + host 172.16.0.9: + exit-status: 0 + stdout: + - 9.0.16.172.in-addr.arpa domain name pointer s-itil.gsb.lan. + stderr: [] + timeout: 10000 + host free.fr: + exit-status: 0 + stdout: + - free.fr has address 212.27.48.10 + - free.fr has IPv6 address 2a01:e0c:1::1 + - free.fr mail is handled by 10 mx1.free.fr. + - free.fr mail is handled by 20 mx2.free.fr. + stderr: [] + timeout: 10000 + host s-infra: + exit-status: 0 + stdout: + - s-infra.gsb.lan has address 172.16.0.1 + stderr: [] + timeout: 10000 + host s-infra.gsb.lan: + exit-status: 0 + stdout: + - s-infra.gsb.lan has address 172.16.0.1 + stderr: [] + timeout: 10000 + host s-mon: + exit-status: 0 + stdout: + - s-mon.gsb.lan has address 172.16.0.8 + stderr: [] + timeout: 10000 + host s-mon.gsb.lan: + exit-status: 0 + stdout: + - s-mon.gsb.lan has address 172.16.0.8 + stderr: [] + timeout: 10000 +process: + lighttpd: + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.1/24 + enp0s8: + exists: true + addrs: + - 172.16.0.1/24 +http: + http://localhost/wpad.dat: + status: 200 + allow-insecure: false + no-follow-redirects: false + timeout: 5000 + body: [] diff --git a/goss/s-itil.yaml b/goss/s-itil.yaml new file mode 100644 index 0000000..1fa5904 --- /dev/null +++ b/goss/s-itil.yaml @@ -0,0 +1,36 @@ +file: + /var/www/html/glpi: + exists: true + mode: "0755" + owner: www-data + group: www-data + filetype: directory + + /var/www/html/ficlients: + exists: true + mode: "0775" + owner: www-data + group: www-data + filetype: directory + + /var/www/html/glpi/plugins: + exists: true + mode: "0777" + filetype: directory + + /var/www/html/index.nginx-debian.html: + exists: true + mode: "0775" + owner: www-data + group: www-data + filetype: file + +service: + mariadb: + enabled: true + running: true + + nginx: + enabled: true + running: true + diff --git a/goss/s-lb-bd.yaml b/goss/s-lb-bd.yaml new file mode 100644 index 0000000..3e9710f --- /dev/null +++ b/goss/s-lb-bd.yaml @@ -0,0 +1,21 @@ +package: + mysql-server: + installed: true + versions: + - 5.5.54-0+deb8u1 +command: + egrep "#bind-address" /etc/mysql/my.cnf: + exit-status: 0 + stdout: + - "#bind-address\t\t= 127.0.0.1" + stderr: [] + timeout: 10000 +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.13/24 + enp0s8: + exists: true + addrs: + - 192.168.102.50/24 diff --git a/goss/s-lb-web1.yaml b/goss/s-lb-web1.yaml new file mode 100644 index 0000000..368118f --- /dev/null +++ b/goss/s-lb-web1.yaml @@ -0,0 +1,63 @@ +package: + apache2: + installed: true + versions: + - 2.4.10-10+deb8u7 + php5: + installed: true + versions: + - 5.6.29+dfsg-0+deb8u1 +port: + tcp:22: + listening: true + ip: + - 0.0.0.0 + tcp6:22: + listening: true + ip: + - '::' + tcp6:80: + listening: true + ip: + - '::' +service: + apache2: + enabled: true + running: true + sshd: + enabled: true + running: true +user: + sshd: + exists: true + uid: 105 + gid: 65534 + groups: + - nogroup + home: /var/run/sshd + shell: /usr/sbin/nologin +command: + egrep 192.168.102.14:/export/www /etc/fstab: + exit-status: 0 + stdout: + - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0 + stderr: [] + timeout: 10000 +process: + apache2: + running: true + sshd: + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.11/24 + enp0s8: + exists: true + addrs: + - 192.168.101.1/24 + enp0s9: + exists: true + addrs: + - 192.168.102.1/24 diff --git a/goss/s-lb-web2.yaml b/goss/s-lb-web2.yaml new file mode 100644 index 0000000..8df18aa --- /dev/null +++ b/goss/s-lb-web2.yaml @@ -0,0 +1,63 @@ +package: + apache2: + installed: true + versions: + - 2.4.10-10+deb8u7 + php5: + installed: true + versions: + - 5.6.29+dfsg-0+deb8u1 +port: + tcp:22: + listening: true + ip: + - 0.0.0.0 + tcp6:22: + listening: true + ip: + - '::' + tcp6:80: + listening: true + ip: + - '::' +service: + apache2: + enabled: true + running: true + sshd: + enabled: true + running: true +user: + sshd: + exists: true + uid: 105 + gid: 65534 + groups: + - nogroup + home: /var/run/sshd + shell: /usr/sbin/nologin +command: + egrep 192.168.102.14:/export/www /etc/fstab: + exit-status: 0 + stdout: + - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0 + stderr: [] + timeout: 10000 +process: + apache2: + running: true + sshd: + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.12/24 + enp0s8: + exists: true + addrs: + - 192.168.101.2/24 + enp0s9: + exists: true + addrs: + - 192.168.102.2/24 diff --git a/goss/s-lb.yaml b/goss/s-lb.yaml new file mode 100644 index 0000000..ad0a150 --- /dev/null +++ b/goss/s-lb.yaml @@ -0,0 +1,28 @@ +port: + tcp:80: + listening: true + ip: + - 192.168.100.11 +service: + haproxy: + enabled: true + running: true + sshd: + enabled: true + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.100/24 + mtu: 1500 + enp0s8: + exists: true + addrs: + - 192.168.100.11/24 + mtu: 1500 + enp0s9: + exists: true + addrs: + - 192.168.101.254/24 + mtu: 1500 diff --git a/goss/s-lb.yaml.old b/goss/s-lb.yaml.old new file mode 100644 index 0000000..3f723ed --- /dev/null +++ b/goss/s-lb.yaml.old @@ -0,0 +1,65 @@ +file: + /etc/haproxy/haproxy.cfg: + exists: true + mode: "0644" + size: 1518 + owner: root + group: root + filetype: file + contains: [] +package: + haproxy: + installed: true +port: + tcp:80: + listening: true + ip: + - 192.168.100.10 +service: + haproxy: + enabled: true + running: true +user: + haproxy: + exists: true + uid: 111 + gid: 117 + groups: + - haproxy + home: /var/lib/haproxy + shell: /bin/false +group: + haproxy: + exists: true + gid: 117 +command: + egrep "balance\s+roundrobin" /etc/haproxy/haproxy.cfg: + exit-status: 0 + stdout: + - balance roundrobin + stderr: [] + timeout: 10000 + egrep "bind\s+192.168.100.10:80" /etc/haproxy/haproxy.cfg: + exit-status: 0 + stdout: + - bind 192.168.100.10:80 + stderr: [] + timeout: 10000 + egrep "mode\s+http" /etc/haproxy/haproxy.cfg: + exit-status: 0 + stdout: + - "mode\thttp" + stderr: [] + timeout: 10000 +process: + haproxy: + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.10/24 + enp0s8: + exists: true + addrs: + - 192.168.100.10/24 diff --git a/goss/s-mon.yaml b/goss/s-mon.yaml new file mode 100644 index 0000000..10c5be1 --- /dev/null +++ b/goss/s-mon.yaml @@ -0,0 +1,62 @@ +file: + /etc/icinga/htpasswd.users: + exists: true + mode: "0644" + size: 26 + owner: root + group: root + filetype: file + contains: [] +package: + apache2: + installed: true + nagios-snmp-plugins: + installed: true + icinga: + installed: true + snmp: + installed: true +port: + tcp6:80: + listening: true + ip: + - '::' + udp:514: + listening: true + ip: + - 0.0.0.0 +service: + apache2: + enabled: true + running: true + icinga: + enabled: true + running: true +command: + sysctl net.ipv4.ip_forward: + exit-status: 0 + stdout: + - net.ipv4.ip_forward = 0 + stderr: [] + timeout: 10000 +process: + apache2: + running: true + icinga: + running: true +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.8/24 + enp0s8: + exists: true + addrs: + - 172.16.0.8/24 +http: + http://localhost/icinga: + status: 401 + allow-insecure: false + no-follow-redirects: false + timeout: 5000 + body: [] diff --git a/goss/s-proxy.yaml b/goss/s-proxy.yaml new file mode 100644 index 0000000..cff71fc --- /dev/null +++ b/goss/s-proxy.yaml @@ -0,0 +1,30 @@ +package: + squid: + installed: true +port: + tcp:8080: + listening: true + ip: + - '0.0.0.0' +service: + squid: + enabled: true + running: true +command: + host 172.16.0.2: + exit-status: 0 + stdout: + - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan. + stderr: [] + timeout: 10000 +interface: + enp0s3: + exists: true + addrs: + - 192.168.99.2/24 + mtu: 1500 + enp0s8: + exists: true + addrs: + - 172.16.0.2/24 + mtu: 1500 diff --git a/graylog-pont.yml b/graylog-pont.yml new file mode 100644 index 0000000..901115d --- /dev/null +++ b/graylog-pont.yml @@ -0,0 +1,8 @@ +--- +- hosts: localhost + connection: local + + roles: + - goss + - docker-graylog-pont + - post \ No newline at end of file diff --git a/gsbchk b/gsbchk new file mode 100755 index 0000000..f9f5e51 --- /dev/null +++ b/gsbchk @@ -0,0 +1,14 @@ +#!/bin/bash + +filename=/root/tools/ansible/gsb/goss/$HOSTNAME.yaml + +if ! [ -e $filename ] ; then + echo gsbchk : erreur ouverture $filename + exit 1 + +fi +if [ $# == 1] ; then + goss -g $filename v +else + goss $* +fi diff --git a/gsbstart b/gsbstart new file mode 100755 index 0000000..84a0feb --- /dev/null +++ b/gsbstart @@ -0,0 +1,179 @@ +#!/usr/bin/perl + +#use strict; +#use warnings; +#SCRIPT PERMETTANT DE METTRE LES INTERFACES APPROPRIEES POUR LA MACHINE ENTREE EN PARAMETRE ET DE LA DEMARRER +my %machines = ( + 's-infra' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-proxy' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-spec' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-mon' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-mess' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-itil' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-proxy' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-backup' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-appli' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 'r-int' => { + netif1 => 'n-adm', + netif2 => 'n-link', + netif3 => 'n-wifi', + netif4 => 'n-user', + netif5 => 'n-infra' + }, + 'r-ext' => { + netif1 => 'n-adm', + netif2 => 'n-dmz', + netif3 => 'enp0s3', + netif4 => 'n-linkv', + netif5 => 'n-link' + }, + 'r-vp2' => { + netif1 => 'n-adm', + netif2 => 'n-agence', + netif3 => 'enp0s3' + }, + 'r-vp1' => { + netif1 => 'n-adm', + netif2 => 'enp0s3', + netif3 => 'n-linkv' + }, + 's-lb' => { + netif1 => 'n-adm', + netif2 => 'n-dmz', + netif3 => 'n-dmz-lb' + }, + 's-lb-bd' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-db' + + }, + 's-lb-web1' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-lb', + netif3 => 'n-dmz-db' + }, + 's-lb-web2' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-lb', + netif3 => 'n-dmz-db' + }, + 's-nas' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-db', + } + + + + + + + +); + + +my ($net1, $net2, $net3, $net4, $net5); + +my $machine = shift; +die "usage : gsbstart " unless ( $machine); + +#print $machines { $machine } "\n"; +if (%{$machines{$machine}}) { +# print $machines { $machine } {netif1}, "\n"; + $net1 = $machines { $machine } {netif1}; + $net2 = $machines { $machine } {netif2}; + $net3 = $machines { $machine } {netif3}; + $net4 = $machines { $machine } {netif4}; + $net5 = $machines { $machine } {netif5}; + + + +} else { + print "machine $machine inconnue\n"; +} +# + +my $ninfra = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\""; + +my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\""; + +my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\""; + +my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n"; + +my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; + +my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n"; + +my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n"; + +my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; + +my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n"; + +#print $routeur; + + +if ($machine eq "r-int") { + qx($rint); + print "la création des interfaces du routeur $machine a fonctionné!\n"; +}else{ + if ($machine eq "r-ext") { + qx($rext); + }else{ + qx($ninfra); + print "la création des interfaces de $machine a fonctionné!\n"; + } +} +if ($machine eq "r-vp2") { + qx($rvp2); +} +if ($machine eq "r-vp1") { + qx($rvp1); +} +if ($machine eq "s-lb"){ + qx($lb); +} +if ($machine eq "s-lb-web1"){ + qx($lbweb); +} +if ($machine eq "s-lb-web2"){ + qx($lbweb); +} +if ($machine eq "s-lb-bd"){ + qx($lbbd); +} +if ($machine eq "s-nas"){ + qx($snas); +} + +qx(VBoxManage startvm $machine); + + + diff --git a/gsbstartl b/gsbstartl new file mode 100755 index 0000000..11da13b --- /dev/null +++ b/gsbstartl @@ -0,0 +1,28 @@ +#!/usr/bin/perl + +use strict; +use warnings; + +while ($_ = shift @ARGV) { + if ($_ eq "-a"){ + qx(./gsbstart s-infra); + qx(./gsbstart s-spec); + qx(./gsbstart s-proxy); + qx(./gsbstart s-mon); + qx(./gsbstart s-mess); + qx(./gsbstart s-itil); + qx(./gsbstart s-backup); + qx(./gsbstart s-appli); + qx(./gsbstart r-vp1); + qx(./gsbstart r-vp2); + qx(./gsbstart r-int); + qx(./gsbstart r-ext); + qx(./gsbstart s-lb); + qx(./gsbstart s-lb-web-1); + qx(./gsbstart s-lb-web-2); + qx(./gsbstart s-lb-bd); + + }else{ + qx(./gsbstart $_); + } +} diff --git a/lisezmoi.txt b/lisezmoi.txt new file mode 100644 index 0000000..c14a693 --- /dev/null +++ b/lisezmoi.txt @@ -0,0 +1,14 @@ +lisezmoi.txt +------------ + +Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4 + + +Le projet GSB décrit les diférents playbooks permttant d'installer les +machines du projet GSB + +Les répertoires : + +- roles : les roles +- goss : les outils de test + diff --git a/ping-agence.sh b/ping-agence.sh new file mode 100644 index 0000000..d675295 --- /dev/null +++ b/ping-agence.sh @@ -0,0 +1,14 @@ +#!/bin/bash +ping -c3 172.16.128.254 + +ping -c3 192.168.1.2 + +ping -c3 192.168.1.1 + +ping -c3 192.168.200.253 + +ping -c3 192.168.200.254 + +ping -c3 172.16.0.254 + +ping -c3 172.16.0.1 diff --git a/ping-rext.sh b/ping-rext.sh new file mode 100755 index 0000000..e42f779 --- /dev/null +++ b/ping-rext.sh @@ -0,0 +1,14 @@ +#!/bin/bash +ping -c3 172.16.0.1 + +ping -c3 172.16.0.254 + +ping -c3 192.168.200.254 + +ping -c3 192.168.1.1 + +ping -c3 192.168.1.2 + +ping -c3 172.16.128.254 + +ping -c3 172.16.128.10 diff --git a/ping-rint.sh b/ping-rint.sh new file mode 100644 index 0000000..99e92aa --- /dev/null +++ b/ping-rint.sh @@ -0,0 +1,12 @@ +#!/bin/bash +ping -c3 172.16.0.1 + +ping -c3 192.168.200.253 + +ping -c3 192.168.1.1 + +ping -c3 192.168.1.2 + +ping -c3 172.16.128.254 + +ping -c3 172.16.128.10 diff --git a/ping-sinfra.sh b/ping-sinfra.sh new file mode 100644 index 0000000..8a9c1d3 --- /dev/null +++ b/ping-sinfra.sh @@ -0,0 +1,14 @@ +#!/bin/bash +ping -c3 172.16.0.254 + +ping -c3 192.168.200.254 + +ping -c3 192.168.200.253 + +ping -c3 192.168.1.1 + +ping -c3 192.168.1.2 + +ping -c3 172.16.125.254 + +ping -c3 172.16.128.10 diff --git a/pre/Vagrantfile-s-adm b/pre/Vagrantfile-s-adm new file mode 100644 index 0000000..ab1ecee --- /dev/null +++ b/pre/Vagrantfile-s-adm @@ -0,0 +1,77 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + config.vm.box = "debian/buster64" + config.vm.hostname = "s-adm" + config.vm.define "s-adm" + config.vm.provider :virtualbox do |vb| + vb.name = "s-adm" + end + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # NOTE: This will enable public access to the opened port + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine and only allow access + # via 127.0.0.1 to disable public access + # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + config.vm.network "public_network", ip: "192.168.1.91" + config.vm.network "private_network", ip: "192.168.99.99" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. The first argument is + # the path on the host to the actual folder. The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # config.vm.synced_folder "../data", "/vagrant_data" + + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + # config.vm.provider "virtualbox" do |vb| + # # Display the VirtualBox GUI when booting the machine + # vb.gui = true + # + # # Customize the amount of memory on the VM: + # vb.memory = "1024" + # end + # + # View the documentation for the provider you are using for more + # information on available options. + + # Enable provisioning with a shell script. Additional provisioners such as + # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the + # documentation for more information about their specific syntax and use. + config.vm.provision "shell", inline: <<-SHELL + apt-get update + apt-get upgrade + apt-get install -y vim wget curl + # apt-get install -y apache2 + SHELL +end diff --git a/pre/gsbboot b/pre/gsbboot new file mode 100644 index 0000000..b462f70 --- /dev/null +++ b/pre/gsbboot @@ -0,0 +1,54 @@ +#!/bin/bash +version="1.8" +__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +__file="${__dir}/$(basename "${BASH_SOURCE[0]}")" +__base="$(basename ${__file})" +__root="$(cd "$(dirname "${__dir}")" && pwd)" +echo "dir : ${__dir}" +echo "file : ${__file}" +echo "base : ${__base}" +echo "root : ${__root}" + +# version 1.8 +# install git si besoin +# install ansible si besoin + backports si wheezy + +readonly base=/root/tools/ansible +readonly slist=/etc/apt/sources.list +readonly host=depl +if [[ -z ${DEPL+x} ]]; then + echo "erreur : DEPL indefini" + echo " DEPL : adresse serveur deploiement" + echo "export DEPL=xyzt ; ./$0" + exit 1 +fi + +hostf="${host}.local" +prj=gsb2022 +APT=apt + +which git >> /dev/null +if [[ $? != 0 ]]; then + ${APT} update + echo "installation de git ..." + ${APT} install -y git-core +fi +${APT} update +${APT} upgrade -y + +which ansible >> /dev/null +if [[ $? != 0 ]]; then + echo "installation de ansible ..." + ${APT} install -y ansible +fi + +[ -e "${base}" ] || mkdir -p "${base}" + +grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts +cd "${base}" + +cp ${prj}/pull-config ${base} + +#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'" +echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..." + diff --git a/pre/inst-depl b/pre/inst-depl new file mode 100644 index 0000000..69312fe --- /dev/null +++ b/pre/inst-depl @@ -0,0 +1,93 @@ +#!/bin/bash +## ps : 2021-04-01 15:25 + +set -o errexit +set -o pipefail +GITUSR=gitgsb +GITPRJ=gsb2022 +apt update && apt upgrade +apt install -y apache2 git +STOREREP="/var/www/html/gsbstore" + +GLPIREL=9.5.6 +str="wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz" + +FIREL=9.5 +str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2" + +FIAGREL=2.6 +str31="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe" + +str32="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe" + +FOGREL=1.5.9 +str4="wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz" + +WPREL=5.8.2 +str5="wget -nc https://fr.wordpress.org/wordpress-${WPREL}-fr_FR.tar.gz" + +GOSSVER=v0.3.16 +str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss" + +DOCKERREL=1.29.2 +str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose" + +GESTSUPREL=3.2.15 +str8="wget -nc https://gestsup.fr/downloads/versions/current/version/gestsup_${GESTSUPREL}.zip" + +ELKREL=7.16.3 +str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb" + +str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip" + +str83="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-windows-x86_64.zip" + +str84="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-amd64.deb" + + +[[ -d "${STOREREP}" ]]|| mkdir "${STOREREP}" + +(cat < "${STOREREP}/getall" +#!/bin/bash + +${str} + +${str2} + +${str31} + +${str32} + +${str4} + +${str5} + +${str6} + +chmod +x ./goss + +curl -L https://get.docker.com -o getdocker.sh + +chmod +x ./getdocker.sh + +${str7} + +chmod +x ./docker-compose + + +wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert + +chmod +x ./mkcert + +${str8} + +${str81} +${str82} +${str83} +${str84} + +EOT +) + +cat "${STOREREP}/getall" + diff --git a/pre/inst-depl.old b/pre/inst-depl.old new file mode 100644 index 0000000..a1610db --- /dev/null +++ b/pre/inst-depl.old @@ -0,0 +1,48 @@ +#!/bin/bash +set -o errexit +set -o pipefail +GITUSR=gitgsb +GITPRJ=gsb +apt update && apt upgrade +apt install -y apache2 git +getent passwd "${GITUSR}" >> /dev/null +if [[ $? != 0 ]]; then + echo "creation utilisateur "${GITUSR}" ..." + /sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}" + echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd +else + echo "utilisateur "${GITUSR}" existant..." +fi +su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}" +su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}" +[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git +[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore + +(cat < /var/www/html/gsbstore/getall + +#!/bin/bash + +set -o errexit +set -o pipefail + +GLPIREL=9.4.5 +wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz + +FIREL=9.4+2.4 +wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz +#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g + +FIAGREL=2.5.2 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe + +FOGREL=1.5.7 +wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz + +wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz + +EOT +) +cat /var/www/html/gsbstore/getall + diff --git a/pre/pull-config b/pre/pull-config new file mode 100644 index 0000000..4566973 --- /dev/null +++ b/pre/pull-config @@ -0,0 +1,16 @@ +#!/bin/bash + +if [ -z ${UREP+x} ]; then + UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git +fi + +dir=/root/tools/ansible + +[ -e "${dir}" ] || mkdir -p "${dir}" + +cd "${dir}" || exit 1 + +hostname > hosts +ansible-pull -i "${dir}/hosts" -U "${UREP}" + +exit 0 diff --git a/proxy b/proxy new file mode 120000 index 0000000..3f32243 --- /dev/null +++ b/proxy @@ -0,0 +1 @@ +/etc/nginx/sites-availables/proxy \ No newline at end of file diff --git a/pull-config b/pull-config new file mode 100644 index 0000000..4566973 --- /dev/null +++ b/pull-config @@ -0,0 +1,16 @@ +#!/bin/bash + +if [ -z ${UREP+x} ]; then + UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git +fi + +dir=/root/tools/ansible + +[ -e "${dir}" ] || mkdir -p "${dir}" + +cd "${dir}" || exit 1 + +hostname > hosts +ansible-pull -i "${dir}/hosts" -U "${UREP}" + +exit 0 diff --git a/r-ext.yml b/r-ext.yml new file mode 100644 index 0000000..3a16f4b --- /dev/null +++ b/r-ext.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - r-ext + - snmp-agent + - ssh-cli + - syslog-cli + - post diff --git a/r-int.yml b/r-int.yml new file mode 100644 index 0000000..32fde49 --- /dev/null +++ b/r-int.yml @@ -0,0 +1,13 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - r-int + - ssh-cli + - syslog-cli + - dhcp + - snmp-agent + - post diff --git a/r-vp1.yml b/r-vp1.yml new file mode 100644 index 0000000..2ffe142 --- /dev/null +++ b/r-vp1.yml @@ -0,0 +1,20 @@ +--- +- hosts: localhost + connection: local + + vars: + - ip1: 192.168.0.51 + - remip: 192.168.0.52 + - mynet: 192.168.1.0 + - remnet: 172.16.128.0 + + roles: + - base + - goss +# - snmp-agent +# - firewall-vpn-r + - wireguard-r +# - x509-r + - ssh-cli + - syslog-cli + - post diff --git a/r-vp2.yml b/r-vp2.yml new file mode 100644 index 0000000..3c78dbf --- /dev/null +++ b/r-vp2.yml @@ -0,0 +1,23 @@ +--- +- hosts: localhost + connection: local + + vars: + - ip1: 192.168.0.52 + - remip: 192.168.0.51 + - mynet: 172.16.128.0 + - remnet: 192.168.1.0 + + roles: + - base + - goss + - dhcp-ag + - dns-agence + - ssh-root-access +# - snmp-agent +# - firewall-vpn-l + - wireguard-l +# - x509-l + - ssh-cli + - syslog-cli + - post diff --git a/roles/apache2/handlers/main.yml b/roles/apache2/handlers/main.yml new file mode 100644 index 0000000..645ca3a --- /dev/null +++ b/roles/apache2/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted + + - name: restart mysql-server + service: name=mysql-server state=restarted diff --git a/roles/apache2/tasks/main.yml b/roles/apache2/tasks/main.yml new file mode 100644 index 0000000..b122969 --- /dev/null +++ b/roles/apache2/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Update apt cache + apt: update_cache=yes cache_valid_time=3600 + +- name: Install required software + apt: name={{ item }} state=present + with_items: + - apache2 + - mariadb-server + - php-mysql + - php + - libapache2-mod-php + - php-mcrypt + - python-mysqldb diff --git a/roles/appli/README.md b/roles/appli/README.md new file mode 100644 index 0000000..f343482 --- /dev/null +++ b/roles/appli/README.md @@ -0,0 +1,4 @@ +## Fonctionnement du rôle appli + +Ce rôle permet de créer un serveur wordpress avec MariaDB et apache. +Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress. diff --git a/roles/appli/handlers/main.yml b/roles/appli/handlers/main.yml new file mode 100644 index 0000000..f041d80 --- /dev/null +++ b/roles/appli/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: restart apache + service: name=apache2 state=restarted + become: yes diff --git a/roles/appli/tasks/main.yml b/roles/appli/tasks/main.yml new file mode 100644 index 0000000..36697f3 --- /dev/null +++ b/roles/appli/tasks/main.yml @@ -0,0 +1,72 @@ + +--- +- name: Installation des packets + apt: + state: present + name: + - php + - php-fpm + - php-mbstring + - php-ssh2 + - php-gd + - php-mysql + - python3-mysqldb + - libapache2-mod-php + - mariadb-server + - apache2 + - python3 + +- name: Création du répertoire pour wordpress + file: + path: /var/www/html/wordpress + state: directory + +- name: Téléchargement de wordpress + get_url: + url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Extraction du fichier wordpress + unarchive: + src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Fix permissions owner + shell: chown -R www-data /var/www/html/wordpress + +- name: Fix permissions groups + shell: chgrp -R www-data /var/www/html/wordpress + +- name: Mettre à jour le site Apache par défaut + lineinfile: + dest: /etc/apache2/sites-enabled/000-default.conf + regexp: "(.)+DocumentRoot /var/www/html" + line: "DocumentRoot /var/www/html/wordpress" + +- name: restart apache2 + service: + name: apache2 + state: restarted + +- name: Mettre à jour le fichier de configuration WordPress + lineinfile: + dest: /var/www/html/wordpress/wp-config-sample.php + backup: yes + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"} + - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"} + - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"} + - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"} + +- name: Création de la base de donnée mysql + mysql_db: + name: wordpress + state: present + +- name: Création de l'utilisateur mysql + mysql_user: + name: wordpress + password: wp + priv: "*.*:ALL" diff --git a/roles/base/files/apt.conf b/roles/base/files/apt.conf new file mode 100644 index 0000000..def8cbb --- /dev/null +++ b/roles/base/files/apt.conf @@ -0,0 +1 @@ +Acquire::http::Proxy "http://192.168.99.99:8080"; diff --git a/roles/base/files/resolv.conf b/roles/base/files/resolv.conf new file mode 100644 index 0000000..afafa6b --- /dev/null +++ b/roles/base/files/resolv.conf @@ -0,0 +1,4 @@ +domain gsb.lan +search gsb.lan +nameserver 192.168.99.99 + diff --git a/roles/base/files/sources.list b/roles/base/files/sources.list new file mode 100644 index 0000000..9fa923c --- /dev/null +++ b/roles/base/files/sources.list @@ -0,0 +1,10 @@ +# + +deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free + +deb http://security.debian.org/ wheezy/updates main + +deb http://ftp.fr.debian.org/debian/ wheezy-updates main + +deb http://http.debian.net/debian wheezy-backports main + diff --git a/roles/base/files/sources.list.Debian b/roles/base/files/sources.list.Debian new file mode 100644 index 0000000..a5fb8a1 --- /dev/null +++ b/roles/base/files/sources.list.Debian @@ -0,0 +1,4 @@ +deb http://deb.debian.org/debian/ bullseye main non-free contrib +deb http://security.debian.org/debian-security bullseye-security main contrib non-free +deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free + diff --git a/roles/base/files/sources.list.Ubuntu b/roles/base/files/sources.list.Ubuntu new file mode 100644 index 0000000..8d1643a --- /dev/null +++ b/roles/base/files/sources.list.Ubuntu @@ -0,0 +1,13 @@ +#------------------------------------------------------------------------------# +# OFFICIAL UBUNTU REPOS # +#------------------------------------------------------------------------------# + + +###### Ubuntu Main Repos +deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe + +###### Ubuntu Update Repos +deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe +deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe + + diff --git a/roles/base/files/sources.list.buster b/roles/base/files/sources.list.buster new file mode 100644 index 0000000..520e104 --- /dev/null +++ b/roles/base/files/sources.list.buster @@ -0,0 +1,9 @@ + +#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free +#deb http://security.debian.org/ stretch/updates main +#deb http://ftp.fr.debian.org/debian/ stretch-updates main + +deb http://deb.debian.org/debian/ buster main contrib non-free +deb http://security.debian.org/debian-security buster/updates main contrib non-free +deb http://deb.debian.org/debian/ buster-updates main contrib non-free + diff --git a/roles/base/files/sources.list.jessie b/roles/base/files/sources.list.jessie new file mode 100644 index 0000000..cad9227 --- /dev/null +++ b/roles/base/files/sources.list.jessie @@ -0,0 +1,22 @@ +# + +# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main + +#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main + + +deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free +#deb-src http://ftp.fr.debian.org/debian/ jessie main + +deb http://security.debian.org/ jessie/updates main +#deb-src http://security.debian.org/ jessie/updates main + +deb http://ftp.fr.debian.org/debian/ jessie-updates main +#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main +#deb http://backports.debian.org/debian-backports jessie-backports main +#deb http://packages.steve.org.uk/slaughter/jessie/ ./ +#deb https://rex.linux-files.org/debian/ jessie rex + + +#deb http://http.debian.net/debian jessie-backports main + diff --git a/roles/base/files/sources.list.wheezy b/roles/base/files/sources.list.wheezy new file mode 100644 index 0000000..e8a28d8 --- /dev/null +++ b/roles/base/files/sources.list.wheezy @@ -0,0 +1,22 @@ +# + +# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main + +#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main + + +deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free +#deb-src http://ftp.fr.debian.org/debian/ wheezy main + +deb http://security.debian.org/ wheezy/updates main +#deb-src http://security.debian.org/ wheezy/updates main + +deb http://ftp.fr.debian.org/debian/ wheezy-updates main +#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main +#deb http://backports.debian.org/debian-backports wheezy-backports main +#deb http://packages.steve.org.uk/slaughter/wheezy/ ./ +#deb https://rex.linux-files.org/debian/ wheezy rex + + +deb http://http.debian.net/debian wheezy-backports main + diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..0e1498f --- /dev/null +++ b/roles/base/tasks/main.yml @@ -0,0 +1,76 @@ +--- + +- name: Copie sources.list + copy: + src: sources.list.{{ ansible_distribution }} + dest: /etc/apt/sources.list + +- name: Copie apt.conf pour proxy + copy: + src: apt.conf + dest: /etc/apt/apt.conf + when: ansible_hostname != "s-adm" + +#- name: Sysctl desactive ipv6 +# sysctl: +# name: net.ipv6.conf.all.disable_ipv6 +# value: 1 +# sysctl_set: yes +# state: present +# reload: yes + +- name: Update + Upgrade + apt: + upgrade: yes + update_cache: yes + cache_valid_time: 86400 #One day + +- name: Install paquets + apt: + state: present + name: + - vim + - ntp + - mc + - tcpdump + - curl + - net-tools + - rsync + - sudo + - iptables + +- name: Desinstall paquets + apt: + state: absent + name: + - nfs-common + - rpcbind + - bluetooth + +- name: Configure Vim + alternatives: + name: editor + path: /usr/bin/vim + +- name: Generation /etc/hosts + template: + src: hosts.j2 + dest: /etc/hosts + when: ansible_hostname != "s-proxy" + +- name: Generation /etc/hosts pour s-proxy + template: + src: hosts.s-proxy.j2 + dest: /etc/hosts + when: ansible_hostname == "s-proxy" + +- name: Desactive IPV6 avec sysctl + sysctl: + name: "{{ item }}" + value: 1 + state: present + reload: yes + with_items: + - net.ipv6.conf.all.disable_ipv6 + - net.ipv6.conf.default.disable_ipv6 + - net.ipv6.conf.lo.disable_ipv6 diff --git a/roles/base/templates/hosts.j2 b/roles/base/templates/hosts.j2 new file mode 100644 index 0000000..2ab74e6 --- /dev/null +++ b/roles/base/templates/hosts.j2 @@ -0,0 +1,27 @@ +127.0.0.1 localhost +127.0.1.1 {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }} +127.0.0.1 localhost ip6-localhost ip6-loopback + +#10.121.38.10 depl.sio.lan depl + +192.168.99.99 s-adm.gsb.adm depl.sio.lan depl +192.168.99.1 s-infra.gsb.adm +192.168.99.2 s-proxy.gsb.adm +192.168.99.3 s-appli.gsb.adm +192.168.99.4 s-backup.gsb.adm +192.168.99.5 s-puppet.gsb.adm +192.168.99.6 s-win.gsb.adm +192.168.99.7 s-nxc.gsb.adm +192.168.99.8 s-mon.gsb.adm +192.168.99.9 s-itil.gsb.adm +192.168.99.10 s-sspec.gsb.adm +192.168.99.11 s-web-ext.gsb.adm +192.168.99.10 s-dns.gsb.adm +192.168.99.12 r-int.gsb.adm +192.168.99.13 r-ext.gsb.adm +192.168.99.14 s-nas.gsb.adm +192.168.99.15 s-san.gsb.adm +192.168.99.16 s-fog.gsb.adm + +192.168.99.8 syslog.gsb.adm + diff --git a/roles/base/templates/hosts.s-proxy.j2 b/roles/base/templates/hosts.s-proxy.j2 new file mode 100644 index 0000000..e18d15e --- /dev/null +++ b/roles/base/templates/hosts.s-proxy.j2 @@ -0,0 +1,26 @@ +127.0.0.1 localhost +127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }} +127.0.0.1 localhost ip6-localhost ip6-loopback +172.16.0.2 s-proxy.gsb.lan s-proxy + +#10.121.38.10 depl + +192.168.99.99 s-adm.gsb.adm depl +192.168.99.1 s-infra.gsb.adm +192.168.99.2 s-proxy.gsb.adm +192.168.99.3 s-appli.gsb.adm +192.168.99.4 s-backup.gsb.adm +192.168.99.5 s-puppet.gsb.adm +192.168.99.6 s-win.gsb.adm +192.168.99.7 s-nxc.gsb.adm +192.168.99.8 s-mon.gsb.adm +192.168.99.9 s-itil.gsb.adm +192.168.99.10 s-sspec.gsb.adm +192.168.99.11 s-web-ext.gsb.adm +192.168.99.10 s-dns.gsb.adm +192.168.99.12 r-int.gsb.adm +192.168.99.13 r-ext.gsb.adm +192.168.99.14 s-nas.gsb.adm + +192.168.99.8 syslog.gsb.adm + diff --git a/roles/db-user/files/resolv.conf b/roles/db-user/files/resolv.conf new file mode 100644 index 0000000..b018c3b --- /dev/null +++ b/roles/db-user/files/resolv.conf @@ -0,0 +1,3 @@ +search gsb.lan +domain gsb.lan +nameserver 172.16.0.1 diff --git a/roles/db-user/tasks/main.yml b/roles/db-user/tasks/main.yml new file mode 100644 index 0000000..81d6d85 --- /dev/null +++ b/roles/db-user/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: Create mysql user + mysql_user: + host: "{{ cli_ip }}" + name: "{{ maria_dbuser }}" + password: "{{ maria_dbpasswd }}" + priv: "*.*:ALL" + +- name: Copie du fichier resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf \ No newline at end of file diff --git a/roles/dhcp-ag/files/dhcpd.conf b/roles/dhcp-ag/files/dhcpd.conf new file mode 100644 index 0000000..caca080 --- /dev/null +++ b/roles/dhcp-ag/files/dhcpd.conf @@ -0,0 +1,152 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +#subnet 172.16.65.0 netmask 255.255.255.0 { +# range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau USER + +#subnet 172.16.64.0 netmask 255.255.255.0 { +# range 172.16.64.20 172.16.64.120; +# option domain-name-servers 172.16.0.6, 172.16.0.1 ; +# option routers 172.16.64.254; +# option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau INFRA + +#subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau AGENCE + +subnet 172.16.128.0 netmask 255.255.255.0 { + range 172.16.128.10 172.16.128.50; + option domain-name-servers 172.16.0.1; + option routers 172.16.128.254; + option broadcast-address 172.16.128.255; + default-lease-time 86400; + max-lease-time 86400; +} diff --git a/roles/dhcp-ag/files/isc-dhcp-server b/roles/dhcp-ag/files/isc-dhcp-server new file mode 100644 index 0000000..26ec0d9 --- /dev/null +++ b/roles/dhcp-ag/files/isc-dhcp-server @@ -0,0 +1,18 @@ +# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +DHCPDv4_CONF=/etc/dhcp/dhcpd.conf +#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +DHCPDv4_PID=/var/run/dhcpd.pid +#DHCPDv6_PID=/var/run/dhcpd6.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="enp0s8" +INTERFACESv6="" diff --git a/roles/dhcp-ag/handlers/main.yml b/roles/dhcp-ag/handlers/main.yml new file mode 100644 index 0000000..27f226d --- /dev/null +++ b/roles/dhcp-ag/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart dhcp + service: name=isc-dhcp-server state=restarted diff --git a/roles/dhcp-ag/tasks/main.yml b/roles/dhcp-ag/tasks/main.yml new file mode 100644 index 0000000..063a625 --- /dev/null +++ b/roles/dhcp-ag/tasks/main.yml @@ -0,0 +1,11 @@ +--- + - name: Installation serveur dhcp + apt: name=isc-dhcp-server state=present update_cache=yes + + - name: copie dhcpd.conf + copy: src=dhcpd.conf dest=/etc/dhcp + # notify: restart dhcp + + - name: copie conf isc-dhcp-server + copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server + # notify: restart dhcp diff --git a/roles/dhcp-fog/files/dhcpd.conf b/roles/dhcp-fog/files/dhcpd.conf new file mode 100644 index 0000000..4371dc6 --- /dev/null +++ b/roles/dhcp-fog/files/dhcpd.conf @@ -0,0 +1,142 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +#subnet 172.16.65.0 netmask 255.255.255.0 { +# range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau USER + +subnet 172.16.64.0 netmask 255.255.255.0 { + range 172.16.64.20 172.16.64.120; + option domain-name-servers 172.16.0.1 ; + option routers 172.16.64.254; + option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau INFRA + +#subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + diff --git a/roles/dhcp-fog/files/isc-dhcp-server b/roles/dhcp-fog/files/isc-dhcp-server new file mode 100644 index 0000000..a2f7704 --- /dev/null +++ b/roles/dhcp-fog/files/isc-dhcp-server @@ -0,0 +1,18 @@ +# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +DHCPDv4_CONF=/etc/dhcp/dhcpd.conf +#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +DHCPDv4_PID=/var/run/dhcpd.pid +#DHCPDv6_PID=/var/run/dhcpd6.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="enp0s9" +INTERFACESv6="" diff --git a/roles/dhcp-fog/handlers/main.yml b/roles/dhcp-fog/handlers/main.yml new file mode 100644 index 0000000..e2bb399 --- /dev/null +++ b/roles/dhcp-fog/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart isc-dhcp-server + service: name=isc-dhcp-server state=restarted diff --git a/roles/dhcp-fog/tasks/main.yml b/roles/dhcp-fog/tasks/main.yml new file mode 100644 index 0000000..9b51946 --- /dev/null +++ b/roles/dhcp-fog/tasks/main.yml @@ -0,0 +1,14 @@ +--- + +- name: Installation du dhcp + apt: name=isc-dhcp-server state=present + +- name: Copie du fichier isc-dhcp-server + copy: src=isc-dhcp-server dest=/etc/default/ + +- name: Copie du fichier dhcpd.conf + copy: src=dhcpd.conf dest=/etc/dhcp/ + notify: + - restart isc-dhcp-server + + diff --git a/roles/dhcp/files/dhcpd.conf b/roles/dhcp/files/dhcpd.conf new file mode 100644 index 0000000..0b565f1 --- /dev/null +++ b/roles/dhcp/files/dhcpd.conf @@ -0,0 +1,142 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +subnet 172.16.65.0 netmask 255.255.255.0 { + range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau USER + +subnet 172.16.64.0 netmask 255.255.255.0 { + range 172.16.64.20 172.16.64.120; + option domain-name-servers 172.16.0.1 ; + option routers 172.16.64.254; + option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau INFRA + +subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +} + diff --git a/roles/dhcp/files/isc-dhcp-server b/roles/dhcp/files/isc-dhcp-server new file mode 100644 index 0000000..3930248 --- /dev/null +++ b/roles/dhcp/files/isc-dhcp-server @@ -0,0 +1,18 @@ +# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +DHCPDv4_CONF=/etc/dhcp/dhcpd.conf +#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +DHCPDv4_PID=/var/run/dhcpd.pid +#DHCPDv6_PID=/var/run/dhcpd6.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="enp0s9 enp0s10" +INTERFACESv6="" diff --git a/roles/dhcp/handlers/main.yml b/roles/dhcp/handlers/main.yml new file mode 100644 index 0000000..e2bb399 --- /dev/null +++ b/roles/dhcp/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart isc-dhcp-server + service: name=isc-dhcp-server state=restarted diff --git a/roles/dhcp/tasks/main.yml b/roles/dhcp/tasks/main.yml new file mode 100644 index 0000000..46121f4 --- /dev/null +++ b/roles/dhcp/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- name: Installation serveur DHCP - isc-dhcp-server + apt: + name: isc-dhcp-server + state: present + +- name: Copie du fichier isc-dhcp-server dans /etc/default + copy: + src: isc-dhcp-server + dest: /etc/default/ + +- name: Copie du fichier dhcpd.conf dans /etc + copy: + src: dhcpd.conf + dest: /etc/dhcp/ + notify: + - restart isc-dhcp-server + + diff --git a/roles/dns-ag-cs/files/named.conf.options b/roles/dns-ag-cs/files/named.conf.options new file mode 100644 index 0000000..d0daf3f --- /dev/null +++ b/roles/dns-ag-cs/files/named.conf.options @@ -0,0 +1,23 @@ +// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 172.16.0.1; + + }; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; +}; + diff --git a/roles/dns-ag-cs/handlers/main.yml b/roles/dns-ag-cs/handlers/main.yml new file mode 100644 index 0000000..33d4f98 --- /dev/null +++ b/roles/dns-ag-cs/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart bind9 + service: name=bind9 state=restarted + diff --git a/roles/dns-ag-cs/tasks/main.yml b/roles/dns-ag-cs/tasks/main.yml new file mode 100644 index 0000000..d3a88a6 --- /dev/null +++ b/roles/dns-ag-cs/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- name: Installation bind9 + apt: name=bind9 state=present update_cache=yes + +- name: Copie named.conf.options + copy: src=named.conf.options dest=/etc/bind + notify: + - restart bind9 + + diff --git a/roles/dns-agence/files/named.conf.options b/roles/dns-agence/files/named.conf.options new file mode 100644 index 0000000..d0daf3f --- /dev/null +++ b/roles/dns-agence/files/named.conf.options @@ -0,0 +1,23 @@ +// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 172.16.0.1; + + }; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; +}; + diff --git a/roles/dns-agence/handlers/main.yml b/roles/dns-agence/handlers/main.yml new file mode 100644 index 0000000..33d4f98 --- /dev/null +++ b/roles/dns-agence/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart bind9 + service: name=bind9 state=restarted + diff --git a/roles/dns-agence/tasks/main.yml b/roles/dns-agence/tasks/main.yml new file mode 100644 index 0000000..d3a88a6 --- /dev/null +++ b/roles/dns-agence/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- name: Installation bind9 + apt: name=bind9 state=present update_cache=yes + +- name: Copie named.conf.options + copy: src=named.conf.options dest=/etc/bind + notify: + - restart bind9 + + diff --git a/roles/dns-master/files/db.gsb.lan b/roles/dns-master/files/db.gsb.lan new file mode 100644 index 0000000..93f62a5 --- /dev/null +++ b/roles/dns-master/files/db.gsb.lan @@ -0,0 +1,38 @@ +; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. ( + 2022041200 ; Serial + 7200 ; Refresh + 86400 ; Retry + 8419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS s-infra.gsb.lan. +@ IN NS s-backup.gsb.lan. +@ IN A 127.0.0.1 +@ IN AAAA ::1 +s-infra IN A 172.16.0.1 +s-backup IN A 172.16.0.4 +s-proxy IN A 172.16.0.2 +s-appli IN A 172.16.0.3 +s-win IN A 172.16.0.6 +s-mess IN A 172.16.0.7 +s-nxc IN A 172.16.0.7 +s-docker IN A 172.16.0.7 +s-mon IN A 172.16.0.8 +s-itil IN A 172.16.0.9 +s-elk IN A 172.16.0.10 +s-gestsup IN A 172.16.0.17 +r-int IN A 172.16.0.254 +r-int-lnk IN A 192.168.200.254 +r-ext IN A 192.168.200.253 +s-lb IN A 192.168.100.10 +s-web1 IN A 192.168.101.1 +s-web2 IN A 192.168.101.2 +s-lb.gsb.lan IN A 192.168.100.10 +ns IN CNAME s-infra.gsb.lan. +wpad IN CNAME s-infra.gsb.lan. diff --git a/roles/dns-master/files/db.gsb.lan.rev b/roles/dns-master/files/db.gsb.lan.rev new file mode 100644 index 0000000..92a6bcc --- /dev/null +++ b/roles/dns-master/files/db.gsb.lan.rev @@ -0,0 +1,31 @@ +; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. ( + 2022041200 ; Serial + 7200 ; Refresh + 86400 ; Retry + 8419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS s-infra.gsb.lan. +@ IN NS s-backup.gsb.lan. +1.0 IN PTR s-infra.gsb.lan. +4.0 IN PTR s-backup.gsb.lan. +2.0 IN PTR s-proxy.gsb.lan. +3.0 IN PTR s-appli.gsb.lan. +6.0 IN PTR s-win.gsb.lan. +7.0 IN PTR s-nxc.gsb.lan. +8.0 IN PTR s-mon.gsb.lan. +9.0 IN PTR s-itil.gsb.lan. +101.1 IN PTR s-web1 +101.2 IN PTR s-web2 +100.10 IN PTR s-lb +100.10 IN PTR s-lb.gsb.lan +10.0 IN PTR s-elk.gsb.lan. +17.0 IN PTR s-gestsup.lan +254.0 IN PTR r-int.gsb.lan. + diff --git a/roles/dns-master/files/forbidden.html b/roles/dns-master/files/forbidden.html new file mode 100644 index 0000000..648fafc --- /dev/null +++ b/roles/dns-master/files/forbidden.html @@ -0,0 +1,2 @@ +
Bloque
+

Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.

diff --git a/roles/dns-master/files/hosts b/roles/dns-master/files/hosts new file mode 100644 index 0000000..3c35fbd --- /dev/null +++ b/roles/dns-master/files/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost +127.0.1.1 s-infra + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/roles/dns-master/files/named.conf.local b/roles/dns-master/files/named.conf.local new file mode 100644 index 0000000..28e3aaa --- /dev/null +++ b/roles/dns-master/files/named.conf.local @@ -0,0 +1,20 @@ +// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + +zone "gsb.lan" { + type master; + file "/etc/bind/db.gsb.lan"; +}; + +zone "16.172.in-addr.arpa"{ + type master; + notify no; + file "/etc/bind/db.gsb.lan.rev"; +}; diff --git a/roles/dns-master/files/named.conf.options b/roles/dns-master/files/named.conf.options new file mode 100644 index 0000000..cc3b575 --- /dev/null +++ b/roles/dns-master/files/named.conf.options @@ -0,0 +1,26 @@ +// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 192.168.99.99; + + }; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { none; }; + allow-query { 172.16.0.0/16; } ; + allow-recursion { 172.16.0.0/16; } ; + dnssec-validation no; +}; + diff --git a/roles/dns-master/files/resolv.conf b/roles/dns-master/files/resolv.conf new file mode 100644 index 0000000..13b8bd5 --- /dev/null +++ b/roles/dns-master/files/resolv.conf @@ -0,0 +1,4 @@ +domain gsb.lan +search gsb.lan +nameserver 127.0.0.1 + diff --git a/roles/dns-master/handlers/main.yml b/roles/dns-master/handlers/main.yml new file mode 100644 index 0000000..33d4f98 --- /dev/null +++ b/roles/dns-master/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart bind9 + service: name=bind9 state=restarted + diff --git a/roles/dns-master/tasks/main.yml b/roles/dns-master/tasks/main.yml new file mode 100644 index 0000000..81e0ac5 --- /dev/null +++ b/roles/dns-master/tasks/main.yml @@ -0,0 +1,48 @@ +--- + +- name: Installation bind9 + apt: + name: bind9 + state: present + update_cache: yes + +- name: Copie named.conf.options + copy: + src: named.conf.options + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie named.conf.local + copy: + src: named.conf.local + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie fichier zone directe db.gsb.lan + copy: + src: db.gsb.lan + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie fichier zone inverse db.gsb.lan.rev + copy: + src: db.gsb.lan.rev + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie resolv.conf + copy: + src: resolv.conf + dest: /etc + notify: + - restart bind9 + +- name: Copie page squidguard + copy: + src: forbidden.html + dest: /var/www/ + diff --git a/roles/dns-slave/files/hosts b/roles/dns-slave/files/hosts new file mode 100644 index 0000000..3c35fbd --- /dev/null +++ b/roles/dns-slave/files/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost +127.0.1.1 s-infra + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/roles/dns-slave/files/named.conf.local b/roles/dns-slave/files/named.conf.local new file mode 100644 index 0000000..0149cf9 --- /dev/null +++ b/roles/dns-slave/files/named.conf.local @@ -0,0 +1,28 @@ +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + +//zone direct + zone "gsb.lan" { + type slave; + file "/etc/bind/db.gsb.lan"; + masters { 172.16.0.1; }; + masterfile-format text; + +}; + +//zone inverse + zone "16.172.in-addr.arpa" { + type slave; + notify no; + file "/etc/bind/db.gsb.lan.rev"; + masters { 172.16.0.1; }; + masterfile-format text; + +}; + + diff --git a/roles/dns-slave/files/named.conf.options b/roles/dns-slave/files/named.conf.options new file mode 100644 index 0000000..cc3b575 --- /dev/null +++ b/roles/dns-slave/files/named.conf.options @@ -0,0 +1,26 @@ +// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200) + +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 192.168.99.99; + + }; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { none; }; + allow-query { 172.16.0.0/16; } ; + allow-recursion { 172.16.0.0/16; } ; + dnssec-validation no; +}; + diff --git a/roles/dns-slave/files/resolv.conf b/roles/dns-slave/files/resolv.conf new file mode 100644 index 0000000..13b8bd5 --- /dev/null +++ b/roles/dns-slave/files/resolv.conf @@ -0,0 +1,4 @@ +domain gsb.lan +search gsb.lan +nameserver 127.0.0.1 + diff --git a/roles/dns-slave/handlers/main.yml b/roles/dns-slave/handlers/main.yml new file mode 100644 index 0000000..33d4f98 --- /dev/null +++ b/roles/dns-slave/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart bind9 + service: name=bind9 state=restarted + diff --git a/roles/dns-slave/tasks/main.yml b/roles/dns-slave/tasks/main.yml new file mode 100644 index 0000000..780af40 --- /dev/null +++ b/roles/dns-slave/tasks/main.yml @@ -0,0 +1,38 @@ +- name: Installation bind9 + apt: + name: bind9 + state: present + +- name: Copie named.conf.options + copy: + src: named.conf.options + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie named.conf.local + copy: + src: named.conf.local + dest: /etc/bind + notify: + - restart bind9 + +- name: Copie resolv.conf + copy: + src: resolv.conf + dest: /etc + notify: + - restart bind9 + +- name: Changement de droit pour le répertoire /etc/bind + ansible.builtin.lineinfile: + path: /etc/apparmor.d/usr.sbin.named + regexp: ' /etc/bind/\*\* r,' + line: ' /etc/bind/** rw,' + + +- name: Changement de permission pour le groupe de /etc/bind + ansible.builtin.file: + path: /etc/bind/ + state: directory + mode: g=rwx diff --git a/roles/dnsmasq/files/dnsmasq.conf b/roles/dnsmasq/files/dnsmasq.conf new file mode 100644 index 0000000..bb3077c --- /dev/null +++ b/roles/dnsmasq/files/dnsmasq.conf @@ -0,0 +1,531 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via enp0s8 +# server=10.1.2.3@enp0s8 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg enp0s3) here. +# Repeat the line for more than one interface. +interface=enp0s8 +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface=enp0s3 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h +dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/*.conf diff --git a/roles/dnsmasq/handlers/main.yml b/roles/dnsmasq/handlers/main.yml new file mode 100644 index 0000000..a9d7c7f --- /dev/null +++ b/roles/dnsmasq/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart dnsmasq + service: name=dnsmasq state=restarted diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..0a8132e --- /dev/null +++ b/roles/dnsmasq/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- name: Installation dnsmasq + apt: name=dnsmasq state=present + +- name: Copie du fichier dnsmasq.conf + copy: src=dnsmasq.conf dest=/etc/ + notify: + - restart dnsmasq + + diff --git a/roles/docker-nextcloud/files/config.php b/roles/docker-nextcloud/files/config.php new file mode 100644 index 0000000..4a8a5c3 --- /dev/null +++ b/roles/docker-nextcloud/files/config.php @@ -0,0 +1,48 @@ + '/', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'apps_paths' => + array ( + 0 => + array ( + 'path' => '/var/www/html/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => + array ( + 'path' => '/var/www/html/custom_apps', + 'url' => '/custom_apps', + 'writable' => true, + ), + ), + 'instanceid' => 'ocvc4q2htemf', + 'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI', + 'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU', + 'trusted_domains' => + array ( + 0 => '172.16.0.7:5678', + 1 => '172.16.0.7:8080', + 2 => 's-mess', + 3 => 's-mess.gsb.lan', + 4 => 'localhost:8080', + 5 => 's-nxec.gsb.lan', + ), + 'trusted_proxies' => ['172.16.0.7'], + 'overwriteprotocol' => 'http', + 'overwritehost' => '172.16.0.7:8080', + 'proxy' => '172.16.0.7:8080', + 'datadirectory' => '/var/www/html/data', + 'dbtype' => 'mysql', + 'version' => '20.0.6.1', + 'overwrite.cli.url' => 'http://172.16.0.7:5678', + 'dbname' => 'nextcloud', + 'dbhost' => 'db', + 'dbport' => '', + 'dbtableprefix' => 'oc_', + 'mysql.utf8mb4' => true, + 'dbuser' => 'nextcloud', + 'dbpassword' => 'root', + 'installed' => true, +); diff --git a/roles/docker-nextcloud/files/dhparam.pem b/roles/docker-nextcloud/files/dhparam.pem new file mode 100644 index 0000000..30b44e5 --- /dev/null +++ b/roles/docker-nextcloud/files/dhparam.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ +17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA +4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/ +9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC +3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf +6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr +mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym +BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n +uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N +CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O +h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI= +-----END DH PARAMETERS----- diff --git a/roles/docker-nextcloud/files/docker-compose.yml b/roles/docker-nextcloud/files/docker-compose.yml new file mode 100755 index 0000000..1278464 --- /dev/null +++ b/roles/docker-nextcloud/files/docker-compose.yml @@ -0,0 +1,35 @@ +version: '2' + +volumes: + nextcloud: + db: + +services: + db: + image: mariadb + restart: always + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + volumes: + - db:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=root + - MYSQL_PASSWORD=root + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - TZ=Europe/Paris + + app: + image: nextcloud + restart: always + ports: + - 5678:80 + links: + - db + volumes: + - ./nextcloud:/var/www/html + environment: + - MYSQL_PASSWORD=root + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - MYSQL_HOST=db + - TZ=Europe/Paris diff --git a/roles/docker-nextcloud/files/get_docker.sh b/roles/docker-nextcloud/files/get_docker.sh new file mode 100755 index 0000000..6397546 --- /dev/null +++ b/roles/docker-nextcloud/files/get_docker.sh @@ -0,0 +1,502 @@ +#!/bin/sh +set -e +# Docker CE for Linux installation script +# +# See https://docs.docker.com/install/ for the installation steps. +# +# This script is meant for quick & easy install via: +# $ curl -fsSL https://get.docker.com -o get-docker.sh +# $ sh get-docker.sh +# +# For test builds (ie. release candidates): +# $ curl -fsSL https://test.docker.com -o test-docker.sh +# $ sh test-docker.sh +# +# NOTE: Make sure to verify the contents of the script +# you downloaded matches the contents of install.sh +# located at https://github.com/docker/docker-install +# before executing. +# +# Git commit from https://github.com/docker/docker-install when +# the script was uploaded (Should only be modified by upload job): +SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4" + + +# The channel to install from: +# * nightly +# * test +# * stable +# * edge (deprecated) +DEFAULT_CHANNEL_VALUE="stable" +if [ -z "$CHANNEL" ]; then + CHANNEL=$DEFAULT_CHANNEL_VALUE +fi + +DEFAULT_DOWNLOAD_URL="https://download.docker.com" +if [ -z "$DOWNLOAD_URL" ]; then + DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL +fi + +DEFAULT_REPO_FILE="docker-ce.repo" +if [ -z "$REPO_FILE" ]; then + REPO_FILE="$DEFAULT_REPO_FILE" +fi + +mirror='' +DRY_RUN=${DRY_RUN:-} +while [ $# -gt 0 ]; do + case "$1" in + --mirror) + mirror="$2" + shift + ;; + --dry-run) + DRY_RUN=1 + ;; + --*) + echo "Illegal option $1" + ;; + esac + shift $(( $# > 0 ? 1 : 0 )) +done + +case "$mirror" in + Aliyun) + DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" + ;; + AzureChinaCloud) + DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" + ;; +esac + +command_exists() { + command -v "$@" > /dev/null 2>&1 +} + +is_dry_run() { + if [ -z "$DRY_RUN" ]; then + return 1 + else + return 0 + fi +} + +is_wsl() { + case "$(uname -r)" in + *microsoft* ) true ;; # WSL 2 + *Microsoft* ) true ;; # WSL 1 + * ) false;; + esac +} + +is_darwin() { + case "$(uname -s)" in + *darwin* ) true ;; + *Darwin* ) true ;; + * ) false;; + esac +} + +deprecation_notice() { + distro=$1 + date=$2 + echo + echo "DEPRECATION WARNING:" + echo " The distribution, $distro, will no longer be supported in this script as of $date." + echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new" + echo + sleep 10 +} + +get_distribution() { + lsb_dist="" + # Every system that we officially support has /etc/os-release + if [ -r /etc/os-release ]; then + lsb_dist="$(. /etc/os-release && echo "$ID")" + fi + # Returning an empty string here should be alright since the + # case statements don't act unless you provide an actual value + echo "$lsb_dist" +} + +add_debian_backport_repo() { + debian_version="$1" + backports="deb http://ftp.debian.org/debian $debian_version-backports main" + if ! grep -Fxq "$backports" /etc/apt/sources.list; then + (set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list") + fi +} + +echo_docker_as_nonroot() { + if is_dry_run; then + return + fi + if command_exists docker && [ -e /var/run/docker.sock ]; then + ( + set -x + $sh_c 'docker version' + ) || true + fi + your_user=your-user + [ "$user" != 'root' ] && your_user="$user" + # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output + echo "If you would like to use Docker as a non-root user, you should now consider" + echo "adding your user to the \"docker\" group with something like:" + echo + echo " sudo usermod -aG docker $your_user" + echo + echo "Remember that you will have to log out and back in for this to take effect!" + echo + echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run" + echo " containers which can be used to obtain root privileges on the" + echo " docker host." + echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface" + echo " for more information." + +} + +# Check if this is a forked Linux distro +check_forked() { + + # Check for lsb_release command existence, it usually exists in forked distros + if command_exists lsb_release; then + # Check if the `-u` option is supported + set +e + lsb_release -a -u > /dev/null 2>&1 + lsb_release_exit_code=$? + set -e + + # Check if the command has exited successfully, it means we're in a forked distro + if [ "$lsb_release_exit_code" = "0" ]; then + # Print info about current distro + cat <<-EOF + You're using '$lsb_dist' version '$dist_version'. + EOF + + # Get the upstream release info + lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') + dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') + + # Print info about upstream distro + cat <<-EOF + Upstream release is '$lsb_dist' version '$dist_version'. + EOF + else + if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then + if [ "$lsb_dist" = "osmc" ]; then + # OSMC runs Raspbian + lsb_dist=raspbian + else + # We're Debian and don't even know it! + lsb_dist=debian + fi + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8|'Kali Linux 2') + dist_version="jessie" + ;; + esac + fi + fi + fi +} + +semverParse() { + major="${1%%.*}" + minor="${1#$major.}" + minor="${minor%%.*}" + patch="${1#$major.$minor.}" + patch="${patch%%[-.]*}" +} + +do_install() { + echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" + + if command_exists docker; then + docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)" + MAJOR_W=1 + MINOR_W=10 + + semverParse "$docker_version" + + shouldWarn=0 + if [ "$major" -lt "$MAJOR_W" ]; then + shouldWarn=1 + fi + + if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then + shouldWarn=1 + fi + + cat >&2 <<-'EOF' + Warning: the "docker" command appears to already exist on this system. + + If you already have Docker installed, this script can cause trouble, which is + why we're displaying this warning and provide the opportunity to cancel the + installation. + + If you installed the current Docker package using this script and are using it + EOF + + if [ $shouldWarn -eq 1 ]; then + cat >&2 <<-'EOF' + again to update Docker, we urge you to migrate your image store before upgrading + to v1.10+. + + You can find instructions for this here: + https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration + EOF + else + cat >&2 <<-'EOF' + again to update Docker, you can safely ignore this message. + EOF + fi + + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + user="$(id -un 2>/dev/null || true)" + + sh_c='sh -c' + if [ "$user" != 'root' ]; then + if command_exists sudo; then + sh_c='sudo -E sh -c' + elif command_exists su; then + sh_c='su -c' + else + cat >&2 <<-'EOF' + Error: this installer needs the ability to run commands as root. + We are unable to find either "sudo" or "su" available to make this happen. + EOF + exit 1 + fi + fi + + if is_dry_run; then + sh_c="echo" + fi + + # perform some very rudimentary platform detection + lsb_dist=$( get_distribution ) + lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" + + if is_wsl; then + echo + echo "WSL DETECTED: We recommend using Docker Desktop for Windows." + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + case "$lsb_dist" in + + ubuntu) + if command_exists lsb_release; then + dist_version="$(lsb_release --codename | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then + dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" + fi + ;; + + debian|raspbian) + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8) + dist_version="jessie" + ;; + esac + ;; + + centos|rhel) + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + *) + if command_exists lsb_release; then + dist_version="$(lsb_release --release | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + esac + + # Check if this is a forked Linux distro + check_forked + + # Run setup for each distro accordingly + case "$lsb_dist" in + ubuntu|debian|raspbian) + pre_reqs="apt-transport-https ca-certificates curl" + if [ "$lsb_dist" = "debian" ]; then + # libseccomp2 does not exist for debian jessie main repos for aarch64 + if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then + add_debian_backport_repo "$dist_version" + fi + fi + + if ! command -v gpg > /dev/null; then + pre_reqs="$pre_reqs gnupg" + fi + apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" + ( + if ! is_dry_run; then + set -x + fi + $sh_c 'apt-get update -qq >/dev/null' + $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null" + $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null" + $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" + $sh_c 'apt-get update -qq >/dev/null' + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist" + search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst apt-cache madison results" + echo + exit 1 + fi + search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + # Don't insert an = for cli_pkg_version, we'll just include it later + cli_pkg_version="$($sh_c "$search_command")" + pkg_version="=$pkg_version" + fi + fi + ( + if ! is_dry_run; then + set -x + fi + if [ -n "$cli_pkg_version" ]; then + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null" + fi + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null" + ) + echo_docker_as_nonroot + exit 0 + ;; + centos|fedora|rhel) + yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" + if ! curl -Ifs "$yum_repo" > /dev/null; then + echo "Error: Unable to curl repository file $yum_repo, is it valid?" + exit 1 + fi + if [ "$lsb_dist" = "fedora" ]; then + pkg_manager="dnf" + config_manager="dnf config-manager" + enable_channel_flag="--set-enabled" + disable_channel_flag="--set-disabled" + pre_reqs="dnf-plugins-core" + pkg_suffix="fc$dist_version" + else + pkg_manager="yum" + config_manager="yum-config-manager" + enable_channel_flag="--enable" + disable_channel_flag="--disable" + pre_reqs="yum-utils" + pkg_suffix="el" + fi + ( + if ! is_dry_run; then + set -x + fi + $sh_c "$pkg_manager install -y -q $pre_reqs" + $sh_c "$config_manager --add-repo $yum_repo" + + if [ "$CHANNEL" != "stable" ]; then + $sh_c "$config_manager $disable_channel_flag docker-ce-*" + $sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL" + fi + $sh_c "$pkg_manager makecache" + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix" + search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" + echo + exit 1 + fi + search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package + cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)" + # Cut out the epoch and prefix with a '-' + pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" + fi + fi + ( + if ! is_dry_run; then + set -x + fi + # install the correct cli version first + if [ -n "$cli_pkg_version" ]; then + $sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version" + fi + $sh_c "$pkg_manager install -y -q docker-ce$pkg_version" + ) + echo_docker_as_nonroot + exit 0 + ;; + *) + if [ -z "$lsb_dist" ]; then + if is_darwin; then + echo + echo "ERROR: Unsupported operating system 'macOS'" + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + exit 1 + fi + fi + echo + echo "ERROR: Unsupported distribution '$lsb_dist'" + echo + exit 1 + ;; + esac + exit 1 +} + +# wrapped up in a function so that we have some protection against only getting +# half the file during "curl | sh" +do_install diff --git a/roles/docker-nextcloud/files/nginx-selfsigned.crt b/roles/docker-nextcloud/files/nginx-selfsigned.crt new file mode 100644 index 0000000..c7548de --- /dev/null +++ b/roles/docker-nextcloud/files/nginx-selfsigned.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL +BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM +BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z +LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp +bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE +BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV +BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu +MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg +HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/ +JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL +Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt +xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ +O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT +MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt +mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE +XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf +DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs +lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT +/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+ +ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI= +-----END CERTIFICATE----- diff --git a/roles/docker-nextcloud/files/nginx-selfsigned.key b/roles/docker-nextcloud/files/nginx-selfsigned.key new file mode 100644 index 0000000..e5eca2f --- /dev/null +++ b/roles/docker-nextcloud/files/nginx-selfsigned.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF ++gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO +FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU +aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+ ++Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ +HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg +htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up +R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a +0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP +ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL +fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl +17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/ +acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a +O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD +HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf +ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz +iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/ +7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO +jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA +c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV +azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf +sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+ +oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax +VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq +hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn +SwyeWd4Zkt/wvqmocF5KVqI= +-----END PRIVATE KEY----- diff --git a/roles/docker-nextcloud/files/proxy b/roles/docker-nextcloud/files/proxy new file mode 100644 index 0000000..7e5abec --- /dev/null +++ b/roles/docker-nextcloud/files/proxy @@ -0,0 +1,121 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name s-nxec.gsb.lan; + + return 302 https://$server_name$request_uri; +} +# location / { +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_pass http://localhost:5678; +# proxy_connect_timeout 900; +# proxy_send_timeout 900; +# proxy_read_timeout 900; + +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + server_name s-nxec.gsb.lan; + + include snippets/self-signed.conf; + include snippets/ssl-params.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass http://localhost:5678; + proxy_connect_timeout 900; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + +} + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + +# root /var/www/html; + + # Add index.php to the list if you are using PHP +# index index.html index.htm index.nginx-debian.html; + +# server_name _; + +# location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. +# try_files $uri $uri/ =404; +# } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.3-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/roles/docker-nextcloud/files/proxy.bak b/roles/docker-nextcloud/files/proxy.bak new file mode 100644 index 0000000..534e71e --- /dev/null +++ b/roles/docker-nextcloud/files/proxy.bak @@ -0,0 +1,100 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 8080 default_server; + listen [::]:8080 default_server; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass http://localhost:5678; + proxy_connect_timeout 900; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + +# root /var/www/html; + + # Add index.php to the list if you are using PHP +# index index.html index.htm index.nginx-debian.html; + +# server_name _; + +# location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. +# try_files $uri $uri/ =404; +# } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.3-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/roles/docker-nextcloud/files/self-signed.conf b/roles/docker-nextcloud/files/self-signed.conf new file mode 100644 index 0000000..d9017ca --- /dev/null +++ b/roles/docker-nextcloud/files/self-signed.conf @@ -0,0 +1,2 @@ +ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; +ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; diff --git a/roles/docker-nextcloud/files/ssl-params.conf b/roles/docker-nextcloud/files/ssl-params.conf new file mode 100644 index 0000000..473862a --- /dev/null +++ b/roles/docker-nextcloud/files/ssl-params.conf @@ -0,0 +1,18 @@ +ssl_protocols TLSv1.2; +ssl_prefer_server_ciphers on; +ssl_dhparam /etc/nginx/dhparam.pem; +ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 +ssl_session_timeout 10m; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; # Requires nginx >= 1.5.9 +ssl_stapling on; # Requires nginx >= 1.3.7 +ssl_stapling_verify on; # Requires nginx => 1.3.7 +resolver 172.16.0.1 valid=300s; +resolver_timeout 5s; +# Disable strict transport security for now. You can uncomment the following +# line if you understand the implications. +# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml new file mode 100644 index 0000000..08c877b --- /dev/null +++ b/roles/docker-nextcloud/tasks/main.yml @@ -0,0 +1,89 @@ +--- +- name: Creation du repertoire nextcloud + file: + path: /root/nextcloud + state: directory + +- name: Copie du script get_docker + copy: + src: get_docker.sh + dest: /root/nextcloud + +- name: Execution du script get_docker + script: /root/nextcloud/get_docker.sh + +- name: Installation de docker-compose + shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + +- name: Attribution des droits de docker compose + file: + path: /usr/local/bin/docker-compose + mode: '755' + +- name: Copie de docker-compose.yml + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml + dest: /root/nextcloud + +- name: Execution du fichier docker-compose.yml + shell: docker-compose up -d + args: + chdir: /root/nextcloud + +- name: Installation de Nginx + package: + name: nginx + state: present + +- name: Copie de config.php dans /root/nextcloud/nextcloud/config + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php + dest: /root/nextcloud/nextcloud/config + +- name: Copie de nginx-selfsigned.key + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key + dest: /etc/ssl/private + +- name: Copie nginx-selfsigned.crt + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt + dest: /etc/ssl/certs + +- name: Copie de dhparam.pem + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem + dest: /etc/nginx + +- name: Copie de self-signed.conf + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf + dest: /etc/nginx/snippets + +- name: Copie de ssl-params.conf + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf + dest: /etc/nginx/snippets + +- name: Copie de /etc/nginx/site-availables/proxy + copy: + src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy + dest: /etc/nginx/sites-available + +- name: Suppression de /etc/nginx/sites-enabled/default + file: + path: /etc/nginx/sites-enabled/default + state: absent + +- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/n$ + file: + src: /etc/nginx/sites-available/proxy + dest: /etc/nginx/sites-enabled/proxy + owner: root + group: root + state: link + +- name: Redemarage de Nginx + service: + name: nginx + state: restarted diff --git a/roles/docker/README.md b/roles/docker/README.md new file mode 100644 index 0000000..9f2c60b --- /dev/null +++ b/roles/docker/README.md @@ -0,0 +1,10 @@ +# Installation de docker + +Pour assurer l'installation de docker il vous faut lancer le script getall depuis s-adm. +Chemin de getall : /var/www/html/gsbstore/ + +#### Fonctionnement du playbook + +Le playbook va télécharger getdocker.sh et le placer dans tmp. +Il va donc lancer docker.sh et ensuite installer docker-compose, suite à cela, l'installation +est terminée. diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..506392b --- /dev/null +++ b/roles/docker/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: Téléchargement getdocker.sh + ansible.builtin.get_url: + url: http://s-adm.gsb.adm/gsbstore/getdocker.sh + dest: /tmp + mode: '0755' + +- name: Execution du script getdocker + ansible.builtin.script: + cmd: /tmp/getdocker.sh + +- name: Téléchargement docker-compose + ansible.builtin.get_url: + url: http://s-adm.gsb.adm/gsbstore/docker-compose + dest: /usr/local/bin + mode: '0755' diff --git a/roles/elk/README.md b/roles/elk/README.md new file mode 100644 index 0000000..bb8cdd8 --- /dev/null +++ b/roles/elk/README.md @@ -0,0 +1,8 @@ +## Principe du rôle elk + +Ce rôle permet de créer un serveur ELK pour centraliser les logs et d'avoir des métriques pour simplifier la gestion du parc informatique GSB. +Le principe de se rôle est d'installer docker, les différentes tâches de se rôle est de : +Vérifier si ELK est déjà installé, +Installer ELK sur github, +Changer la configuration +Lancer ELK avec docker-compose diff --git a/roles/elk/files/get_docker.sh b/roles/elk/files/get_docker.sh new file mode 100755 index 0000000..6397546 --- /dev/null +++ b/roles/elk/files/get_docker.sh @@ -0,0 +1,502 @@ +#!/bin/sh +set -e +# Docker CE for Linux installation script +# +# See https://docs.docker.com/install/ for the installation steps. +# +# This script is meant for quick & easy install via: +# $ curl -fsSL https://get.docker.com -o get-docker.sh +# $ sh get-docker.sh +# +# For test builds (ie. release candidates): +# $ curl -fsSL https://test.docker.com -o test-docker.sh +# $ sh test-docker.sh +# +# NOTE: Make sure to verify the contents of the script +# you downloaded matches the contents of install.sh +# located at https://github.com/docker/docker-install +# before executing. +# +# Git commit from https://github.com/docker/docker-install when +# the script was uploaded (Should only be modified by upload job): +SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4" + + +# The channel to install from: +# * nightly +# * test +# * stable +# * edge (deprecated) +DEFAULT_CHANNEL_VALUE="stable" +if [ -z "$CHANNEL" ]; then + CHANNEL=$DEFAULT_CHANNEL_VALUE +fi + +DEFAULT_DOWNLOAD_URL="https://download.docker.com" +if [ -z "$DOWNLOAD_URL" ]; then + DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL +fi + +DEFAULT_REPO_FILE="docker-ce.repo" +if [ -z "$REPO_FILE" ]; then + REPO_FILE="$DEFAULT_REPO_FILE" +fi + +mirror='' +DRY_RUN=${DRY_RUN:-} +while [ $# -gt 0 ]; do + case "$1" in + --mirror) + mirror="$2" + shift + ;; + --dry-run) + DRY_RUN=1 + ;; + --*) + echo "Illegal option $1" + ;; + esac + shift $(( $# > 0 ? 1 : 0 )) +done + +case "$mirror" in + Aliyun) + DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" + ;; + AzureChinaCloud) + DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" + ;; +esac + +command_exists() { + command -v "$@" > /dev/null 2>&1 +} + +is_dry_run() { + if [ -z "$DRY_RUN" ]; then + return 1 + else + return 0 + fi +} + +is_wsl() { + case "$(uname -r)" in + *microsoft* ) true ;; # WSL 2 + *Microsoft* ) true ;; # WSL 1 + * ) false;; + esac +} + +is_darwin() { + case "$(uname -s)" in + *darwin* ) true ;; + *Darwin* ) true ;; + * ) false;; + esac +} + +deprecation_notice() { + distro=$1 + date=$2 + echo + echo "DEPRECATION WARNING:" + echo " The distribution, $distro, will no longer be supported in this script as of $date." + echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new" + echo + sleep 10 +} + +get_distribution() { + lsb_dist="" + # Every system that we officially support has /etc/os-release + if [ -r /etc/os-release ]; then + lsb_dist="$(. /etc/os-release && echo "$ID")" + fi + # Returning an empty string here should be alright since the + # case statements don't act unless you provide an actual value + echo "$lsb_dist" +} + +add_debian_backport_repo() { + debian_version="$1" + backports="deb http://ftp.debian.org/debian $debian_version-backports main" + if ! grep -Fxq "$backports" /etc/apt/sources.list; then + (set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list") + fi +} + +echo_docker_as_nonroot() { + if is_dry_run; then + return + fi + if command_exists docker && [ -e /var/run/docker.sock ]; then + ( + set -x + $sh_c 'docker version' + ) || true + fi + your_user=your-user + [ "$user" != 'root' ] && your_user="$user" + # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output + echo "If you would like to use Docker as a non-root user, you should now consider" + echo "adding your user to the \"docker\" group with something like:" + echo + echo " sudo usermod -aG docker $your_user" + echo + echo "Remember that you will have to log out and back in for this to take effect!" + echo + echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run" + echo " containers which can be used to obtain root privileges on the" + echo " docker host." + echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface" + echo " for more information." + +} + +# Check if this is a forked Linux distro +check_forked() { + + # Check for lsb_release command existence, it usually exists in forked distros + if command_exists lsb_release; then + # Check if the `-u` option is supported + set +e + lsb_release -a -u > /dev/null 2>&1 + lsb_release_exit_code=$? + set -e + + # Check if the command has exited successfully, it means we're in a forked distro + if [ "$lsb_release_exit_code" = "0" ]; then + # Print info about current distro + cat <<-EOF + You're using '$lsb_dist' version '$dist_version'. + EOF + + # Get the upstream release info + lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') + dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') + + # Print info about upstream distro + cat <<-EOF + Upstream release is '$lsb_dist' version '$dist_version'. + EOF + else + if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then + if [ "$lsb_dist" = "osmc" ]; then + # OSMC runs Raspbian + lsb_dist=raspbian + else + # We're Debian and don't even know it! + lsb_dist=debian + fi + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8|'Kali Linux 2') + dist_version="jessie" + ;; + esac + fi + fi + fi +} + +semverParse() { + major="${1%%.*}" + minor="${1#$major.}" + minor="${minor%%.*}" + patch="${1#$major.$minor.}" + patch="${patch%%[-.]*}" +} + +do_install() { + echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" + + if command_exists docker; then + docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)" + MAJOR_W=1 + MINOR_W=10 + + semverParse "$docker_version" + + shouldWarn=0 + if [ "$major" -lt "$MAJOR_W" ]; then + shouldWarn=1 + fi + + if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then + shouldWarn=1 + fi + + cat >&2 <<-'EOF' + Warning: the "docker" command appears to already exist on this system. + + If you already have Docker installed, this script can cause trouble, which is + why we're displaying this warning and provide the opportunity to cancel the + installation. + + If you installed the current Docker package using this script and are using it + EOF + + if [ $shouldWarn -eq 1 ]; then + cat >&2 <<-'EOF' + again to update Docker, we urge you to migrate your image store before upgrading + to v1.10+. + + You can find instructions for this here: + https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration + EOF + else + cat >&2 <<-'EOF' + again to update Docker, you can safely ignore this message. + EOF + fi + + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + user="$(id -un 2>/dev/null || true)" + + sh_c='sh -c' + if [ "$user" != 'root' ]; then + if command_exists sudo; then + sh_c='sudo -E sh -c' + elif command_exists su; then + sh_c='su -c' + else + cat >&2 <<-'EOF' + Error: this installer needs the ability to run commands as root. + We are unable to find either "sudo" or "su" available to make this happen. + EOF + exit 1 + fi + fi + + if is_dry_run; then + sh_c="echo" + fi + + # perform some very rudimentary platform detection + lsb_dist=$( get_distribution ) + lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" + + if is_wsl; then + echo + echo "WSL DETECTED: We recommend using Docker Desktop for Windows." + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + case "$lsb_dist" in + + ubuntu) + if command_exists lsb_release; then + dist_version="$(lsb_release --codename | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then + dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" + fi + ;; + + debian|raspbian) + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8) + dist_version="jessie" + ;; + esac + ;; + + centos|rhel) + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + *) + if command_exists lsb_release; then + dist_version="$(lsb_release --release | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + esac + + # Check if this is a forked Linux distro + check_forked + + # Run setup for each distro accordingly + case "$lsb_dist" in + ubuntu|debian|raspbian) + pre_reqs="apt-transport-https ca-certificates curl" + if [ "$lsb_dist" = "debian" ]; then + # libseccomp2 does not exist for debian jessie main repos for aarch64 + if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then + add_debian_backport_repo "$dist_version" + fi + fi + + if ! command -v gpg > /dev/null; then + pre_reqs="$pre_reqs gnupg" + fi + apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" + ( + if ! is_dry_run; then + set -x + fi + $sh_c 'apt-get update -qq >/dev/null' + $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null" + $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null" + $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" + $sh_c 'apt-get update -qq >/dev/null' + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist" + search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst apt-cache madison results" + echo + exit 1 + fi + search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + # Don't insert an = for cli_pkg_version, we'll just include it later + cli_pkg_version="$($sh_c "$search_command")" + pkg_version="=$pkg_version" + fi + fi + ( + if ! is_dry_run; then + set -x + fi + if [ -n "$cli_pkg_version" ]; then + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null" + fi + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null" + ) + echo_docker_as_nonroot + exit 0 + ;; + centos|fedora|rhel) + yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" + if ! curl -Ifs "$yum_repo" > /dev/null; then + echo "Error: Unable to curl repository file $yum_repo, is it valid?" + exit 1 + fi + if [ "$lsb_dist" = "fedora" ]; then + pkg_manager="dnf" + config_manager="dnf config-manager" + enable_channel_flag="--set-enabled" + disable_channel_flag="--set-disabled" + pre_reqs="dnf-plugins-core" + pkg_suffix="fc$dist_version" + else + pkg_manager="yum" + config_manager="yum-config-manager" + enable_channel_flag="--enable" + disable_channel_flag="--disable" + pre_reqs="yum-utils" + pkg_suffix="el" + fi + ( + if ! is_dry_run; then + set -x + fi + $sh_c "$pkg_manager install -y -q $pre_reqs" + $sh_c "$config_manager --add-repo $yum_repo" + + if [ "$CHANNEL" != "stable" ]; then + $sh_c "$config_manager $disable_channel_flag docker-ce-*" + $sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL" + fi + $sh_c "$pkg_manager makecache" + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix" + search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" + echo + exit 1 + fi + search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package + cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)" + # Cut out the epoch and prefix with a '-' + pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" + fi + fi + ( + if ! is_dry_run; then + set -x + fi + # install the correct cli version first + if [ -n "$cli_pkg_version" ]; then + $sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version" + fi + $sh_c "$pkg_manager install -y -q docker-ce$pkg_version" + ) + echo_docker_as_nonroot + exit 0 + ;; + *) + if [ -z "$lsb_dist" ]; then + if is_darwin; then + echo + echo "ERROR: Unsupported operating system 'macOS'" + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + exit 1 + fi + fi + echo + echo "ERROR: Unsupported distribution '$lsb_dist'" + echo + exit 1 + ;; + esac + exit 1 +} + +# wrapped up in a function so that we have some protection against only getting +# half the file during "curl | sh" +do_install diff --git a/roles/elk/tasks/main.yml b/roles/elk/tasks/main.yml new file mode 100644 index 0000000..3c5959b --- /dev/null +++ b/roles/elk/tasks/main.yml @@ -0,0 +1,27 @@ +--- + - name: Création répertoire docker + file: + path: /root/elk + state: directory + + - name: Vérification d'ELK + stat: + path: /root/elk/docker-compose.yml + register: elk + + - name: Installation d'ELK + ansible.builtin.git: + repo: https://github.com/deviantony/docker-elk.git + dest: /root/elk/ + when: not elk.stat.exists + + - name: Configuration d'ELK + replace: + path: /root/elk/elasticsearch/config/elasticsearch.yml + regexp: 'xpack.license.self_generated.type: trial' + replace: 'xpack.license.self_generated.type: basic' + + - name: Execution du fichier docker-compose.yml + shell: docker-compose up -d + args: + chdir: /root/elk diff --git a/roles/filebeat-cli/README.md b/roles/filebeat-cli/README.md new file mode 100644 index 0000000..2e7f0cc --- /dev/null +++ b/roles/filebeat-cli/README.md @@ -0,0 +1,7 @@ +## Explication du rôle filebeat-cli + +Filebeat permet de centraliser et simplifier la gestion de logs pour ELK. +Ce rôle fonctionne en faisant : +Une installation de filebeat +Une configuration de filebeat +Une activation du module system(Logs système) diff --git a/roles/filebeat-cli/files/filebeat.yml b/roles/filebeat-cli/files/filebeat.yml new file mode 100644 index 0000000..bd7e41f --- /dev/null +++ b/roles/filebeat-cli/files/filebeat.yml @@ -0,0 +1,226 @@ +###################### Filebeat Configuration Example ######################### + +# This file is an example configuration file highlighting only the most common +# options. The filebeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/filebeat/index.html + +# For more available modules and options, please see the filebeat.reference.yml sample +# configuration file. + +# ============================== Filebeat inputs =============================== + +filebeat.inputs: + +# Each - is an input. Most options can be set at the input level, so +# you can use different inputs for various configurations. +# Below are the input specific configurations. + +# filestream is an input for collecting log messages from files. +- type: filestream + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #prospector.scanner.exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + +# ============================== Filebeat modules ============================== + +filebeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + #index.codec: best_compression + #_source.enabled: false + + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + +# ================================= Dashboards ================================= +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. +#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + host: "s-elk.gsb.lan:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["s-elk.gsb.lan:9200"] + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + username: "elastic" + password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= +processors: + - add_host_metadata: + when.not.contains.tags: forwarded + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + - add_kubernetes_metadata: ~ + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publisher", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Filebeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the filebeat. +#instrumentation: + # Set to true to enable instrumentation of filebeat. + #enabled: false + + # Environment in which filebeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/roles/filebeat-cli/handlers/main.yml b/roles/filebeat-cli/handlers/main.yml new file mode 100644 index 0000000..e1054ad --- /dev/null +++ b/roles/filebeat-cli/handlers/main.yml @@ -0,0 +1,5 @@ +- name: start filebeat + service: + name: filebeat + state: started + enabled: yes diff --git a/roles/filebeat-cli/tasks/main.yml b/roles/filebeat-cli/tasks/main.yml new file mode 100644 index 0000000..f9d8ff1 --- /dev/null +++ b/roles/filebeat-cli/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: Récupération de filebeat + get_url: + url: http://s-adm.gsb.adm/gsbstore/filebeat-7.16.3-amd64.deb + dest: /tmp/ + +- name: Installation de filebeat + apt: + deb: /tmp/filebeat-7.16.3-amd64.deb + +- name: Changement du fichier de conf + copy: + src: filebeat.yml + dest: /etc/filebeat/filebeat.yml + +- name: Configuration de filebeat + shell: filebeat modules enable system + notify: start filebeat + +- name: Lancement de la configuration de filebeat + shell: filebeat setup -e + notify: start filebeat + diff --git a/roles/fog/defaults/main.yml b/roles/fog/defaults/main.yml new file mode 100644 index 0000000..0086a1a --- /dev/null +++ b/roles/fog/defaults/main.yml @@ -0,0 +1,3 @@ +depl_url: "http://s-adm.gsb.adm/gsbstore" +depl_fog: "fogproject-1.5.9.tar.gz" +instructions: "Pour lancer l'installateur Fog, faites : 'bash /root/tools/fog/bin/installfog.sh'. Suivez ensuite les instructions" diff --git a/roles/fog/tasks/main.yml b/roles/fog/tasks/main.yml new file mode 100644 index 0000000..c1452be --- /dev/null +++ b/roles/fog/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: creation d'un repertoire fog + file: + path: /root/tools/fog + state: directory + +- name: recuperation de l'archive d'installation fog sur git + git: + repo: https://gitea.lyc-lecastel.fr/gadmin/fog.git + dest: /root/tools/fog/ + clone: yes + update: yes + +#- name: Instructions +# tags: msg +# debug: msg='{{instructions}}' + diff --git a/roles/gestsup/README.md b/roles/gestsup/README.md new file mode 100644 index 0000000..599ac30 --- /dev/null +++ b/roles/gestsup/README.md @@ -0,0 +1,6 @@ +# Rôle Gestsup + +Ce playbook installe Gestsup et ses dépendances, et remplace certains fichier pour certaines +configurations. Avant de lancer ce playbook, lancez "getall" sur la machine s-adm. + + diff --git a/roles/gestsup/files/apache2.conf b/roles/gestsup/files/apache2.conf new file mode 100644 index 0000000..94516e6 --- /dev/null +++ b/roles/gestsup/files/apache2.conf @@ -0,0 +1,234 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. + + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + + Options -Indexes -ExecCGI + AllowOverride None + Require all granted + + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/gestsup/files/php.ini b/roles/gestsup/files/php.ini new file mode 100644 index 0000000..953e062 --- /dev/null +++ b/roles/gestsup/files/php.ini @@ -0,0 +1,1947 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. + +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. + +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +; Allows to include or exclude arguments from stack traces generated for exceptions. +; In production, it is recommended to turn this setting on to prohibit the output +; of sensitive information in stack traces +; Default: Off +zend.exception_ignore_args = On + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = Off + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 480 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume +; http://php.net/memory-limit +memory_limit = 512M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. +; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This is only effective in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; This directive is DEPRECATED. +; Default Value: Off +; Development Value: Off +; Production Value: Off +; http://php.net/track-errors +;track_errors = Off + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; http://php.net/html-errors +;html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +; The syslog ident is a string which is prepended to every message logged +; to syslog. Only used when error_log is set to syslog. +;syslog.ident = php + +; The syslog facility is used to specify what type of program is logging +; the message. Only used when error_log is set to syslog. +;syslog.facility = user + +; Set this to disable filtering control characters (the default). +; Some loggers only accept NVT-ASCII, others accept anything that's not +; control characters. If your logger accepts everything, then no filtering +; is needed at all. +; Allowed values are: +; ascii (all printable ASCII characters and NL) +; no-ctrl (all characters except control characters) +; all (all characters) +; raw (like "all", but messages are not split at newlines) +; http://php.net/syslog.filter +;syslog.filter = ascii + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any effect. +; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. +; +; PHP's built-in default media type is set to text/html. +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +;include_path = ".:/usr/share/php" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; http://php.net/extension-dir +;extension_dir = "./" +; On windows: +;extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +;sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +;cgi.discard_path=1 + +; FastCGI under IIS supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. +; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; http://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize +upload_max_filesize = 8M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. +; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename +; +; For example: +; +; extension=mysqli +; +; When the extension library to load is not located in the default extension +; directory, You may specify an absolute path to the library file: +; +; extension=/path/to/extension/mysqli.so +; +; Note : The syntax used in previous PHP versions ('extension=.so' and +; 'extension='php_.dll') is supported for legacy reasons and may be +; deprecated in a future PHP major version. So, when it is possible, please +; move to the new ('extension=) syntax. +; +; Notes for Windows environments : +; +; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+) +; extension folders as well as the separate PECL DLL download (PHP 5+). +; Be sure to appropriately set the extension_dir directive. +; +;extension=bz2 +;extension=curl +;extension=ffi +;extension=ftp +;extension=fileinfo +;extension=gd2 +;extension=gettext +;extension=gmp +;extension=intl +;extension=imap +;extension=ldap +;extension=mbstring +;extension=exif ; Must be after mbstring as it depends on it +;extension=mysqli +;extension=oci8_12c ; Use with Oracle Database 12c Instant Client +;extension=odbc +;extension=openssl +;extension=pdo_firebird +;extension=pdo_mysql +;extension=pdo_oci +;extension=pdo_odbc +;extension=pdo_pgsql +;extension=pdo_sqlite +;extension=pgsql +;extension=shmop + +; The MIBS data available in the PHP distribution must be installed. +; See http://www.php.net/manual/en/snmp.installation.php +;extension=snmp + +;extension=soap +;extension=sockets +;extension=sodium +;extension=sqlite3 +;extension=tidy +;extension=xmlrpc +;extension=xsl + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; http://php.net/date.timezone +date.timezone = Europe/Paris + +; http://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; http://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.583333 + +; http://php.net/date.sunset-zenith +;date.sunset_zenith = 90.583333 + +[filter] +; http://php.net/filter.default +;filter.default = unsafe_raw + +; http://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. +; The precedence is: default_charset < input_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[imap] +; rsh/ssh logins are disabled by default. Use this INI entry if you want to +; enable them. Note that the IMAP library does not filter mailbox names before +; passing them to rsh/ssh command, thus passing untrusted data to this function +; with rsh/ssh enabled is insecure. +;imap.enable_insecure_rsh=0 + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING +;intl.use_exceptions = 0 + +[sqlite3] +; Directory pointing to SQLite3 extensions +; http://php.net/sqlite3.extension-dir +;sqlite3.extension_dir = + +; SQLite defensive mode flag (only available from SQLite 3.26+) +; When the defensive flag is enabled, language features that allow ordinary +; SQL to deliberately corrupt the database file are disabled. This forbids +; writing directly to the schema, shadow tables (eg. FTS data tables), or +; the sqlite_dbpage virtual table. +; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html +; (for older SQLite versions, this flag has no use) +;sqlite3.defensive = 1 + +[Pcre] +; PCRE library backtracking limit. +; http://php.net/pcre.backtrack-limit +;pcre.backtrack_limit=100000 + +; PCRE library recursion limit. +; Please note that if you set this value to a high number you may consume all +; the available process stack and eventually crash PHP (due to reaching the +; stack size limit imposed by the Operating System). +; http://php.net/pcre.recursion-limit +;pcre.recursion_limit=100000 + +; Enables or disables JIT compilation of patterns. This requires the PCRE +; library to be compiled with JIT support. +;pcre.jit=1 + +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; http://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +;pdo_odbc.db2_instance_name + +[Pdo_mysql] +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +pdo_mysql.default_socket= + +[Phar] +; http://php.net/phar.readonly +;phar.readonly = On + +; http://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = + +[mail function] +; For Win32 only. +; http://php.net/smtp +SMTP = localhost +; http://php.net/smtp-port +smtp_port = 25 + +; For Win32 only. +; http://php.net/sendmail-from +;sendmail_from = me@example.com + +; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; http://php.net/sendmail-path +;sendmail_path = + +; Force the addition of the specified parameters to be passed as extra parameters +; to the sendmail binary. These parameters will always replace the value of +; the 5th parameter to mail(). +;mail.force_extra_parameters = + +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = Off + +; The path to a log file that will log all mail() calls. Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on Windows). +;mail.log = syslog + +[ODBC] +; http://php.net/odbc.default-db +;odbc.default_db = Not yet implemented + +; http://php.net/odbc.default-user +;odbc.default_user = Not yet implemented + +; http://php.net/odbc.default-pw +;odbc.default_pw = Not yet implemented + +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + +; Allow or prevent persistent links. +; http://php.net/odbc.allow-persistent +odbc.allow_persistent = On + +; Check that a connection is still valid before reuse. +; http://php.net/odbc.check-persistent +odbc.check_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/odbc.max-persistent +odbc.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/odbc.max-links +odbc.max_links = -1 + +; Handling of LONG fields. Returns number of bytes to variables. 0 means +; passthru. +; http://php.net/odbc.defaultlrl +odbc.defaultlrl = 4096 + +; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. +; See the documentation on odbc_binmode and odbc_longreadlen for an explanation +; of odbc.defaultlrl and odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode +odbc.defaultbinmode = 1 + +[MySQLi] + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + +; Maximum number of links. -1 means no limit. +; http://php.net/mysqli.max-links +mysqli.max_links = -1 + +; Default port number for mysqli_connect(). If unset, mysqli_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysqli.default-port +mysqli.default_port = 3306 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysqli.default-socket +mysqli.default_socket = + +; Default host for mysqli_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-host +mysqli.default_host = + +; Default user for mysqli_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-user +mysqli.default_user = + +; Default password for mysqli_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysqli.default-pw +mysqli.default_pw = + +; Allow or prevent reconnect +mysqli.reconnect = Off + +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +mysqlnd.collect_statistics = On + +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +mysqlnd.collect_memory_statistics = Off + +; Records communication from all extensions using mysqlnd to the specified log +; file. +; http://php.net/mysqlnd.debug +;mysqlnd.debug = + +; Defines which queries will be logged. +;mysqlnd.log_mask = 0 + +; Default size of the mysqlnd memory pool, which is used by result sets. +;mysqlnd.mempool_default_size = 16000 + +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +;mysqlnd.net_read_buffer_size = 32768 + +; Timeout for network requests in seconds. +;mysqlnd.net_read_timeout = 31536000 + +; SHA-256 Authentication Plugin related. File with the MySQL server public RSA +; key. +;mysqlnd.sha256_server_public_key = + +[OCI8] + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; http://php.net/oci8.privileged-connect +;oci8.privileged_connect = Off + +; Connection: The maximum number of persistent OCI8 connections per +; process. Using -1 means no limit. +; http://php.net/oci8.max-persistent +;oci8.max_persistent = -1 + +; Connection: The maximum number of seconds a process is allowed to +; maintain an idle persistent connection. Using -1 means idle +; persistent connections will be maintained forever. +; http://php.net/oci8.persistent-timeout +;oci8.persistent_timeout = -1 + +; Connection: The number of seconds that must pass before issuing a +; ping during oci_pconnect() to check the connection validity. When +; set to 0, each oci_pconnect() will cause a ping. Using -1 disables +; pings completely. +; http://php.net/oci8.ping-interval +;oci8.ping_interval = 60 + +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + +; Tuning: This option enables statement caching, and specifies how +; many statements to cache. Using 0 disables statement caching. +; http://php.net/oci8.statement-cache-size +;oci8.statement_cache_size = 20 + +; Tuning: Enables statement prefetching and sets the default number of +; rows that will be fetched automatically after statement execution. +; http://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 + +; Compatibility. Using On means oci_close() will not close +; oci_connect() and oci_new_connect() connections. +; http://php.net/oci8.old-oci-close-semantics +;oci8.old_oci_close_semantics = Off + +[PostgreSQL] +; Allow or prevent persistent links. +; http://php.net/pgsql.allow-persistent +pgsql.allow_persistent = On + +; Detect broken persistent links always with pg_pconnect(). +; Auto reset feature requires a little overheads. +; http://php.net/pgsql.auto-reset-persistent +pgsql.auto_reset_persistent = Off + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/pgsql.max-persistent +pgsql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +; http://php.net/pgsql.max-links +pgsql.max_links = -1 + +; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. +; http://php.net/pgsql.ignore-notice +pgsql.ignore_notice = 0 + +; Log PostgreSQL backends Notice message or not. +; Unless pgsql.ignore_notice=0, module cannot log notice message. +; http://php.net/pgsql.log-notice +pgsql.log_notice = 0 + +[bcmath] +; Number of decimal digits for all bcmath functions. +; http://php.net/bcmath.scale +bcmath.scale = 0 + +[browscap] +; http://php.net/browscap +;browscap = extra/browscap.ini + +[Session] +; Handler used to store/retrieve data. +; http://php.net/session.save-handler +session.save_handler = files + +; Argument passed to save_handler. In the case of files, this is the path +; where data files are stored. Note: Windows users have to change this +; variable in order to use PHP's session functions. +; +; The path can be defined as: +; +; session.save_path = "N;/path" +; +; where N is an integer. Instead of storing all the session files in +; /path, what this will do is use subdirectories N-levels deep, and +; store the session data in those directories. This is useful if +; your OS has problems with many files in one directory, and is +; a more efficient layout for servers that handle many sessions. +; +; NOTE 1: PHP will not create this directory structure automatically. +; You can use the script in the ext/session dir for that purpose. +; NOTE 2: See the section on garbage collection below if you choose to +; use subdirectories for session storage +; +; The file storage module creates files using mode 600 by default. +; You can change that by using +; +; session.save_path = "N;MODE;/path" +; +; where MODE is the octal representation of the mode. Note that this +; does not overwrite the process's umask. +; http://php.net/session.save-path +;session.save_path = "/var/lib/php/sessions" + +; Whether to use strict session mode. +; Strict session mode does not accept an uninitialized session ID, and +; regenerates the session ID if the browser sends an uninitialized session ID. +; Strict mode protects applications from session fixation via a session adoption +; vulnerability. It is disabled by default for maximum compatibility, but +; enabling it is encouraged. +; https://wiki.php.net/rfc/strict_sessions +session.use_strict_mode = 0 + +; Whether to use cookies. +; http://php.net/session.use-cookies +session.use_cookies = 1 + +; http://php.net/session.cookie-secure +;session.cookie_secure = + +; This option forces PHP to fetch and use a cookie for storing and maintaining +; the session id. We encourage this operation as it's very helpful in combating +; session hijacking when not specifying and managing your own session id. It is +; not the be-all and end-all of session hijacking defense, but it's a good start. +; http://php.net/session.use-only-cookies +session.use_only_cookies = 1 + +; Name of the session (used as cookie name). +; http://php.net/session.name +session.name = PHPSESSID + +; Initialize session on request startup. +; http://php.net/session.auto-start +session.auto_start = 0 + +; Lifetime in seconds of cookie or, if 0, until browser is restarted. +; http://php.net/session.cookie-lifetime +session.cookie_lifetime = 0 + +; The path for which the cookie is valid. +; http://php.net/session.cookie-path +session.cookie_path = / + +; The domain for which the cookie is valid. +; http://php.net/session.cookie-domain +session.cookie_domain = + +; Whether or not to add the httpOnly flag to the cookie, which makes it +; inaccessible to browser scripting languages such as JavaScript. +; http://php.net/session.cookie-httponly +session.cookie_httponly = + +; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF) +; Current valid values are "Strict", "Lax" or "None". When using "None", +; make sure to include the quotes, as `none` is interpreted like `false` in ini files. +; https://tools.ietf.org/html/draft-west-first-party-cookies-07 +session.cookie_samesite = + +; Handler used to serialize data. php is the standard serializer of PHP. +; http://php.net/session.serialize-handler +session.serialize_handler = php + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.gc-probability +session.gc_probability = 0 + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; For high volume production servers, using a value of 1000 is a more efficient approach. +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 +; http://php.net/session.gc-divisor +session.gc_divisor = 1000 + +; After this number of seconds, stored data will be seen as 'garbage' and +; cleaned up by the garbage collection process. +; http://php.net/session.gc-maxlifetime +session.gc_maxlifetime = 1440 + +; NOTE: If you are using the subdirectory option for storing session files +; (see session.save_path above), then garbage collection does *not* +; happen automatically. You will need to do your own garbage +; collection through a shell script, cron entry, or some other method. +; For example, the following script is the equivalent of setting +; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): +; find /path/to/sessions -cmin +24 -type f | xargs rm + +; Check HTTP Referer to invalidate externally stored URLs containing ids. +; HTTP_REFERER has to contain this substring for the session to be +; considered as valid. +; http://php.net/session.referer-check +session.referer_check = + +; Set to {nocache,private,public,} to determine HTTP caching aspects +; or leave this empty to avoid sending anti-caching headers. +; http://php.net/session.cache-limiter +session.cache_limiter = nocache + +; Document expires after n minutes. +; http://php.net/session.cache-expire +session.cache_expire = 180 + +; trans sid support is disabled by default. +; Use of trans sid may risk your users' security. +; Use this option with caution. +; - User may send URL contains active session ID +; to other person via. email/irc/etc. +; - URL that contains active session ID may be stored +; in publicly accessible computer. +; - User may access your site with the same session ID +; always using URL stored in browser's history or bookmarks. +; http://php.net/session.use-trans-sid +session.use_trans_sid = 0 + +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid-length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + +; The URL rewriter will look for URLs in a defined set of HTML tags. +;
is special; if you include them here, the rewriter will +; add a hidden field with the info which is otherwise appended +; to URLs. tag's action attribute URL will not be modified +; unless it is specified. +; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=" +; Development Value: "a=href,area=href,frame=src,form=" +; Production Value: "a=href,area=href,frame=src,form=" +; http://php.net/url-rewriter.tags +session.trans_sid_tags = "a=href,area=href,frame=src,form=" + +; URL rewriter does not rewrite absolute URLs by default. +; To enable rewrites for absolute paths, target hosts must be specified +; at RUNTIME. i.e. use ini_set() +; tags is special. PHP will check action attribute's URL regardless +; of session.trans_sid_tags setting. +; If no host is defined, HTTP_HOST will be used for allowed host. +; Example value: php.net,www.php.net,wiki.php.net +; Use "," for multiple hosts. No spaces are allowed. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;session.trans_sid_hosts="" + +; Define how many bits are stored in each character when converting +; the binary hash data to something readable. +; Possible values: +; 4 (4 bits: 0-9, a-f) +; 5 (5 bits: 0-9, a-v) +; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 +; http://php.net/session.hash-bits-per-character +session.sid_bits_per_character = 5 + +; Enable upload progress tracking in $_SESSION +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.enabled +;session.upload_progress.enabled = On + +; Cleanup the progress information as soon as all POST data has been read +; (i.e. upload completed). +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.cleanup +;session.upload_progress.cleanup = On + +; A prefix used for the upload progress key in $_SESSION +; Default Value: "upload_progress_" +; Development Value: "upload_progress_" +; Production Value: "upload_progress_" +; http://php.net/session.upload-progress.prefix +;session.upload_progress.prefix = "upload_progress_" + +; The index name (concatenated with the prefix) in $_SESSION +; containing the upload progress information +; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" +; http://php.net/session.upload-progress.name +;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" + +; How frequently the upload progress should be updated. +; Given either in percentages (per-file), or in bytes +; Default Value: "1%" +; Development Value: "1%" +; Production Value: "1%" +; http://php.net/session.upload-progress.freq +;session.upload_progress.freq = "1%" + +; The minimum delay between updates, in seconds +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.upload-progress.min-freq +;session.upload_progress.min_freq = "1" + +; Only write session data when session data is changed. Enabled by default. +; http://php.net/session.lazy-write +;session.lazy_write = On + +[Assertion] +; Switch whether to compile assertions at all (to have no overhead at run-time) +; -1: Do not compile at all +; 0: Jump over assertion at run-time +; 1: Execute assertions +; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1) +; Default Value: 1 +; Development Value: 1 +; Production Value: -1 +; http://php.net/zend.assertions +zend.assertions = -1 + +; Assert(expr); active by default. +; http://php.net/assert.active +;assert.active = On + +; Throw an AssertionError on failed assertions +; http://php.net/assert.exception +;assert.exception = On + +; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active) +; http://php.net/assert.warning +;assert.warning = On + +; Don't bail out by default. +; http://php.net/assert.bail +;assert.bail = Off + +; User-function to be called if an assertion fails. +; http://php.net/assert.callback +;assert.callback = 0 + +; Eval the expression with current error_reporting(). Set to true if you want +; error_reporting(0) around the eval(). +; http://php.net/assert.quiet-eval +;assert.quiet_eval = 0 + +[COM] +; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs +; http://php.net/com.typelib-file +;com.typelib_file = + +; allow Distributed-COM calls +; http://php.net/com.allow-dcom +;com.allow_dcom = true + +; autoregister constants of a component's typlib on com_load() +; http://php.net/com.autoregister-typelib +;com.autoregister_typelib = true + +; register constants casesensitive +; http://php.net/com.autoregister-casesensitive +;com.autoregister_casesensitive = false + +; show warnings on duplicate constant registrations +; http://php.net/com.autoregister-verbose +;com.autoregister_verbose = true + +; The default character set code-page to use when passing strings to and from COM objects. +; Default: system ANSI code page +;com.code_page= + +[mbstring] +; language for internal character representation. +; This affects mb_send_mail() and mbstring.detect_order. +; http://php.net/mbstring.language +;mbstring.language = Japanese + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; internal/script encoding. +; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;mbstring.internal_encoding = + +; Use of this INI entry is deprecated, use global input_encoding instead. +; http input encoding. +; mbstring.encoding_translation = On is needed to use this setting. +; If empty, default_charset or input_encoding or mbstring.input is used. +; The precedence is: default_charset < input_encoding < mbstring.http_input +; http://php.net/mbstring.http-input +;mbstring.http_input = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; http output encoding. +; mb_output_handler must be registered as output buffer to function. +; If empty, default_charset or output_encoding or mbstring.http_output is used. +; The precedence is: default_charset < output_encoding < mbstring.http_output +; To use an output encoding conversion, mbstring's output handler must be set +; otherwise output encoding conversion cannot be performed. +; http://php.net/mbstring.http-output +;mbstring.http_output = + +; enable automatic encoding translation according to +; mbstring.internal_encoding setting. Input chars are +; converted to internal encoding by setting this to On. +; Note: Do _not_ use automatic encoding translation for +; portable libs/applications. +; http://php.net/mbstring.encoding-translation +;mbstring.encoding_translation = Off + +; automatic encoding detection order. +; "auto" detect order is changed according to mbstring.language +; http://php.net/mbstring.detect-order +;mbstring.detect_order = auto + +; substitute_character used when character cannot be converted +; one from another +; http://php.net/mbstring.substitute-character +;mbstring.substitute_character = none + +; overload(replace) single byte functions by mbstring functions. +; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(), +; etc. Possible values are 0,1,2,4 or combination of them. +; For example, 7 for overload everything. +; 0: No overload +; 1: Overload mail() function +; 2: Overload str*() functions +; 4: Overload ereg*() functions +; http://php.net/mbstring.func-overload +;mbstring.func_overload = 0 + +; enable strict encoding detection. +; Default: Off +;mbstring.strict_detection = On + +; This directive specifies the regex pattern of content types for which mb_output_handler() +; is activated. +; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetype= + +; This directive specifies maximum stack depth for mbstring regular expressions. It is similar +; to the pcre.recursion_limit for PCRE. +; Default: 100000 +;mbstring.regex_stack_limit=100000 + +; This directive specifies maximum retry count for mbstring regular expressions. It is similar +; to the pcre.backtrack_limit for PCRE. +; Default: 1000000 +;mbstring.regex_retry_limit=1000000 + +[gd] +; Tell the jpeg decode to ignore warnings and try to create +; a gd image. The warning will then be displayed as notices +; disabled by default +; http://php.net/gd.jpeg-ignore-warning +;gd.jpeg_ignore_warning = 1 + +[exif] +; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. +; With mbstring support this will automatically be converted into the encoding +; given by corresponding encode setting. When empty mbstring.internal_encoding +; is used. For the decode settings you can distinguish between motorola and +; intel byte order. A decode setting cannot be empty. +; http://php.net/exif.encode-unicode +;exif.encode_unicode = ISO-8859-15 + +; http://php.net/exif.decode-unicode-motorola +;exif.decode_unicode_motorola = UCS-2BE + +; http://php.net/exif.decode-unicode-intel +;exif.decode_unicode_intel = UCS-2LE + +; http://php.net/exif.encode-jis +;exif.encode_jis = + +; http://php.net/exif.decode-jis-motorola +;exif.decode_jis_motorola = JIS + +; http://php.net/exif.decode-jis-intel +;exif.decode_jis_intel = JIS + +[Tidy] +; The path to a default tidy configuration file to use when using tidy +; http://php.net/tidy.default-config +;tidy.default_config = /usr/local/lib/php/default.tcfg + +; Should tidy clean and repair output automatically? +; WARNING: Do not use this option if you are generating non-html content +; such as dynamic images +; http://php.net/tidy.clean-output +tidy.clean_output = Off + +[soap] +; Enables or disables WSDL caching feature. +; http://php.net/soap.wsdl-cache-enabled +soap.wsdl_cache_enabled=1 + +; Sets the directory name where SOAP extension will put cache files. +; http://php.net/soap.wsdl-cache-dir +soap.wsdl_cache_dir="/tmp" + +; (time to live) Sets the number of second while cached file will be used +; instead of original one. +; http://php.net/soap.wsdl-cache-ttl +soap.wsdl_cache_ttl=86400 + +; Sets the size of the cache limit. (Max. number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[dba] +;dba.default_handler= + +[opcache] +; Determines if Zend OPCache is enabled +;opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +;opcache.enable_cli=0 + +; The OPcache shared memory storage size. +;opcache.memory_consumption=128 + +; The amount of memory for interned strings in Mbytes. +;opcache.interned_strings_buffer=8 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +;opcache.max_accelerated_files=10000 + +; The maximum percentage of "wasted" memory until a restart is scheduled. +;opcache.max_wasted_percentage=5 + +; When this directive is enabled, the OPcache appends the current working +; directory to the script key, thus eliminating possible collisions between +; files with the same name (basename). Disabling the directive improves +; performance, but may break existing applications. +;opcache.use_cwd=1 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0x7FFFBFFF + +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). +;opcache.blacklist_filename= + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). +;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +; Allows calling OPcache API functions only from PHP scripts which path is +; started from specified string. The default "" means no restriction +;opcache.restrict_api= + +; Mapping base of shared memory segments (for Windows only). All the PHP +; processes have to map shared memory into the same address space. This +; directive allows to manually fix the "Unable to reattach to base address" +; errors. +;opcache.mmap_base= + +; Facilitates multiple OPcache instances per user (for Windows only). All PHP +; processes with the same cache ID and user share an OPcache instance. +;opcache.cache_id= + +; Enables and sets the second level cache directory. +; It should improve performance when SHM memory is full, at server restart or +; SHM reset. The default "" disables file based caching. +;opcache.file_cache= + +; Enables or disables opcode caching in shared memory. +;opcache.file_cache_only=0 + +; Enables or disables checksum validation when script loaded from file cache. +;opcache.file_cache_consistency_checks=1 + +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Enables or disables copying of PHP code (text segment) into HUGE PAGES. +; This should improve performance, but requires appropriate OS configuration. +;opcache.huge_code_pages=1 + +; Validate cached file permissions. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +;opcache.validate_root=0 + +; If specified, it produces opcode dumps for debugging different stages of +; optimizations. +;opcache.opt_debug_level=0 + +; Specifies a PHP script that is going to be compiled and executed at server +; start-up. +; http://php.net/opcache.preload +;opcache.preload= + +; Preloading code as root is not allowed for security reasons. This directive +; facilitates to let the preloading to be run as another user. +; http://php.net/opcache.preload_user +;opcache.preload_user= + +; Prevents caching files that are less than this number of seconds old. It +; protects from caching of incompletely updated files. In case all file updates +; on your site are atomic, you may increase performance by setting it to "0". +;opcache.file_update_protection=2 + +; Absolute path used to store shared lockfiles (for *nix only). +;opcache.lockfile_path=/tmp + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. +;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + +[ffi] +; FFI API restriction. Possible values: +; "preload" - enabled in CLI scripts and preloaded files (default) +; "false" - always disabled +; "true" - always enabled +;ffi.enable=preload + +; List of headers files to preload, wildcard patterns allowed. +;ffi.preload= diff --git a/roles/gestsup/files/security.conf b/roles/gestsup/files/security.conf new file mode 100644 index 0000000..e99595a --- /dev/null +++ b/roles/gestsup/files/security.conf @@ -0,0 +1,73 @@ +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. +# +# +# AllowOverride None +# Require all denied +# + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +#ServerTokens Minimal +ServerTokens Prod +#ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +#ServerSignature Off +ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +TraceEnable Off +#TraceEnable On + +# +# Forbid access to version control directories +# +# If you use version control systems in your document root, you should +# probably deny access to their directories. For example, for subversion: +# +# +# Require all denied +# + +# +# Setting this header will prevent MSIE from interpreting files as something +# else than declared by the content type in the HTTP headers. +# Requires mod_headers to be enabled. +# +#Header set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +#Header set X-Frame-Options: "sameorigin" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/gestsup/handlers/main.yml b/roles/gestsup/handlers/main.yml new file mode 100644 index 0000000..012d896 --- /dev/null +++ b/roles/gestsup/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: redemarrage apache2 + service: + name: apache2 + state: restarted + enabled: yes diff --git a/roles/gestsup/tasks/main.yml b/roles/gestsup/tasks/main.yml new file mode 100644 index 0000000..9f05def --- /dev/null +++ b/roles/gestsup/tasks/main.yml @@ -0,0 +1,122 @@ +- name: Installation des dépendances + apt: + name: + - apache2 + - mariadb-server + - python3-pip + - php + - php-mysql + - php-xml + - php-curl + - php-imap + - php-zip + - php-mbstring + - php-gd + - php-intl + - php-ldap + - snapd + - unzip + state: present + +- name: Install pymysql + become: true + pip: + name: pymysql + state: present + +- name: Copie de php.ini + copy: + src: php.ini + dest: /etc/php/7.4/apache2 + +- name: Copie de apache2.conf + copy: + src: apache2.conf + dest: /etc/apache2 + +- name: Suppression de l'ancien security.conf + file: + path: /etc/apache2/conf-available/security.conf + state: absent + +- name: Suppression de l'ancien lien symbolique + file: + path: /etc/apache2/conf-enabled/security.conf + state: absent + +- name: Copie de security.conf pour apache2 + copy: + src: security.conf + dest: /etc/apache2/conf-available + +- name: Création d'un lien symbolique pour security.conf + ansible.builtin.shell: ln -s /etc/apache2/conf-available/security.conf /etc/apache2/conf-enabled/ + +- name: mariadb en mode enabled + service: + name: mysql + enabled: yes + +- name: Création de l'utilisateur gestsup + mysql_user: + name: gestsup + password: gestsup + priv: '*.*:ALL,GRANT' + state: present + login_unix_socket: /var/run/mysqld/mysqld.sock + +- name: Decompression du fichier gestsup.zip + ansible.builtin.unarchive: + src: http://s-adm.gsb.adm/gsbstore/gestsup_3.2.15.zip + dest: /var/www/html/ + remote_src: yes + +- name: Suppression de index.html + ansible.builtin.file: + path: /var/www/html/index.html + state: absent + +- name: Création de l'utilisateur et attribution au groupe www-data + ansible.builtin.shell: adduser gestsup --ingroup www-data + +- name: Attribution des repertoires a www-data et gestsup + ansible.builtin.file: + path: /var/www/html + owner: gestsup + group: www-data + recurse: yes + +- name: Attribution de droit 750 + ansible.builtin.shell: find /var/www/html/ -type d -exec chmod 750 {} \; + +- name: Attribution de droit en 640 + ansible.builtin.shell: find /var/www/html/ -type f -exec chmod 640 {} \; + +- name: Droit 770 pour le repertoire upload + ansible.builtin.file: + path: /var/www/html/upload + mode: '0770' + recurse: yes + +- name: Droit 770 pour le repertoire images/model + ansible.builtin.file: + path: /var/www/html/images/model + mode: '0770' + recurse: yes + +- name: Droit 770 pour le repertoire backup + ansible.builtin.file: + path: /var/www/html/backup + mode: '0770' + recurse: yes + +- name: Droit 770 pour le repertoire _SQL + ansible.builtin.file: + path: /var/www/html/_SQL + mode: '0770' + recurse: yes + +- name: Droit 660 pour connect.php + ansible.builtin.file: + path: /var/www/html/connect.php + mode: '0660' diff --git a/roles/goss/defaults/main.yml b/roles/goss/defaults/main.yml new file mode 100644 index 0000000..b564958 --- /dev/null +++ b/roles/goss/defaults/main.yml @@ -0,0 +1,3 @@ +depl_url: "http://s-adm.gsb.adm/gsbstore" +depl_goss: "goss" + diff --git a/roles/goss/tasks/main.yml b/roles/goss/tasks/main.yml new file mode 100644 index 0000000..a82feb1 --- /dev/null +++ b/roles/goss/tasks/main.yml @@ -0,0 +1,21 @@ +--- + +- name: goss binary exists + stat: path=/usr/local/bin/goss + register: gossbin + +- name: install goss sur machine standard + get_url: + url: "{{ depl_url }}/{{ depl_goss }}" + dest: /usr/local/bin/{{ depl_goss }} + mode: 0755 + when: gossbin.stat.exists == False and ansible_hostname != "s-adm" + +- name: install goss sur s-adm + copy: + src: "/var/www/html/gsbstore/{{ depl_goss }}" + dest: /usr/local/bin/{{ depl_goss }} + mode: 0755 + remote_src: yes + when: gossbin.stat.exists == False and ansible_hostname == "s-adm" + diff --git a/roles/icinga/README.md b/roles/icinga/README.md new file mode 100644 index 0000000..c9e721f --- /dev/null +++ b/roles/icinga/README.md @@ -0,0 +1,117 @@ +# Instalation de NSClient++ sur la machine s-win + +En premier lieu, installer Mozilla Firefox via Internet Explorer. + +Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/) + +Puis choisir la version Windows + +# Etapes de l'installation + +Sur l'étape **Select monitoring tool**, sélectionner **Generic**. + +Sur l'étape **Choose setup type**, sélectionner **Typical**. + +Sur l'étape **NSClient++ Configuration: + +``` + +Allowed hosts: 172.16.0.8 + +Password: root + +``` + +Activer **check plugins, check_nt et check_nrpe**. + +**Laisser NSCA client et web server désactivé** + +Cocher la case **Insecure legacy mode** + + +Terminer l'installation. + +# Modification des fichiers + +Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage). + +Une fois ouvert, modifier tout le fichier avec ceci: + +``` + +#If you want to fill this file with all available options run the following command: +#nscp settings --generate --add-defaults --load-all +#If you want to activate a module and bring in all its options use: +#nscp settings --activate-module --add-defaults +#For details run: nscp settings --help + + +; in flight - TODO +[/settings/default] + +; Undocumented key +password = root + +; Undocumented key +allowed hosts = 172.16.0.8 + + +; in flight - TODO +[/settings/NRPE/server] + +; Undocumented key +verify mode = none + +; Undocumented key +insecure = true + + +; in flight - TODO +[/modules] + +; Undocumented key +CheckExternalScripts = enabled + +; Undocumented key +CheckHelpers = enabled + +; Undocumented key +CheckEventLog = enabled + +; Undocumented key +CheckNSCP = enabled + +; Undocumented key +CheckDisk = enabled + +; Undocumented key +CheckSystem = enabled + +; Undocumented key +NSClientServer = enabled + +; Undocumented key +NRPEServer = enabled + +``` + +Redémarrez le service NSClient++ via le **cmd**: + +``` + +services.msc + +``` + +Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer** + + +Retourner sur le serveur nagios puis écrire: + +``` + +systemctl restart icinga + +``` + +Les services de la machine **srv-2012** apparaissent en **OK**. diff --git a/roles/icinga/files/cfg/contacts_icinga.cfg b/roles/icinga/files/cfg/contacts_icinga.cfg new file mode 100644 index 0000000..8a66285 --- /dev/null +++ b/roles/icinga/files/cfg/contacts_icinga.cfg @@ -0,0 +1,59 @@ +############################################################################### +# contacts.cfg +############################################################################### + + + +############################################################################### +############################################################################### +# +# CONTACTS +# +############################################################################### +############################################################################### + +# In this simple config file, a single contact will receive all alerts. + +#define contact{ +# contact_name root +# alias Root +# service_notification_period 24x7 +# host_notification_period 24x7 +# service_notification_options w,u,c,r +# host_notification_options d,r +# service_notification_commands notify-service-by-email +# host_notification_commands notify-host-by-email +# email root@localhost +# } + + +define contact{ + contact_name admin + alias Administrateur + service_notification_period 24x7 + host_notification_period 24x7 + service_notification_options w,u,c,r + host_notification_options d,r + service_notification_commands notify-service-by-email + host_notification_commands notify-host-by-email + email icinga.ppe31@gmail.com + } + + + +############################################################################### +############################################################################### +# +# CONTACT GROUPS +# +############################################################################### +############################################################################### + +# We only have one contact in this simple configuration file, so there is +# no need to create more than one contact group. + +define contactgroup{ + contactgroup_name admins + alias Nagios Administrators + members admin + } diff --git a/roles/icinga/files/cfg/extinfo_icinga.cfg b/roles/icinga/files/cfg/extinfo_icinga.cfg new file mode 100644 index 0000000..07bd594 --- /dev/null +++ b/roles/icinga/files/cfg/extinfo_icinga.cfg @@ -0,0 +1,13 @@ +## +## Extended Host and Service Information +## + +define hostextinfo{ + hostgroup_name debian-servers + notes Debian GNU/Linux servers +# notes_url http://webserver.localhost.localdomain/hostinfo.pl?host=netware1 + icon_image base/debian.png + icon_image_alt Debian GNU/Linux + vrml_image debian.png + statusmap_image base/debian.gd2 + } diff --git a/roles/icinga/files/cfg/generic-host_icinga.cfg b/roles/icinga/files/cfg/generic-host_icinga.cfg new file mode 100644 index 0000000..e6d96ac --- /dev/null +++ b/roles/icinga/files/cfg/generic-host_icinga.cfg @@ -0,0 +1,19 @@ +# Generic host definition template - This is NOT a real host, just a template! + +define host{ + name generic-host ; The name of this host template + notifications_enabled 1 ; Host notifications are enabled + event_handler_enabled 1 ; Host event handler is enabled + flap_detection_enabled 1 ; Flap detection is enabled + failure_prediction_enabled 1 ; Failure prediction is enabled + process_perf_data 1 ; Process performance data + retain_status_information 1 ; Retain status information across program restarts + retain_nonstatus_information 1 ; Retain non-status information across program restarts + check_command check-host-alive + max_check_attempts 10 + notification_interval 0 + notification_period 24x7 + notification_options d,u,r + contact_groups admins + register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE! + } diff --git a/roles/icinga/files/cfg/generic-service_icinga.cfg b/roles/icinga/files/cfg/generic-service_icinga.cfg new file mode 100644 index 0000000..4d60c79 --- /dev/null +++ b/roles/icinga/files/cfg/generic-service_icinga.cfg @@ -0,0 +1,26 @@ +# generic service template definition +define service{ + name generic-service ; The 'name' of this service template + active_checks_enabled 1 ; Active service checks are enabled + passive_checks_enabled 1 ; Passive service checks are enabled/accepted + parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems) + obsess_over_service 1 ; We should obsess over this service (if necessary) + check_freshness 0 ; Default is to NOT check service 'freshness' + notifications_enabled 1 ; Service notifications are enabled + event_handler_enabled 1 ; Service event handler is enabled + flap_detection_enabled 1 ; Flap detection is enabled + failure_prediction_enabled 1 ; Failure prediction is enabled + process_perf_data 1 ; Process performance data + retain_status_information 1 ; Retain status information across program restarts + retain_nonstatus_information 1 ; Retain non-status information across program restarts + notification_interval 0 ; Only send notifications on status change by default. + is_volatile 0 + check_period 24x7 + normal_check_interval 5 + retry_check_interval 1 + max_check_attempts 4 + notification_period 24x7 + notification_options w,u,c,r + contact_groups admins + register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE! + } diff --git a/roles/icinga/files/cfg/gwsio2.cfg b/roles/icinga/files/cfg/gwsio2.cfg new file mode 100644 index 0000000..c09b7d2 --- /dev/null +++ b/roles/icinga/files/cfg/gwsio2.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name gwsio2 + alias Passerelle + address 192.168.0.1 + icon_image cook/linux_server.gif + statusmap_image cook/linux_server.gd2 + } diff --git a/roles/icinga/files/cfg/hostgroups_icinga.cfg b/roles/icinga/files/cfg/hostgroups_icinga.cfg new file mode 100644 index 0000000..a7df306 --- /dev/null +++ b/roles/icinga/files/cfg/hostgroups_icinga.cfg @@ -0,0 +1,75 @@ +# Some generic hostgroup definitions + +define hostgroup { + hostgroup_name all + alias All Servers + members * + } + +define hostgroup { + hostgroup_name localhost + alias Debian GNU/Linux Servers + members localhost + } + +define hostgroup { + hostgroup_name debian-servers + alias Serveurs distant + members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess +} + +define hostgroup {  + hostgroup_name ssh-servers + alias acces SSH + members s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb +} + +define hostgroup {  + hostgroup_name dns-servers + alias serveurs-dns + members s-infra, srv-2012 +} + +define hostgroup {  + hostgroup_name dhcp-servers + alias serveurs-dhcp + members r-int, srv-2012 +} + +define hostgroup { + hostgroup_name http-servers + alias serveurs-web + members localhost, s-itil, s-adm + } + +#define hostgroup { +# hostgroup_name email-servers +# alias serveurs-email +# members s-mess +# } + +define hostgroup {  + hostgroup_name proxy-servers + alias serveurs-proxy + members s-proxy +} + +define hostgroup{ + hostgroup_name windows-servers + alias windows-servers + members srv-2012 +} + +define hostgroup{ + hostgroup_name dns-win + alias dns-win + members srv-2012 +} + +define hostgroup{ + hostgroup_name uptimegrp + alias uptimegrp + members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb +} + + diff --git a/roles/icinga/files/cfg/localhost_icinga.cfg b/roles/icinga/files/cfg/localhost_icinga.cfg new file mode 100644 index 0000000..c15cda4 --- /dev/null +++ b/roles/icinga/files/cfg/localhost_icinga.cfg @@ -0,0 +1,60 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in icinga-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name localhost + alias localhost + address 127.0.0.1 + parents gwsio2 + } + +# Define a service to check the disk space of the root partition +# on the local machine. Warning if < 20% free, critical if +# < 10% free space on partition. + +define service{ + use generic-service ; Name of service template to use + host_name localhost + service_description Disk Space + check_command check_all_disks!20%!10% + } + + + +# Define a service to check the number of currently logged in +# users on the local machine. Warning if > 20 users, critical +# if > 50 users. + +define service{ + use generic-service ; Name of service template to use + host_name localhost + service_description Current Users + check_command check_users!20!50 + } + + +# Define a service to check the number of currently running procs +# on the local machine. Warning if > 250 processes, critical if +# > 400 processes. + +define service{ + use generic-service ; Name of service template to use + host_name localhost + service_description Total Processes + check_command check_procs!250!400 + } + + + +# Define a service to check the load on the local machine. + +define service{ + use generic-service ; Name of service template to use + host_name localhost + service_description Current Load + check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0 + } diff --git a/roles/icinga/files/cfg/netgear.cfg b/roles/icinga/files/cfg/netgear.cfg new file mode 100644 index 0000000..23562fe --- /dev/null +++ b/roles/icinga/files/cfg/netgear.cfg @@ -0,0 +1,16 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name netgear + alias switch + address 192.168.0.2 + #parents gwsio4 + icon_image cook/switch.gif + statusmap_image cook/switch.gd2 +} + diff --git a/roles/icinga/files/cfg/r-ext.cfg b/roles/icinga/files/cfg/r-ext.cfg new file mode 100644 index 0000000..4c14bef --- /dev/null +++ b/roles/icinga/files/cfg/r-ext.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name r-ext + alias Routeur externe + address 192.168.200.253 + parents localhost + } diff --git a/roles/icinga/files/cfg/r-int.cfg b/roles/icinga/files/cfg/r-int.cfg new file mode 100644 index 0000000..77ebe3d --- /dev/null +++ b/roles/icinga/files/cfg/r-int.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name r-int + alias Routeur interne + address 172.16.0.254 + parents r-ext + } diff --git a/roles/icinga/files/cfg/s-adm.cfg b/roles/icinga/files/cfg/s-adm.cfg new file mode 100644 index 0000000..aeadbee --- /dev/null +++ b/roles/icinga/files/cfg/s-adm.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name s-adm + alias debian-servers + address 192.168.99.99 + parents r-int + } + diff --git a/roles/icinga/files/cfg/s-infra.cfg b/roles/icinga/files/cfg/s-infra.cfg new file mode 100644 index 0000000..c369ff6 --- /dev/null +++ b/roles/icinga/files/cfg/s-infra.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name s-infra + alias debian-servers + address 172.16.0.1 + parents r-int + } + diff --git a/roles/icinga/files/cfg/s-itil.cfg b/roles/icinga/files/cfg/s-itil.cfg new file mode 100644 index 0000000..8f34e2e --- /dev/null +++ b/roles/icinga/files/cfg/s-itil.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name s-itil + alias debian-servers + address 172.16.0.9 + parents r-int + } + diff --git a/roles/icinga/files/cfg/s-lb.cfg b/roles/icinga/files/cfg/s-lb.cfg new file mode 100644 index 0000000..5754f25 --- /dev/null +++ b/roles/icinga/files/cfg/s-lb.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template$ + host_name s-lb + alias debian-servers + address 192.168.100.10 + parents r-int + } + diff --git a/roles/icinga/files/cfg/s-mess.cfg b/roles/icinga/files/cfg/s-mess.cfg new file mode 100644 index 0000000..79df415 --- /dev/null +++ b/roles/icinga/files/cfg/s-mess.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template$ + host_name s-mess + alias nextcloud + address 172.16.0.7 + parents r-int + } + diff --git a/roles/icinga/files/cfg/s-proxy.cfg b/roles/icinga/files/cfg/s-proxy.cfg new file mode 100644 index 0000000..de4f3c9 --- /dev/null +++ b/roles/icinga/files/cfg/s-proxy.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name s-proxy + alias serveur proxy + address 172.16.0.2 + parents r-int + } diff --git a/roles/icinga/files/cfg/services_icinga.cfg b/roles/icinga/files/cfg/services_icinga.cfg new file mode 100644 index 0000000..b69e5d8 --- /dev/null +++ b/roles/icinga/files/cfg/services_icinga.cfg @@ -0,0 +1,106 @@ +define service { + hostgroup_name http-servers + service_description HTTP + check_command check_http + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service { + hostgroup_name ssh-servers + service_description SSH + check_command check_ssh + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Espace disque + check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Charge machine + check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2 + } + +define service{ + use generic-service + hostgroup_name localhost + service_description Charge machine + check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description RAM + check_command check_snmp_mem!public!--v2c!-N!95,60!99,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Version NSClient++ + check_command check_nt!CLIENTVERSION +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Charge CPU + check_command check_nt!CPULOAD!-l 5,80,90,15,80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Uptime + check_command check_nt!UPTIME +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Mem Use + check_command check_nt!MEMUSE!80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Disk Space + check_command check_nt!USEDDISKSPACE!-l C!10,5 +} + +define service{ + use generic-service + hostgroup_name dns-win + service_description Service DNS + check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS" +} + +define service{ + use generic-service + hostgroup_name uptimegrp + service_description Uptime + check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0 +} + +define service{ + use generic-service + hostgroup_name dns-servers + service_description DNS Ext + check_command check_dns +} + +#define service{ +# use generic-service +# hostgroup_name dhcp-servers +# service_description Service DHCP +# check_command check_dhcp +#} diff --git a/roles/icinga/files/cfg/srv-2012.cfg b/roles/icinga/files/cfg/srv-2012.cfg new file mode 100644 index 0000000..8ff28a9 --- /dev/null +++ b/roles/icinga/files/cfg/srv-2012.cfg @@ -0,0 +1,16 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use generic-host ; Name of host template to use + host_name srv-2012 + alias windows-servers + address 172.16.0.6 + parents r-int + icon_image base/win40.gif + statusmap_image base/win40.gd2 + } + diff --git a/roles/icinga/files/cfg/timeperiods_icinga.cfg b/roles/icinga/files/cfg/timeperiods_icinga.cfg new file mode 100644 index 0000000..55ecf9d --- /dev/null +++ b/roles/icinga/files/cfg/timeperiods_icinga.cfg @@ -0,0 +1,50 @@ +############################################################################### +# timeperiods.cfg +############################################################################### + +# This defines a timeperiod where all times are valid for checks, +# notifications, etc. The classic "24x7" support nightmare. :-) + +define timeperiod{ + timeperiod_name 24x7 + alias 24 Hours A Day, 7 Days A Week + sunday 00:00-24:00 + monday 00:00-24:00 + tuesday 00:00-24:00 + wednesday 00:00-24:00 + thursday 00:00-24:00 + friday 00:00-24:00 + saturday 00:00-24:00 + } + +# Here is a slightly friendlier period during work hours +define timeperiod{ + timeperiod_name workhours + alias Standard Work Hours + monday 09:00-17:00 + tuesday 09:00-17:00 + wednesday 09:00-17:00 + thursday 09:00-17:00 + friday 09:00-17:00 + } + +# The complement of workhours +define timeperiod{ + timeperiod_name nonworkhours + alias Non-Work Hours + sunday 00:00-24:00 + monday 00:00-09:00,17:00-24:00 + tuesday 00:00-09:00,17:00-24:00 + wednesday 00:00-09:00,17:00-24:00 + thursday 00:00-09:00,17:00-24:00 + friday 00:00-09:00,17:00-24:00 + saturday 00:00-24:00 + } + +# This one is a favorite: never :) +define timeperiod{ + timeperiod_name never + alias Never + } + +# end of file diff --git a/roles/icinga/files/check_iftraffic3.pl b/roles/icinga/files/check_iftraffic3.pl new file mode 100755 index 0000000..62ddbd1 --- /dev/null +++ b/roles/icinga/files/check_iftraffic3.pl @@ -0,0 +1,643 @@ +#!/usr/bin/perl -w +# +# check_iftraffic.pl - Nagios(r) network traffic monitor plugin +# Copyright (C) 2004 Gerd Mueller / Netways GmbH +# $Id: check_iftraffic.pl 1119 2006-02-09 10:30:09Z gmueller $ +# +# mw = Markus Werner mw+nagios@wobcom.de +# Remarks (mw): +# +# I adopted as much as possible the programming style of the origin code. +# +# There should be a function to exit this programm, +# instead of calling print and exit statements all over the place. +# +# +# minor changes by mw +# The snmp if_counters on net devices can have overflows. +# I wrote this code to address this situation. +# It has no automatic detection and which point the overflow +# occurs but it will generate a warning state and you +# can set the max value by calling this script with an additional +# arg. +# +# minor cosmetic changes by mw +# Sorry but I couldn't sustain to clean up some things. +# +# gj = Greg Frater gregATfraterfactory.com +# Remarks (gj): +# minor (gj): +# +# * fixed the performance data, formating was not to spec +# * Added a check of the interfaces status (up/down). +# If down the check returns a critical status. +# * Allow either textual or the numeric index value. +# * If the interface speed is not specified on the command line +# it gets it automatically from IfSpeed +# * Added option for second ifSpeed to allow for asymetrcal links +# such as a DSL line or cable modem where the download and upload +# speeds are different +# * Added -B option to display results in bits/sec instead of Bytes/sec +# * Added the current usage in Bytes/s (or bit/s) to the perfdata output +# * Added ability for plugin to determine interface to query by matching IP +# address of host with entry in ipAdEntIfIndex (.1.3.6.1.2.1.4.20.1.2) +# * Added -L flag to list entries found in the ipAdEntIfIndex table +# Otherwise, it works as before. +# +# +# +# +# based on check_traffic from Adrian Wieczorek, +# +# Send us bug reports, questions and comments about this plugin. +# Latest version of this software: http://www.nagiosexchange.org +# +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307 + +use strict; + +use Net::SNMP; +use Getopt::Long; +&Getopt::Long::config('bundling'); + +use Data::Dumper; + +my $host_ip; +my $host_address; +my $iface_number; +my $iface_descr; +my $iface_speed; +my $iface_speedOut; +my $index_list; +my $opt_h; +my $units; + +my $session; +my $error; +my $port = 161; +my $snmp_version = 1; + +my @snmpoids; + +# SNMP OIDs for Traffic +my $snmpIfOperStatus = '1.3.6.1.2.1.2.2.1.8'; +my $snmpIfInOctets = '1.3.6.1.2.1.2.2.1.10'; +my $snmpIfOutOctets = '1.3.6.1.2.1.2.2.1.16'; +my $snmpIfDescr = '1.3.6.1.2.1.2.2.1.2'; +my $snmpIfSpeed = '1.3.6.1.2.1.2.2.1.5'; +my $snmpIPAdEntIfIndex = '1.3.6.1.2.1.4.20.1.2'; + +my $response; + +# Path to tmp files +my $TRAFFIC_FILE = "/tmp/traffic"; + +# changes sos 20090717 UNKNOWN must bes 3 +my %STATUS_CODE = + ( 'UNKNOWN' => '3', 'OK' => '0', 'WARNING' => '1', 'CRITICAL' => '2' ); + +#default values; +my $state = "UNKNOWN"; +my $if_status = '4'; +my ( $in_bytes, $out_bytes ) = 0; +my $warn_usage = 85; +my $crit_usage = 98; +my $COMMUNITY = "public"; +my $use_reg = undef; # Use Regexp for name +my $output = ""; +my $bits = undef; +my $suffix = "Bs"; +my $label = "MBytes"; + +#added 20050614 by mw +my $max_value; +my $max_bytes; + +#cosmetic changes 20050614 by mw, see old versions for detail +# Added options for bits and second max ifspeed 20100202 by gj +# Added options for specificy IP addr to match 20100405 by gj +my $status = GetOptions( + "h|help" => \$opt_h, + 'B' => \$bits, + 'bits' => \$bits, + "C|community=s" => \$COMMUNITY, + "w|warning=s" => \$warn_usage, + "c|critical=s" => \$crit_usage, + "b|bandwidth|I|inBandwidth=i" => \$iface_speed, + "O|outBandwidth=i" => \$iface_speedOut, + 'r' => \$use_reg, + 'noregexp' => \$use_reg, + "p|port=i" => \$port, + "u|units=s" => \$units, + "i|interface=s" => \$iface_number, + "A|address=s" => \$host_ip, + "H|hostname=s" => \$host_address, + 'L' => \$index_list, + 'list' => \$index_list, + + #added 20050614 by mw + "M|max=i" => \$max_value +); + +if ( $status == 0 ) { + print_help(); + exit $STATUS_CODE{'OK'}; +} + +# Changed 20091214 gj +# Check for missing options +#if ( ( !$host_address ) or ( !$iface_descr ) ) { +if ( !$host_address ) { + print "\nMissing host address!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $iface_speed ) and ( !$units ) ){ + print "\nMissing units!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $units ) and ( ( !$iface_speed ) and ( !$iface_speedOut ) ) ) { + print "\nMissing interface maximum speed!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $iface_speedOut ) and ( !$units ) ) { + print "\nMissing units for Out maximum speed!\n\n"; + stop(print_usage(),"OK"); +} + + +if ($bits) { + $suffix = "bs" +} + +if ( !$iface_speed ) { + # Do nothing +}else{ + + #change 20050414 by mw + # Added iface_speedOut 20100202 by gj + # Convert interface speed to kiloBytes + $iface_speed = bits2bytes( $iface_speed, $units ) / 1024; + if ( $iface_speedOut ) { + $iface_speedOut = bits2bytes( $iface_speedOut, $units ) / 1024; + } + if ( !$max_value ) { + + # If no -M Parameter was set, set it to 32Bit Overflow + $max_bytes = 4194304 ; # the value is (2^32/1024) + } + else { + $max_bytes = unit2bytes( $max_value, $units ); + } +} + +if ( $snmp_version =~ /[12]/ ) { + ( $session, $error ) = Net::SNMP->session( + -hostname => $host_address, + -community => $COMMUNITY, + -port => $port, + -version => $snmp_version + ); + + if ( !defined($session) ) { + stop("UNKNOWN: $error","UNKNOWN"); + } +} +elsif ( $snmp_version =~ /3/ ) { + $state = 'UNKNOWN'; + stop("$state: No support for SNMP v3 yet\n",$state); +} +else { + $state = 'UNKNOWN'; + stop("$state: No support for SNMP v$snmp_version yet\n",$state); +} + +# Neither Interface Index nor Host IP address were specified +if ( !$iface_descr ) { + if ( !$host_ip ){ + # try to resolve host name and find index from ip addr + $iface_descr = fetch_Ip2IfIndex( $session, $host_address ); + } else { + # Use ip addr to find index + $iface_descr = fetch_Ip2IfIndex( $session, $host_ip ); + } +} + +#push( @snmpoids, $snmpIPAdEntIfIndex . "." . $host_address ); + +# Added 20091209 gj +# Detect if a string description was given or a numberic interface index number +if ( $iface_descr =~ /[^0123456789]+/ ) { + $iface_number = fetch_ifdescr( $session, $iface_descr ); +}else{ + $iface_number = $iface_descr; +} + +push( @snmpoids, $snmpIfSpeed . "." . $iface_number ); +push( @snmpoids, $snmpIfOperStatus . "." . $iface_number ); +push( @snmpoids, $snmpIfInOctets . "." . $iface_number ); +push( @snmpoids, $snmpIfOutOctets . "." . $iface_number ); + +if ( !defined( $response = $session->get_request(@snmpoids) ) ) { + my $answer = $session->error; + $session->close; + + stop("WARNING: SNMP error: $answer\n", "WARNING"); +} + +# Added 20091209 gj +# Get interface speed from device if not provided on command line +# Convert to kiloBytes +if ( !$iface_speed ) { + $iface_speed = $response->{ $snmpIfSpeed . "." . $iface_number }; + $units = "b"; + $iface_speed = bits2bytes( $iface_speed, $units ) / 1024; +} + +# Added 20100201 gj +# Check if Out max speed was provided, use same if speed for both if not +if (!$iface_speedOut) { + $iface_speedOut = $iface_speed; +} + +$if_status = $response->{ $snmpIfOperStatus . "." . $iface_number }; +$in_bytes = $response->{ $snmpIfInOctets . "." . $iface_number } / 1024; # in kiloBytes +$out_bytes = $response->{ $snmpIfOutOctets . "." . $iface_number } / 1024; # in kiloBytes + +$session->close; + +my $row; +my $last_check_time = time - 1; +my $last_in_bytes = $in_bytes; +my $last_out_bytes = $out_bytes; + +if ( + open( FILE, + "<" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address + ) + ) +{ + while ( $row = ) { + + #cosmetic change 20050416 by mw + #Couldn't sustain;-) +## chomp(); + ( $last_check_time, $last_in_bytes, $last_out_bytes ) = + split( ":", $row ); + + ### by sos 17.07.2009 check for last_bytes + if ( ! $last_in_bytes ) { $last_in_bytes=$in_bytes; } + if ( ! $last_out_bytes ) { $last_out_bytes=$out_bytes; } + + if ($last_in_bytes !~ m/\d/) { $last_in_bytes=$in_bytes; } + if ($last_out_bytes !~ m/\d/) { $last_out_bytes=$out_bytes; } + } + close(FILE); +} + +my $update_time = time; + +open( FILE, ">" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address ) + or die "Can't open $TRAFFIC_FILE for writing: $!"; + +printf FILE ( "%s:%.0ld:%.0ld\n", $update_time, $in_bytes, $out_bytes ); +close(FILE); + +my $db_file; + +#added 20050614 by mw +#Check for and correct counter overflow (if possible). +#See function counter_overflow. +$in_bytes = counter_overflow( $in_bytes, $last_in_bytes, $max_bytes ); +$out_bytes = counter_overflow( $out_bytes, $last_out_bytes, $max_bytes ); + +# Calculate traffic since last check (RX\TX) in kiloBytes +my $in_traffic = sprintf( "%.2lf", + ( $in_bytes - $last_in_bytes ) / ( time - $last_check_time ) ); +my $out_traffic = sprintf( "%.2lf", + ( $out_bytes - $last_out_bytes ) / ( time - $last_check_time ) ); + +# sos 20090717 changed due to rrdtool needs bytes +my $in_traffic_absolut = $in_bytes * 1024 ; +my $out_traffic_absolut = $out_bytes * 1024; + +# Calculate usage percentages +my $in_usage = sprintf( "%.2f", ( 1.0 * $in_traffic * 100 ) / $iface_speed ); +my $out_usage = sprintf( "%.2f", ( 1.0 * $out_traffic * 100 ) / $iface_speedOut ); + + +if ($bits) { + # Convert output from Bytes to bits + $in_bytes = $in_bytes * 8; + $out_bytes = $out_bytes * 8; + $in_traffic = $in_traffic * 8; + $out_traffic = $out_traffic * 8; + $label = "Mbits"; +} + +my $in_prefix = "K"; +my $out_prefix = "K"; + +if ( $in_traffic > 1024 ) { + $in_traffic = sprintf( "%.2f", $in_traffic / 1024 ); + $in_prefix = "M"; +} +if ( $out_traffic > 1024 ) { + $out_traffic = sprintf( "%.2f", $out_traffic / 1024 ); + $out_prefix = "M"; +} +if ( $in_traffic > 1024 * 1024 ) { + $in_traffic = sprintf( "%.2f", $in_traffic / 1024 * 1024 ); + $in_prefix = "G"; +} +if ( $out_traffic > 1024 * 1024 ) { + $out_traffic = sprintf( "%.2f",$out_traffic / 1024 * 1024 ); + $out_prefix = "G"; +} + +# Convert from kiloBytes to megaBytes +$in_bytes = sprintf( "%.2f", $in_bytes / 1024 ); +$out_bytes = sprintf( "%.2f", $out_bytes / 1024 ); + +$state = "OK"; + +# Added 20091209 by gj +if ( $if_status != 1 ) { + $output = "Interface $iface_descr is down!"; + +}else{ + $output = + "Average IN: " + . $in_traffic . $in_prefix . $suffix . " (" . $in_usage . "%), " + . "Average OUT: " . $out_traffic . $out_prefix . $suffix . " (" . $out_usage . "%)
"; + $output .= "Total RX: $in_bytes $label, Total TX: $out_bytes $label"; +} + +# Changed 20091209 gj +if ( ( $in_usage > $crit_usage ) or ( $out_usage > $crit_usage ) or ( $if_status != 1 ) ) { + $state = "CRITICAL"; +} + +if ( ( $in_usage > $warn_usage ) + or ( $out_usage > $warn_usage ) && $state eq "OK" ) +{ + $state = "WARNING"; +} + +# Changed 20091209 gj +$output = "$state - $output" + if ( $state ne "OK" ); + +# Changed 20091214 gj - commas should have been semi colons +$output .= +"|inUsage=$in_usage%;$warn_usage;$crit_usage outUsage=$out_usage%;$warn_usage;$crit_usage" + . " inBandwidth=" . $in_traffic . $in_prefix . $suffix . " outBandwidth=" . $out_traffic . $out_prefix . $suffix + . " inAbsolut=$in_traffic_absolut outAbsolut=$out_traffic_absolut"; + +stop($output, $state); + + +sub fetch_Ip2IfIndex { + my $state; + my $response; + + my $snmpkey; + my $answer; + my $key; + + my ( $session, $host ) = @_; + + + # Determine if we have a host name or IP addr + if ( $host =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ ){ + #print "\nI found an IP address\n\n"; + } else { + $host = get_ip ( $host ); + #print "\nWe have a host name $host\n\n"; + } + + # Quit if results not found + if ( !defined( $response = $session->get_table($snmpIPAdEntIfIndex) ) ) { + $answer = $session->error; + $session->close; + $state = 'CRITICAL'; + $session->close; + exit $STATUS_CODE{$state}; + } + + + my %resp = %{$response}; +# foreach $key ( keys %{$response} ) { + + if ( $index_list ){ + print ("\nInterfaces found:\n"); + print (" IP Addr\tIndex\n"); + print ("------------------------\n"); + } + # Check each returned value + foreach $key ( keys %resp ) { + + if ( $index_list ){ + my $index_addr = substr $key, 21; + print ($index_addr,"\t ",$resp{$key},"\n"); + } + + # Check for ip address mathcin in returned index results + if ( $key =~ /$host$/ ) { + $snmpkey = $resp{$key}; + } + } + unless ( defined $snmpkey ) { + $session->close; + $state = 'CRITICAL'; + printf "$state: Could not match $host \n"; + exit $STATUS_CODE{$state}; + } + return $snmpkey; +} + +sub fetch_ifdescr { + my $state; + my $response; + + my $snmpkey; + my $answer; + my $key; + + my ( $session, $ifdescr ) = @_; + + if ( !defined( $response = $session->get_table($snmpIfDescr) ) ) { + $answer = $session->error; + $session->close; + $state = 'CRITICAL'; + $session->close; + exit $STATUS_CODE{$state}; + } + + foreach $key ( keys %{$response} ) { + + # added 20070816 by oer: remove trailing 0 Byte for Windows :-( + my $resp=$response->{$key}; + $resp =~ s/\x00//; + + + my $test = defined($use_reg) + ? $resp =~ /$ifdescr/ + : $resp eq $ifdescr; + + if ($test) { + + ###if ( $resp =~ /^$ifdescr$/ ) { + ###if ( $resp =~ /$ifdescr/ ) { + ### print "$resp \n"; + ###if ( $response->{$key} =~ /^$ifdescr$/ ) { + + $key =~ /.*\.(\d+)$/; + $snmpkey = $1; + + # print "$ifdescr = $key / $snmpkey \n"; #debug + } + } + unless ( defined $snmpkey ) { + $session->close; + $state = 'CRITICAL'; + printf "$state: Could not match $ifdescr \n"; + exit $STATUS_CODE{$state}; + } + return $snmpkey; +} + +#added 20050416 by mw +#Converts an input value to value in bits +sub bits2bytes { + return unit2bytes(@_) / 8; +} + +#added 20050416 by mw +#Converts an input value to value in bytes +sub unit2bytes { + my ( $value, $unit ) = @_; + + if ( $unit eq "g" ) { + return $value * 1024 * 1024 * 1024; + } + elsif ( $unit eq "m" ) { + return $value * 1024 * 1024; + } + elsif ( $unit eq "k" ) { + return $value * 1024; + } + elsif ( $unit eq "b" ) { + return $value * 1; + } + else { + print "You have to supply a supported unit\n"; + exit $STATUS_CODE{'UNKNOWN'}; + } +} + +#added 20050414 by mw +#This function detects if an overflow occurs. If so, it returns +#a computed value for $bytes. +#If there is no counter overflow it simply returns the origin value of $bytes. +#IF there is a Counter reboot wrap, just use previous output. +sub counter_overflow { + my ( $bytes, $last_bytes, $max_bytes ) = @_; + + $bytes += $max_bytes if ( $bytes < $last_bytes ); + $bytes = $last_bytes if ( $bytes < $last_bytes ); + return $bytes; +} + +# Added 20100202 by gj +# Print results and exit script +sub stop { + my $result = shift; + my $exit_code = shift; + print $result . "\n"; + exit ( $STATUS_CODE{$exit_code} ); +} + +# Added 20100405 by gj +# Lookup hosts ip address +sub get_ip { + use Net::DNS; + + my ( $host_name ) = @_; + + my $res = Net::DNS::Resolver->new; + my $query = $res->search($host_name); + + if ($query) { + foreach my $rr ($query->answer) { + next unless $rr->type eq "A"; + #print $rr->address, "\n"; + return $rr->address; + } + } else { + + stop("Error: IP address not resolved\n","UNKNOWN"); + } +} + +#cosmetic changes 20050614 by mw +#Couldn't sustain "HERE";-), either. +sub print_usage { + print <> /var/lib/nagios3/host-perfdata.out + } + + +# 'process-service-perfdata' command definition +define command{ + command_name process-service-perfdata + command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out + } diff --git a/roles/icinga/files/contacts_icinga.cfg b/roles/icinga/files/contacts_icinga.cfg new file mode 100644 index 0000000..8a66285 --- /dev/null +++ b/roles/icinga/files/contacts_icinga.cfg @@ -0,0 +1,59 @@ +############################################################################### +# contacts.cfg +############################################################################### + + + +############################################################################### +############################################################################### +# +# CONTACTS +# +############################################################################### +############################################################################### + +# In this simple config file, a single contact will receive all alerts. + +#define contact{ +# contact_name root +# alias Root +# service_notification_period 24x7 +# host_notification_period 24x7 +# service_notification_options w,u,c,r +# host_notification_options d,r +# service_notification_commands notify-service-by-email +# host_notification_commands notify-host-by-email +# email root@localhost +# } + + +define contact{ + contact_name admin + alias Administrateur + service_notification_period 24x7 + host_notification_period 24x7 + service_notification_options w,u,c,r + host_notification_options d,r + service_notification_commands notify-service-by-email + host_notification_commands notify-host-by-email + email icinga.ppe31@gmail.com + } + + + +############################################################################### +############################################################################### +# +# CONTACT GROUPS +# +############################################################################### +############################################################################### + +# We only have one contact in this simple configuration file, so there is +# no need to create more than one contact group. + +define contactgroup{ + contactgroup_name admins + alias Nagios Administrators + members admin + } diff --git a/roles/icinga/files/dns.cfg b/roles/icinga/files/dns.cfg new file mode 100644 index 0000000..5b69aca --- /dev/null +++ b/roles/icinga/files/dns.cfg @@ -0,0 +1,11 @@ +# 'check_dns' command definition +define command{ + command_name check_dns + command_line /usr/lib/nagios/plugins/check_dns -H www.dfco.fr -s '$HOSTADDRESS$' +} + +# 'check_dig' command definition +define command{ + command_name check_dig + command_line /usr/lib/nagios/plugins/check_dig -H '$HOSTADDRESS$' -l '$ARG1$' +} diff --git a/roles/icinga/files/icinga.cfg b/roles/icinga/files/icinga.cfg new file mode 100644 index 0000000..fde1780 --- /dev/null +++ b/roles/icinga/files/icinga.cfg @@ -0,0 +1,1494 @@ +############################################################################## +# +# ICINGA.CFG - Sample Main Config File for Icinga +# +# Read the documentation for more information on this configuration +# file. I've provided some comments here, but things may not be so +# clear without further explanation. +# +############################################################################## + + +# LOG FILE +# This is the main log file where service and host events are logged +# for historical purposes. This should be the first option specified +# in the config file!!! + +log_file=/var/log/icinga/icinga.log + +# Commands definitions +cfg_file=/etc/icinga/commands.cfg + +# Debian also defaults to using the check commands defined by the debian +# nagios-plugins package +cfg_dir=/etc/nagios-plugins/config + +# OBJECT CONFIGURATION FILE(S) +# These are the object configuration files in which you define hosts, +# host groups, contacts, contact groups, services, etc. +# Hint: Check the docs/wiki on how to monitor remote hosts with different +# transport methods and plugins + +# Debian uses by default a configuration directory where icinga-common, +# other packages and the local admin can dump or link configuration +# files into. +cfg_dir=/etc/icinga/objects/ + +# Definitions for ido2db process checks +#cfg_file=/etc/icinga/objects/ido2db_check_proc.cfg + +# Definitions for broker modules like idoutils.cfg +cfg_dir=/etc/icinga/modules + + + +# OBJECT CACHE FILE +# This option determines where object definitions are cached when +# Icinga starts/restarts. The CGIs read object definitions from +# this cache file (rather than looking at the object config files +# directly) in order to prevent inconsistencies that can occur +# when the config files are modified after Icinga starts. +# If you explicitely set it to /dev/null the core will skip writing +# the objects cache file entirely. +# Note: This is a mandatory output for Icinga Classic UI to work properly. +# Tip: Use that file to debug your configuration with fully resolved +# objects like the core sees them. + +object_cache_file=/var/cache/icinga/objects.cache + + + +# PRE-CACHED OBJECT FILE +# This options determines the location of the precached object file. +# If you run Icinga with the -p command line option, it will preprocess +# your object configuration file(s) and write the cached config to this +# file. You can then start Icinga with the -u option to have it read +# object definitions from this precached file, rather than the standard +# object configuration files (see the cfg_file and cfg_dir options above). +# Using a precached object file can speed up the time needed to (re)start +# the Icinga process if you've got a large and/or complex configuration. +# Read the documentation section on optimizing Icinga to find our more +# about how this feature works. + +precached_object_file=/var/cache/icinga/objects.precache + + + +# RESOURCE FILE +# This is an optional resource file that contains $USERx$ macro +# definitions. Multiple resource files can be specified by using +# multiple resource_file definitions. The CGIs will not attempt to +# read the contents of resource files, so information that is +# considered to be sensitive (usernames, passwords, etc) can be +# defined as macros in this file and restrictive permissions (600) +# can be placed on this file. + +resource_file=/etc/icinga/resource.cfg + + + +# STATUS FILE +# This is where the current status of all monitored services and +# hosts is stored. Its contents are read and processed by the CGIs. +# The contents of the status file are deleted every time Icinga +# restarts. +# If you explicitely set it to /dev/null the core will skip writing +# the status file entirely. This becomes handy when using other methods +# for data retrieval (e.g. IDOUtils DB) +# Note: This is a mandatory output for Icinga Classic UI to work properly. + +status_file=/var/lib/icinga/status.dat + + + +# STATUS FILE UPDATE INTERVAL +# This option determines the frequency (in seconds) that +# Icinga will periodically dump program, host, and +# service status data. +# Increase the value, if you don't require it that often. + +#status_update_interval=30 +status_update_interval=10 + + + +# ICINGA USER +# This determines the effective user that Icinga should run as. +# You can either supply a username or a UID. + +icinga_user=nagios + + + +# ICINGA GROUP +# This determines the effective group that Icinga should run as. +# You can either supply a group name or a GID. + +icinga_group=nagios + + + +# EXTERNAL COMMAND OPTION +# This option allows you to specify whether or not Icinga should check +# for external commands (in the command file defined below). By default +# Icinga will *not* check for external commands, just to be on the +# cautious side. If you want to be able to use the CGI command interface +# you will have to enable this. +# Values: 0 = disable commands, 1 = enable commands + +check_external_commands=1 + + + +# EXTERNAL COMMAND CHECK INTERVAL +# This is the interval at which Icinga should check for external commands. +# This value works of the interval_length you specify later. If you leave +# that at its default value of 60 (seconds), a value of 1 here will cause +# Icinga to check for external commands every minute. If you specify a +# number followed by an "s" (i.e. 15s), this will be interpreted to mean +# actual seconds rather than a multiple of the interval_length variable. +# Note: In addition to reading the external command file at regularly +# scheduled intervals, Icinga will also check for external commands after +# event handlers are executed. +# NOTE: Setting this value to -1 causes Icinga to check the external +# command file as often as possible. + +#command_check_interval=15s +command_check_interval=-1 + + + +# EXTERNAL COMMAND FILE +# This is the file that Icinga checks for external command requests. +# It is also where the command CGI will write commands that are submitted +# by users, so it must be writeable by the user that the web server +# is running as (usually 'nobody'). Permissions should be set at the +# directory level instead of on the file, as the file is deleted every +# time its contents are processed. +# Debian Users: In case you didn't read README.Debian yet, _NOW_ is the +# time to do it. + +command_file=/var/lib/icinga/rw/icinga.cmd + + + +# EXTERNAL COMMAND BUFFER SLOTS +# This settings is used to tweak the number of items or "slots" that +# the Icinga daemon should allocate to the buffer that holds incoming +# external commands before they are processed. As external commands +# are processed by the daemon, they are removed from the buffer. +# Increase the value, if you are using addons like check_mk supplying +# more external commands (passive check results) than usual. + +#external_command_buffer_slots=32768 +external_command_buffer_slots=4096 + + + +# LOCK FILE +# This is the lockfile that Icinga will use to store its PID number +# in when it is running in daemon mode. + +lock_file=/var/run/icinga/icinga.pid + + + +# TEMP FILE +# This is a temporary file that is used as scratch space when Icinga +# updates the status log, cleans the comment file, etc. This file +# is created, used, and deleted throughout the time that Icinga is +# running. + +temp_file=/var/cache/icinga/icinga.tmp + + + +# TEMP PATH +# This is path where Icinga can create temp files for service and +# host check results, etc. + +temp_path=/tmp + + + +# EVENT BROKER OPTIONS +# Controls what (if any) data gets sent to the event broker. +# Values: 0 = Broker nothing +# -1 = Broker everything +# = See documentation + +event_broker_options=-1 + + + +# EVENT BROKER MODULE(S) +# ----> use the new *module definition* instead: +# ----> http://docs.icinga.org/latest/en/objectdefinitions.html +# +# Example definitions can be found in the '/etc/icinga/modules/' directory. +# If you want to enable idoutils in Debian install icinga-idoutils and copy +# /usr/share/doc/icinga-idoutils/examples/idoutils.cfg-sample to +# /etc/icinga/modules/idoutils.cfg. +# Don't forget to also enable the daemon in /etc/default/icinga + +# LOG ROTATION METHOD +# This is the log rotation method that Icinga should use to rotate +# the main log file. Values are as follows.. +# n = None - don't rotate the log +# h = Hourly rotation (top of the hour) +# d = Daily rotation (midnight every day) +# w = Weekly rotation (midnight on Saturday evening) +# m = Monthly rotation (midnight last day of month) + +log_rotation_method=d + + + +# LOG ARCHIVE PATH +# This is the directory where archived (rotated) log files should be +# placed (assuming you've chosen to do log rotation). + +log_archive_path=/var/log/icinga/archives + + + +# LOGGING OPTIONS FOR DAEMON +# If you want messages logged to the daemon log file (usually icinga.log). +# Default option is 1 (yes), the other valid option is 0 (no) + +use_daemon_log=1 + + + +# LOGGING OPTIONS FOR SYSLOG +# If you want messages logged to the syslog facility, as well as the +# Icinga log file set this option to 1. If not, set it to 0. + +use_syslog=1 + + + +# SYSLOG FACILITY +# If you enabled use_syslog you can set icinga to use a local facility +# instead of the default.To enable set this option to 1, if not, set it to 0. + +use_syslog_local_facility=0 + + + +# SYSLOG LOCAL FACILITY +# If you specified the use_syslog_local_facility you can chose which +# local facility to use. Valid values are from 0 to 7 + +syslog_local_facility=5 + + + +# NOTIFICATION LOGGING OPTION +# If you don't want notifications to be logged, set this value to 0. +# If notifications should be logged, set the value to 1. + +log_notifications=1 + + + +# SERVICE RETRY LOGGING OPTION +# If you don't want service check retries to be logged, set this value +# to 0. If retries should be logged, set the value to 1. + +log_service_retries=1 + + + +# HOST RETRY LOGGING OPTION +# If you don't want host check retries to be logged, set this value to +# 0. If retries should be logged, set the value to 1. + +log_host_retries=1 + + + +# EVENT HANDLER LOGGING OPTION +# If you don't want host and service event handlers to be logged, set +# this value to 0. If event handlers should be logged, set the value +# to 1. + +log_event_handlers=1 + + + +# INITIAL STATES LOGGING OPTION +# If you want Icinga to log all initial host and service states to +# the main log file (the first time the service or host is checked) +# you can enable this option by setting this value to 1. If you +# are not using an external application that does long term state +# statistics reporting, you do not need to enable this option. In +# this case, set the value to 0. + +log_initial_states=0 + + + +# CURRENT STATES LOGGING OPTION +# If you don't want Icinga to log all current host and service states +# after log has been rotated to the main log file, you can disable this +# option by setting this value to 0. Default value is 1. + +log_current_states=1 + + + +# EXTERNAL COMMANDS LOGGING OPTION +# If you don't want Icinga to log external commands, set this value +# to 0. If external commands should be logged, set this value to 1. +# Note: This option does not include logging of passive service +# checks - see the option below for controlling whether or not +# passive checks are logged. + +log_external_commands=1 + + + +# LOG ANONYMIZED EXTERNAL COMMAND AUTHOR !!EXPERIMENTAL!! +# This option substitutes the user name on external commands with +# the string "" if the command gets logged. It is +# anonymized in log files only. This option was added to make +# icinga compliant with data retention laws on various countries. +# This option is disabled by default. + +log_anonymized_external_command_author=0 + + + +# PASSIVE CHECKS LOGGING OPTION +# If you don't want Icinga to log passive host and service checks, set +# this value to 0. If passive checks should be logged, set +# this value to 1. + +log_passive_checks=1 + + + +# LONG PLUGIN OUTPUT LOGGING OPTION +# If you want Icinga to log the complete text of the plugin output +# to the log instead of only the first line then set this value to 1. +# Default value is 0. + +log_long_plugin_output=0 + + + +# GLOBAL HOST AND SERVICE EVENT HANDLERS +# These options allow you to specify a host and service event handler +# command that is to be run for every host or service state change. +# The global event handler is executed immediately prior to the event +# handler that you have optionally specified in each host or +# service definition. The command argument is the short name of a +# command definition that you define in your host configuration file. +# Read the HTML docs for more information. + +#global_host_event_handler=somecommand +#global_service_event_handler=somecommand + + + +# SERVICE INTER-CHECK DELAY METHOD +# This is the method that Icinga should use when initially +# "spreading out" service checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all service checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! This is not a +# good thing for production, but is useful when testing the +# parallelization functionality. +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +service_inter_check_delay_method=s + + + +# MAXIMUM SERVICE CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all services should +# be completed. Default is 30 minutes. + +max_service_check_spread=30 + + + +# SERVICE CHECK INTERLEAVE FACTOR +# This variable determines how service checks are interleaved. +# Interleaving the service checks allows for a more even +# distribution of service checks and reduced load on remote +# hosts. Setting this value to 1 is equivalent to how versions +# of Icinga previous to 0.0.5 did service checks. Set this +# value to s (smart) for automatic calculation of the interleave +# factor unless you have a specific reason to change it. +# s = Use "smart" interleave factor calculation +# x = Use an interleave factor of x, where x is a +# number greater than or equal to 1. + +service_interleave_factor=s + + + +# HOST INTER-CHECK DELAY METHOD +# This is the method that Icinga should use when initially +# "spreading out" host checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all host checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +host_inter_check_delay_method=s + + + +# MAXIMUM HOST CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all hosts should +# be completed. Default is 30 minutes. + +max_host_check_spread=30 + + + +# MAXIMUM CONCURRENT SERVICE CHECKS +# This option allows you to specify the maximum number of +# service checks that can be run in parallel at any given time. +# Specifying a value of 1 for this variable essentially prevents +# any service checks from being parallelized. A value of 0 +# will not restrict the number of concurrent checks that are +# being executed. + +max_concurrent_checks=0 + + + +# HOST AND SERVICE CHECK REAPER FREQUENCY +# This is the frequency (in seconds!) that Icinga will process +# the results of host and service checks. +# Lower this value in larger environments to allow faster +# check result processing (requires more cpu power). + +#check_result_reaper_frequency=1 +check_result_reaper_frequency=10 + + + + +# MAX CHECK RESULT REAPER TIME +# This is the max amount of time (in seconds) that a single +# check result reaper event will be allowed to run before +# returning control back to Icinga so it can perform other +# duties. + +max_check_result_reaper_time=30 + + + + +# CHECK RESULT PATH +# This is directory where Icinga stores the results of host and +# service checks that have not yet been processed. +# +# Note: Make sure that only one instance of Icinga has access +# to this directory! + +check_result_path=/var/lib/icinga/spool/checkresults + + + + +# MAX CHECK RESULT FILE AGE +# This option determines the maximum age (in seconds) which check +# result files are considered to be valid. Files older than this +# threshold will be mercilessly deleted without further processing. + +max_check_result_file_age=3600 + + + + +# MAX CHECK RESULT LIST ITEMS !!EXPERIMENTAL!! +# This experimental option allows you to set the max number of items +# the checkresult reaper will put onto the checkresult list for further +# processing by the core. If there are too many, the reaping will be +# terminated early, allowing the core to process the results sooner. +# On larger setups, that list might grow too much, and decrease +# performance on processing. You might experiment with that value, the +# inner core default is set to 0, disabling that feature. +# Values: +# 0 = Disable max check result list items +# number = set max check result list items + +#max_check_result_list_items=1024 + + + + +# CACHED HOST CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous host check is considered current. +# Cached host states (from host checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to the host check logic. +# Too high of a value for this option may result in inaccurate host +# states being used by Icinga, while a lower value may result in a +# performance hit for host checks. Use a value of 0 to disable host +# check caching. + +cached_host_check_horizon=15 + + + +# CACHED SERVICE CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous service check is considered current. +# Cached service states (from service checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to predictive dependency checks. +# Use a value of 0 to disable service check caching. + +cached_service_check_horizon=15 + + + +# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS +# This option determines whether or not Icinga will attempt to execute +# checks of hosts when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# host dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_host_dependency_checks=1 + + + +# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS +# This option determines whether or not Icinga will attempt to execute +# checks of service when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# service dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_service_dependency_checks=1 + + + +# SOFT STATE DEPENDENCIES +# This option determines whether or not Icinga will use soft state +# information when checking host and service dependencies. Normally +# Icinga will only use the latest hard host or service state when +# checking dependencies. If you want it to use the latest state (regardless +# of whether its a soft or hard state type), enable this option. +# Values: +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies + +soft_state_dependencies=0 + + + +# TIME CHANGE ADJUSTMENT THRESHOLDS +# These options determine when Icinga will react to detected changes +# in system time (forward into the future). + +#time_change_threshold=900 + + + +# AUTO-RESCHEDULING OPTION +# This option determines whether or not Icinga will attempt to +# automatically reschedule active host and service checks to +# "smooth" them out over time. This can help balance the load on +# the monitoring server. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_reschedule_checks=0 + + + +# AUTO-RESCHEDULING INTERVAL +# This option determines how often (in seconds) Icinga will +# attempt to automatically reschedule checks. This option only +# has an effect if the auto_reschedule_checks option is enabled. +# Default is 30 seconds. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_interval=30 + + + +# AUTO-RESCHEDULING WINDOW +# This option determines the "window" of time (in seconds) that +# Icinga will look at when automatically rescheduling checks. +# Only host and service checks that occur in the next X seconds +# (determined by this variable) will be rescheduled. This option +# only has an effect if the auto_reschedule_checks option is +# enabled. Default is 180 seconds (3 minutes). +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_window=180 + + + +# SLEEP TIME +# This is the number of seconds to sleep between checking for system +# events and service checks that need to be run. + +sleep_time=0.25 + + + +# TIMEOUT VALUES +# These options control how much time Icinga will allow various +# types of commands to execute before killing them off. Options +# are available for controlling maximum time allotted for +# service checks, host checks, event handlers, notifications, the +# ocsp command, and performance data commands. All values are in +# seconds. +# Increase the timeout values in case you are experiencing a lot +# of check timeouts. Addons like e.g. check_mk will perform +# one combined active servicecheck which could take longer than +# the default of 60sec. + +#service_check_timeout=120 +service_check_timeout=60 +host_check_timeout=30 +event_handler_timeout=30 +notification_timeout=30 +ocsp_timeout=5 +perfdata_timeout=5 + + + +# RETAIN STATE INFORMATION +# This setting determines whether or not Icinga will save state +# information for services and hosts before it shuts down. Upon +# startup Icinga will reload all saved service and host state +# information before starting to monitor. This is useful for +# maintaining long-term data on state statistics, etc, but will +# slow Icinga down a bit when it (re)starts. Since its only +# a one-time penalty, I think its well worth the additional +# startup delay. + +retain_state_information=1 + + + +# STATE RETENTION FILE +# This is the file that Icinga should use to store host and +# service state information before it shuts down. The state +# information in this file is also read immediately prior to +# starting to monitor the network when Icinga is restarted. +# This file is used only if the retain_state_information +# variable is set to 1. + +state_retention_file=/var/cache/icinga/retention.dat + + + +# SYNC FILE +# This is an advanced facility to pass a subset of retention +# information into Icinga on a running system. This is similar +# to the state retention file with the following difference: +# +# - if the last_check value is less than the current last_check, +# then the state information is ignored (this must be specified +# immediately after the object identifiers) +# +# - downtimes and comments are not identified by an id number, but +# by other "similar characteristics". This is required to work in +# a distributed Nagios environment +# * downtimes: hostname, servicename (if appropriate), author, +# comment, start_time, end_time, fixed, duration +# * comments: hostname, servicename, author, comment +# +# If this variable is set, then on Icinga startup, the sync file +# will be read after the retention file has been processed. If the +# file is read successfully, it will be removed. +# If the file does not exist, no error will appear. +# There is also an API that will force a read of the sync file. + +#sync_retention_file=/var/cache/icinga/sync.dat + + + +# RETENTION DATA UPDATE INTERVAL +# This setting determines how often (in minutes) that Icinga +# will automatically save retention data during normal operation. +# If you set this value to 0, Icinga will not save retention +# data at regular interval, but it will still save retention +# data before shutting down or restarting. If you have disabled +# state retention, this option has no effect. + +retention_update_interval=60 + + + +# USE RETAINED PROGRAM STATE +# This setting determines whether or not Icinga will set +# program status variables based on the values saved in the +# retention file. If you want to use retained program status +# information, set this value to 1. If not, set this value +# to 0. + +use_retained_program_state=1 + + +# DUMP RETAINED HOST SERVICE STATES TO NEB +# This setting determines wether or not Icinga will dump host +# and service states based on the values saved in the retention +# file to the neb modules. It will already do that on event loop +# initialization. +# Changed in Icinga 1.10 to disabled - re-enable if you require it. + +dump_retained_host_service_states_to_neb=0 + + + +# USE RETAINED SCHEDULING INFO +# This setting determines whether or not Icinga will retain +# the scheduling info (next check time) for hosts and services +# based on the values saved in the retention file. If you +# If you want to use retained scheduling info, set this +# value to 1. If not, set this value to 0. + +use_retained_scheduling_info=1 + + + +# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE) +# The following variables are used to specify specific host and +# service attributes that should *not* be retained by Icinga during +# program restarts. +# +# The values of the masks are bitwise ANDs of values specified +# by the "MODATTR_" definitions found in include/common.h. +# For example, if you do not want the current enabled/disabled state +# of flap detection and event handlers for hosts to be retained, you +# would use a value of 24 for the host attribute mask... +# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24 + +# This mask determines what host attributes are not retained +retained_host_attribute_mask=0 + +# This mask determines what service attributes are not retained +retained_service_attribute_mask=0 + +# These two masks determine what process attributes are not retained. +# There are two masks, because some process attributes have host and service +# options. For example, you can disable active host checks, but leave active +# service checks enabled. +retained_process_host_attribute_mask=0 +retained_process_service_attribute_mask=0 + +# These two masks determine what contact attributes are not retained. +# There are two masks, because some contact attributes have host and +# service options. For example, you can disable host notifications for +# a contact, but leave service notifications enabled for them. +retained_contact_host_attribute_mask=0 +retained_contact_service_attribute_mask=0 + + + +# INTERVAL LENGTH +# This is the seconds per unit interval as used in the +# host/contact/service configuration files. Setting this to 60 means +# that each interval is one minute long (60 seconds). Other settings +# have not been tested much, so your mileage is likely to vary... + +interval_length=60 + + + +# AGGRESSIVE HOST CHECKING OPTION +# If you don't want to turn on aggressive host checking features, set +# this value to 0 (the default). Otherwise set this value to 1 to +# enable the aggressive check option. Read the docs for more info +# on what aggressive host check is or check out the source code in +# base/checks.c + +use_aggressive_host_checking=0 + + + +# SERVICE CHECK EXECUTION OPTION +# This determines whether or not Icinga will actively execute +# service checks when it initially starts. If this option is +# disabled, checks are not actively made, but Icinga can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of service checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_service_checks=1 + + + +# PASSIVE SERVICE CHECK ACCEPTANCE OPTION +# This determines whether or not Icinga will accept passive +# service checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_service_checks=1 + + + +# HOST CHECK EXECUTION OPTION +# This determines whether or not Icinga will actively execute +# host checks when it initially starts. If this option is +# disabled, checks are not actively made, but Icinga can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of host checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_host_checks=1 + + + +# PASSIVE HOST CHECK ACCEPTANCE OPTION +# This determines whether or not Icinga will accept passive +# host checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_host_checks=1 + + + +# NOTIFICATIONS OPTION +# This determines whether or not Icinga will sent out any host or +# service notifications when it is initially (re)started. +# Values: 1 = enable notifications, 0 = disable notifications + +enable_notifications=1 + + + +# EVENT HANDLER USE OPTION +# This determines whether or not Icinga will run any host or +# service event handlers when it is initially (re)started. Unless +# you're implementing redundant hosts, leave this option enabled. +# Values: 1 = enable event handlers, 0 = disable event handlers + +enable_event_handlers=1 + + + +# STATE BASED ESCALATION RANGES !!!Experimental!!! +# This option allows you to enable state based escalation ranges which +# will allow a more detailed granularity on when an escalation notification +# may happen, adding a filter based on the current host or service state +# when checking the escalation for notification viability. +# This is a behavioural change to the default, and therefore intentionally +# disabled. Enable at your own risk, as this remains an experimental feature. +# Values: 1 = enable state based escalation ranges, +# 0 = disable state based escalation ranges + +#enable_state_based_escalation_ranges=0 + + + +# PROCESS PERFORMANCE DATA OPTION +# This determines whether or not Icinga will process performance +# data returned from service and host checks. If this option is +# enabled, host performance data will be processed using the +# host_perfdata_command (defined below) and service performance +# data will be processed using the service_perfdata_command (also +# defined below). Read the HTML docs for more information on +# performance data. +# Values: 1 = process performance data, 0 = do not process performance data + +process_performance_data=0 + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS +# These commands are run after every host and service check is +# performed. These commands are executed only if the +# process_performance_data option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on performance data. + +#host_perfdata_command=process-host-perfdata +#service_perfdata_command=process-service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILES +# These files are used to store host and service performance data. +# Performance data is only written to these files if the +# process_performance_data option (above) is set to 1. + +#host_perfdata_file=/tmp/host-perfdata +#service_perfdata_file=/tmp/service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES +# These options determine what data is written (and how) to the +# performance data files. The templates may contain macros, special +# characters (\t for tab, \r for carriage return, \n for newline) +# and plain text. A newline is automatically added after each write +# to the performance data file. Some examples of what you can do are +# shown below. + +#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ +#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ + + + +# HOST AND SERVICE PERFORMANCE DATA FILE MODES +# This option determines whether or not the host and service +# performance data files are opened in write ("w") or append ("a") +# mode. If you want to use named pipes, you should use the special +# pipe ("p") mode which avoid blocking at startup, otherwise you will +# likely want the defult append ("a") mode. + +#host_perfdata_file_mode=a +#service_perfdata_file_mode=a + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL +# These options determine how often (in seconds) the host and service +# performance data files are processed using the commands defined +# below. A value of 0 indicates the files should not be periodically +# processed. + +#host_perfdata_file_processing_interval=0 +#service_perfdata_file_processing_interval=0 + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS +# These commands are used to periodically process the host and +# service performance data files. The interval at which the +# processing occurs is determined by the options above. + +#host_perfdata_file_processing_command=process-host-perfdata-file +#service_perfdata_file_processing_command=process-service-perfdata-file + + +# HOST AND SERVICE PERFORMANCE DATA PROCESS EMPTY RESULTS +# THese options determine wether the core will process empty perfdata +# results or not. This is needed for distributed monitoring, and intentionally +# turned on by default. +# If you don't require empty perfdata - saving some cpu cycles +# on unwanted macro calculation - you can turn that off. Be careful! +# Values: 1 = enable, 0 = disable + +#host_perfdata_process_empty_results=1 +#service_perfdata_process_empty_results=1 + + + +# ALLOW EMPTY HOSTGROUP ASSIGMENT FOR SERVICES +# This boolean option determines whether services assigned to empty +# host groups (host groups with no host members) will cause Icinga to +# exit with error on start up (or during a configuration check) or not. +# It's useful to be able to assign services to empty hostgroups when +# configuration files or pre-cached object files are distributed to +# various pollers, or when the process of generating Icinga config is +# automated, or when a set of services is slowly being phased out but +# should be kept around. +# The default behavior if the option is not present in the main +# configuration file is for Icinga to exit with error if services are +# associated with host groups that have no hosts associated with them. + +#allow_empty_hostgroup_assignment=0 + + + +# OBSESS OVER SERVICE CHECKS OPTION +# This determines whether or not Icinga will obsess over service +# checks and run the ocsp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over services, 0 = do not obsess (default) + +obsess_over_services=0 + + + +# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND +# This is the command that is run for every service check that is +# processed by Icinga. This command is executed only if the +# obsess_over_services option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ocsp_command=somecommand + + + +# OBSESS OVER HOST CHECKS OPTION +# This determines whether or not Icinga will obsess over host +# checks and run the ochp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over hosts, 0 = do not obsess (default) + +obsess_over_hosts=0 + + + +# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND +# This is the command that is run for every host check that is +# processed by Icinga. This command is executed only if the +# obsess_over_hosts option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ochp_command=somecommand + + + +# TRANSLATE PASSIVE HOST CHECKS OPTION +# This determines whether or not Icinga will translate +# DOWN/UNREACHABLE passive host check results into their proper +# state for this instance of Icinga. This option is useful +# if you have distributed or failover monitoring setup. In +# these cases your other Icinga servers probably have a different +# "view" of the network, with regards to the parent/child relationship +# of hosts. If a distributed monitoring server thinks a host +# is DOWN, it may actually be UNREACHABLE from the point of +# this Icinga instance. Enabling this option will tell Icinga +# to translate any DOWN or UNREACHABLE host states it receives +# passively into the correct state from the view of this server. +# Values: 1 = perform translation, 0 = do not translate (default) + +translate_passive_host_checks=0 + + + +# PASSIVE HOST CHECKS ARE SOFT OPTION +# This determines whether or not Icinga will treat passive host +# checks as being HARD or SOFT. By default, a passive host check +# result will put a host into a HARD state type. This can be changed +# by enabling this option. +# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT + +passive_host_checks_are_soft=0 + + + +# ORPHANED HOST/SERVICE CHECK OPTIONS +# These options determine whether or not Icinga will periodically +# check for orphaned host service checks. Since service checks are +# not rescheduled until the results of their previous execution +# instance are processed, there exists a possibility that some +# checks may never get rescheduled. A similar situation exists for +# host checks, although the exact scheduling details differ a bit +# from service checks. Orphaned checks seem to be a rare +# problem and should not happen under normal circumstances. +# If you have problems with service checks never getting +# rescheduled, make sure you have orphaned service checks enabled. +# Values: 1 = enable checks, 0 = disable checks + +check_for_orphaned_services=1 +check_for_orphaned_hosts=1 + + + +# SERVICE CHECK TIMEOUT STATE +# This setting determines the state Icinga will report when a +# service check times out meaning it does not respond within +# service_check_timeout seconds. The default is set to Unknown +# and not Critical. +# Valid settings are: +# c - Critical +# u - Unknown (default) +# w - Warning +# o - OK + +service_check_timeout_state=u + + + +# SERVICE FRESHNESS CHECK OPTION +# This option determines whether or not Icinga will periodically +# check the "freshness" of service results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_service_freshness=1 + + + +# SERVICE FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Icinga will +# check the "freshness" of service check results. If you have +# disabled service freshness checking, this option has no effect. + +service_freshness_check_interval=60 + + + +# HOST FRESHNESS CHECK OPTION +# This option determines whether or not Icinga will periodically +# check the "freshness" of host results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_host_freshness=0 + + + +# HOST FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Icinga will +# check the "freshness" of host check results. If you have +# disabled host freshness checking, this option has no effect. + +host_freshness_check_interval=60 + + + + +# ADDITIONAL FRESHNESS THRESHOLD LATENCY +# This setting determines the number of seconds that Icinga +# will add to any host and service freshness thresholds that +# it calculates (those not explicitly specified by the user). + +additional_freshness_latency=15 + + + + +# FLAP DETECTION OPTION +# This option determines whether or not Icinga will try +# and detect hosts and services that are "flapping". +# Flapping occurs when a host or service changes between +# states too frequently. When Icinga detects that a +# host or service is flapping, it will temporarily suppress +# notifications for that host/service until it stops +# flapping. Flap detection is very experimental, so read +# the HTML documentation before enabling this feature! +# Values: 1 = enable flap detection +# 0 = disable flap detection (default) + +enable_flap_detection=1 + + + +# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES +# Read the HTML documentation on flap detection for +# an explanation of what this option does. This option +# has no effect if flap detection is disabled. + +low_service_flap_threshold=5.0 +high_service_flap_threshold=20.0 +low_host_flap_threshold=5.0 +high_host_flap_threshold=20.0 + + + +# DATE FORMAT OPTION +# This option determines how short dates are displayed. Valid options +# include: +# us (MM-DD-YYYY HH:MM:SS) +# euro (DD-MM-YYYY HH:MM:SS) +# iso8601 (YYYY-MM-DD HH:MM:SS) +# strict-iso8601 (YYYY-MM-DDTHH:MM:SS) +# + +date_format=iso8601 + + + + +# TIMEZONE OFFSET +# This option is used to override the default timezone that this +# instance of Icinga runs in. If not specified, Icinga will use +# the system configured timezone. +# +# NOTE: In order to display the correct timezone in the CGIs, you +# will also need to alter the Apache directives for the CGI path +# to include your timezone. Example: +# +# +# SetEnv TZ "Australia/Brisbane" +# ... +# + +#use_timezone=US/Mountain +#use_timezone=Australia/Brisbane + + + + +# P1.PL FILE LOCATION +# This value determines where the p1.pl perl script (used by the +# embedded Perl interpreter) is located. If you didn't compile +# Icinga with embedded Perl support, this option has no effect. + +p1_file=/usr/lib/icinga/p1.pl + + + +# EMBEDDED PERL INTERPRETER OPTION +# This option determines whether or not the embedded Perl interpreter +# will be enabled during runtime. This option has no effect if Icinga +# has not been compiled with support for embedded Perl. +# This option is intentionally disabled by default, because embedded +# perl can cause memory leaks and make Icinga unstable if not properly +# used. +# Only enable this setting when you really know what you are doing! +# Values: 0 = disable interpreter, 1 = enable interpreter + +enable_embedded_perl=1 + + + +# EMBEDDED PERL USAGE OPTION +# This option determines whether or not Icinga will process Perl plugins +# and scripts with the embedded Perl interpreter if the plugins/scripts +# do not explicitly indicate whether or not it is okay to do so. Read +# the HTML documentation on the embedded Perl interpreter for more +# information on how this option works. + +use_embedded_perl_implicitly=1 + + + +# EVENT HANDLERS FOR STALKED HOSTS/SERVICES +# Allow running event handlers for stalked hosts/services in order +# to forward to external systems. +# Values: 0 = disabled (default), 1 = enabled + +stalking_event_handlers_for_hosts=0 +stalking_event_handlers_for_services=0 + + + +# NOTIFICATIONS FOR STALKED HOSTS/SERVICES +# Allow notifications for stalked hosts/services globally +# for all contacts in order to notify about a stalking +# alert. +# Values: 0 = disabled (default), 1 = enabled + +stalking_notifications_for_hosts=0 +stalking_notifications_for_services=0 + + + +# ILLEGAL OBJECT NAME CHARACTERS +# This option allows you to specify illegal characters that cannot +# be used in host names, service descriptions, or names of other +# object types. + +illegal_object_name_chars=`~!$%^&*|'"<>?,()= + + + +# ILLEGAL MACRO OUTPUT CHARACTERS +# This option allows you to specify illegal characters that are +# stripped from macros before being used in notifications, event +# handlers, etc. This DOES NOT affect macros used in service or +# host check commands. +# The following macros are stripped of the characters you specify: +# $HOSTOUTPUT$ +# $HOSTPERFDATA$ +# $HOSTACKAUTHOR$ +# $HOSTACKCOMMENT$ +# $SERVICEOUTPUT$ +# $SERVICEPERFDATA$ +# $SERVICEACKAUTHOR$ +# $SERVICEACKCOMMENT$ + +illegal_macro_output_chars=`~$&|'"<> + + + +# KEEP UNKNOWN MACROS +# This option can be used to keep unknown macros within the output. +# e.g. check_proc -C $foo$ will remain. +# This was the default in versions older than Icinga 1.8, but now +# the default is to remove those macros from the output, causing +# the shell to interpret $foo and leaving a single $ there. See +# #2291 for further information. +# Make sure to escape single dollar signs with another '$', as the +# docs describe. Other than that, enable this setting to revert to +# the old behaviour. + +keep_unknown_macros=1 + + + +# REGULAR EXPRESSION MATCHING +# This option controls whether or not regular expression matching +# takes place in the object config files. Regular expression +# matching is used to match host, hostgroup, service, and service +# group names/descriptions in some fields of various object types. +# Values: 1 = enable regexp matching, 0 = disable regexp matching + +use_regexp_matching=0 + + + +# "TRUE" REGULAR EXPRESSION MATCHING +# This option controls whether or not "true" regular expression +# matching takes place in the object config files. This option +# only has an effect if regular expression matching is enabled +# (see above). If this option is DISABLED, regular expression +# matching only occurs if a string contains wildcard characters +# (* and ?). If the option is ENABLED, regexp matching occurs +# all the time (which can be annoying). +# Values: 1 = enable true matching, 0 = disable true matching + +use_true_regexp_matching=0 + + + +# ADMINISTRATOR EMAIL/PAGER ADDRESSES +# The email and pager address of a global administrator (likely you). +# Icinga never uses these values itself, but you can access them by +# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification +# commands. + +admin_email=root@localhost +admin_pager=pageroot@localhost + + + +# DAEMON CORE DUMP OPTION +# This option determines whether or not Icinga is allowed to create +# a core dump when it runs as a daemon. Note that it is generally +# considered bad form to allow this, but it may be useful for +# debugging purposes. Enabling this option doesn't guarantee that +# a core file will be produced, but that's just life... +# Values: 1 - Allow core dumps +# 0 - Do not allow core dumps (default) + +daemon_dumps_core=0 + + + +# LARGE INSTALLATION TWEAKS OPTION +# This option determines whether or not Icinga will take some shortcuts +# which can save on memory and CPU usage in large Icinga installations. +# Read the documentation for more information on the benefits/tradeoffs +# of enabling this option. +# Values: 1 - Enabled tweaks +# 0 - Disable tweaks (default) + +use_large_installation_tweaks=0 + + + +# ENABLE ENVIRONMENT MACROS +# This option determines whether or not Icinga will make all standard +# macros available as environment variables when host/service checks +# and system commands (event handlers, notifications, etc.) are +# executed. Enabling this option can cause performance issues in +# large installations, as it will consume a bit more memory and (more +# importantly) consume more CPU. +# Keep in mind that various addons/plugins will require this setting +# to be enabled (e.g. check_oracle_health) for special usage. +# Values: 1 - Enable environment variable macros +# 0 - Disable environment variable macros (default) + +enable_environment_macros=1 + + + +# CHILD PROCESS MEMORY OPTION +# This option determines whether or not Icinga will free memory in +# child processes (processed used to execute system commands and host/ +# service checks). If you specify a value here, it will override +# program defaults. +# Value: 1 - Free memory in child processes +# 0 - Do not free memory in child processes + +#free_child_process_memory=1 + + + +# CHILD PROCESS FORKING BEHAVIOR +# This option determines how Icinga will fork child processes +# (used to execute system commands and host/service checks). Normally +# child processes are fork()ed twice, which provides a very high level +# of isolation from problems. Fork()ing once is probably enough and will +# save a great deal on CPU usage (in large installs), so you might +# want to consider using this. If you specify a value here, it will +# program defaults. +# Value: 1 - Child processes fork() twice +# 0 - Child processes fork() just once + +#child_processes_fork_twice=1 + + + +# DEBUG LEVEL +# This option determines how much (if any) debugging information will +# be written to the debug file. OR values together to log multiple +# types of information. +# Values: +# -1 = Everything +# 0 = Nothing +# 1 = Functions +# 2 = Configuration +# 4 = Process information +# 8 = Scheduled events +# 16 = Host/service checks +# 32 = Notifications +# 64 = Event broker +# 128 = External commands +# 256 = Commands +# 512 = Scheduled downtime +# 1024 = Comments +# 2048 = Macros + +debug_level=0 + + + +# DEBUG VERBOSITY +# This option determines how verbose the debug log out will be. +# Values: 0 = Brief output +# 1 = More detailed +# 2 = Very detailed + +debug_verbosity=2 + + + +# DEBUG FILE +# This option determines where Icinga should write debugging information. + +debug_file=/var/log/icinga/icinga.debug + + + +# MAX DEBUG FILE SIZE +# This option determines the maximum size (in bytes) of the debug file. If +# the file grows larger than this size, it will be renamed with a .old +# extension. If a file already exists with a .old extension it will +# automatically be deleted. This helps ensure your disk space usage doesn't +# get out of control when debugging Icinga. + +# 100M +max_debug_file_size=100000000 diff --git a/roles/icinga/files/icinga.conf b/roles/icinga/files/icinga.conf new file mode 100644 index 0000000..e19a486 --- /dev/null +++ b/roles/icinga/files/icinga.conf @@ -0,0 +1,27 @@ +# apache configuration for icinga + +ScriptAlias /cgi-bin/icinga /usr/lib/cgi-bin/icinga + +# Where the stylesheets (config files) reside +Alias /icinga/stylesheets /etc/icinga/stylesheets + +# Where the HTML pages live +Alias /icinga /usr/share/icinga/htdocs + + + Options FollowSymLinks + + DirectoryIndex index.html + + AllowOverride AuthConfig +# Require all granted + + AuthName "Icinga Access" + AuthType Basic + AuthUserFile /etc/icinga/htpasswd.users + Require valid-user + + + + Options FollowSymLinks MultiViews + diff --git a/roles/icinga/files/nt.cfg b/roles/icinga/files/nt.cfg new file mode 100644 index 0000000..fcae576 --- /dev/null +++ b/roles/icinga/files/nt.cfg @@ -0,0 +1,15 @@ +# If you are confused about this command definition, cause you was +# reading other suggestions, please have a look into +# /usr/share/doc/monitoring-plugins/README.Debian + +# 'check_nt' command definition +#define command { +# command_name check_nt +# command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -v '$ARG1$' +#} + +# 'check_nscp' command definition +define command { + command_name check_nscp + command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -p 12489 -v '$ARG1$' +} diff --git a/roles/icinga/files/services_icinga.cfg b/roles/icinga/files/services_icinga.cfg new file mode 100644 index 0000000..4ea25d8 --- /dev/null +++ b/roles/icinga/files/services_icinga.cfg @@ -0,0 +1,106 @@ +define service { + hostgroup_name http-servers + service_description HTTP + check_command check_http + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service { + hostgroup_name ssh-servers + service_description SSH + check_command check_ssh + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Espace disque + check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Charge machine + check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2 + } + +define service{ + use generic-service + hostgroup_name localhost + service_description Charge machine + check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description RAM + check_command check_snmp_mem!public!--v2c!-N!95,60!99,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Version NSClient++ + check_command check_nt!CLIENTVERSION +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Charge CPU + check_command check_nt!CPULOAD!-l 5,80,90,15,80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Uptime + check_command check_nt!UPTIME +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Mem Use + check_command check_nt!MEMUSE!80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Disk Space + check_command check_nt!USEDDISKSPACE!-l C!10,5 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Service DNS + check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS" +} + +define service{ + use generic-service + hostgroup_name uptimegrp + service_description Uptime + check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0 +} + +define service{ + use generic-service + hostgroup_name dns-servers + service_description DNS Ext + check_command check_dns +} + +#define service{ +# use generic-service +# hostgroup_name dhcp-servers +# service_description Service DHCP +# check_command check_dhcp +#} diff --git a/roles/icinga/handlers/main.yml b/roles/icinga/handlers/main.yml new file mode 100644 index 0000000..721651e --- /dev/null +++ b/roles/icinga/handlers/main.yml @@ -0,0 +1,12 @@ +--- + - name: restart icinga + service: name=icinga state=restarted + + - name: stop icinga + service: name=icinga state=stopped + + - name: start icinga + service: name=icinga state=started + + - name: restart apache + service: name=apache2 state=restarted diff --git a/roles/icinga/tasks/main.yml b/roles/icinga/tasks/main.yml new file mode 100644 index 0000000..84a2a8f --- /dev/null +++ b/roles/icinga/tasks/main.yml @@ -0,0 +1,124 @@ +--- +- name: Installation apache2 + apt: + name: + - apache2 + - snmp + - icinga + - nagios-snmp-plugins + - python3-passlib + state: present + +- name: Copie de fichier icinga.conf pour apache + copy: src=icinga.conf dest=/etc/apache2/sites-enabled/ + notify: + - restart icinga + +- name: Copier le fichier commands.cfg pour icinga + copy: src=commands.cfg dest=/etc/icinga/ + notify: + - restart icinga + +- name: Commente la ligne qui pose problème dans nt.cfg + copy: src=nt.cfg dest=/etc/nagios-plugins/config/ + notify: + - restart icinga + +- name: macro pour test hdd + replace: + dest: /etc/icinga/icinga.cfg + regexp: 'keep_unknown_macros=0' + replace: 'keep_unknown_macros=1' + backup : yes + notify: + - restart icinga + +- name: python3 par defaut + alternatives: + link: /usr/bin/python + name: python + path: /usr/bin/python3 + priority: 10 + +- name: Changement de mot de passe de icingaadmin + htpasswd: + path: /etc/icinga/htpasswd.users + name: icingaadmin + password: root + + +- name: Copie du fichier contact + copy: src=contacts_icinga.cfg dest=/etc/icinga/objects + +- name: Copie du fichier s-infra s-proxy s-adm r-int r-ext srv-2012 gwsio2 s-test hostgroup + synchronize: + src: cfg/ + dest: /etc/icinga/objects + notify: + - restart icinga + +- name: attribution des droits dossier icinga + file: + path: /var/lib/icinga + owner: nagios + mode: 751 + recurse: yes + notify: + - restart icinga + +- name: attribution des droits dossier icinga rw + file: + path: /var/lib/icinga/rw + owner: nagios + mode: 2710 + recurse: yes + notify: + - restart icinga + +- name: activation des commandes externes + replace: + dest: /etc/icinga/icinga.cfg + regexp: 'check_external_commands=0' + replace: 'check_external_commands=1' + notify: + - restart icinga + +- name: reconfiguration des droits avec dpkg statoverride + shell: dpkg-statoverride --update --force-all --add nagios www-data 2710 /var/lib/icinga/rw + +- name: reconfiguration des droits avec dpkg statoverride + shell: dpkg-statoverride --update --force-all --add nagios nagios 751 /var/lib/icinga + +- name: suppression de checkresults + file: + path: /var/lib/icinga/spool/checkresults + state: absent + +- name: creation du dossier checkresults avec droits de lecture + file: + path: /var/lib/icinga/spool/checkresults + state: directory + owner: nagios + group: root + mode: '755' + + #- name: Changement droit notif + # shell: chmod 644 /var/log/icinga/icinga.log + + +#- name: copie dns.cfg +# copy: remote_src=true src=dns.cfg dest=/etc/nagios-plugins/config + + #- name: copie check traffic + # copy: src=check_iftraffic3.pl dest=/usr/lib/nagios/plugins + + #- name: modif des droits plugin traffic + # shell: chmod 755 /usr/lib/nagios/plugins/check_iftraffic3.pl + +- name: message d'information + debug: msg="Pour superviser le Windows, il faut installer NSClient++" + +- name: redemarrage apache + service: + name: apache2 + state: restarted diff --git a/roles/itil/README.md b/roles/itil/README.md new file mode 100644 index 0000000..23e7397 --- /dev/null +++ b/roles/itil/README.md @@ -0,0 +1,60 @@ +## Comment marche le rôle + +Le rôle installe un serveur GLPI fonctionnant graĉe à php et à nginx. +Ce rôle permet aussi d'installer FusionInventory sur glpi. +Le rôle permet aussi de sauvegarde la BDD de glpi. + +## Comment utiliser GLPI + +Après le pull-config, aller sur une machine du réseau n-user et aller sur http://s-itil/install/install.php +Puis lancer l'installation, les paramètres sql à fournir sont : +serveur : localhost +utilisateur : glpi +mot de passe : glpi +Selectionner la base glpi +Ne pas envoyer de statistique d'usage + +## Fusion Inventory : + +Installer le plugin dans Configuration > Plugins +Activer le plugin +Pour que la remonter de l'agent se fasse, il faut ajouter une crontab (crontab -e) sur s-itil : * * * * * /usr/bin/php7.4 /var/www/glpi/front/cron.php &>/dev/null +Puis éxécuter le tasksheduler dans Configuration > Actions automatiques > taskscheduler + +Pour l'agent Windows, récuperer l'agent sur http://s-itil/ficlients +Il faut faire une installation à parti de 0 +Selectionner comme type d'installation complète +Dans le mode serveur mettre l'url : http://s-itil/plugins/fusioninventory et cocher la case installation rapide + +Pour l'agent Debian il faut installer le paquet fusioninventory-agent +Ajouter la ligne server = http://s-itil/plugins/fusioninventory dans le fichier /etc/fusioninventory/agent.cfg +Redemarrer le service fusioninventory-agent puis faite un reload +Exécuter la commande pkill -USR1 -f -P 1 fusioninventory-agent + +## Postfix : + +Aller dans Configuration > Notification, activer le suivi et les notification +Aller dans Configuration des notifications par courriels +Mettre l'adresse mail de supervision dans : Courriel de l'administrateur, Courriel expéditeur et comme adresse de réponse +Le mode d'envoie des courriels est SMTP +l'hôte SMTP est localhost +## LDAP : + +Aller dans Configuration > Authentification > Annuaires LDAP. +Ajouter un serveur en cliquant sur le + +Remplisser les cases: +Nom : s-win +Serveur par défaut : oui +Actif : oui +Serveur : s-win.gsb.lan +Filtre de connexion : (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) +BaseDN : DC=gsb,DC=lan +DN du compte : GSB\Administrateur +Mot de passe : Azerty1+ +Champ de l'identifiant : samaccountname + +Pour importer les utilisateurs allez dans Administration > Utilisateur > Liaison annuaire LDAP > Importation de nouveau utilisateurs +Appuyer sur rechercher +Puis sélectionner les utilisateurs afficher, allez dans action et sélectionnez importer. + + diff --git a/roles/itil/defaults/main.yml b/roles/itil/defaults/main.yml new file mode 100644 index 0000000..9d0e586 --- /dev/null +++ b/roles/itil/defaults/main.yml @@ -0,0 +1,5 @@ +depl_url: "http://s-adm.gsb.adm/gsbstore" +depl_glpi: "glpi-9.5.6.tgz" +depl_fusioninventory: "fusioninventory-9.5+3.0.tar.bz2" +depl_fusioninventory_agentx64: "fusioninventory-agent_windows-x64_2.6.exe" +depl_fusioninventory_agentx86: "fusioninventory-agent_windows-x86_2.6.exe" diff --git a/roles/itil/files/.my.cnf b/roles/itil/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/itil/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/itil/files/dbdump b/roles/itil/files/dbdump new file mode 100644 index 0000000..f892580 --- /dev/null +++ b/roles/itil/files/dbdump @@ -0,0 +1,4 @@ +#!/bin/sh +chm="/var/www/html/glpi/files/_dumps" +# Dump base GLPI +mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz diff --git a/roles/itil/files/glpi.conf b/roles/itil/files/glpi.conf new file mode 100644 index 0000000..4c37222 --- /dev/null +++ b/roles/itil/files/glpi.conf @@ -0,0 +1,12 @@ +DocumentRoot /var/www/glpi + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + AuthType Basic + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined + CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined + ErrorLog ${APACHE_LOG_DIR}/glpi_error.log diff --git a/roles/itil/handlers/main.yml b/roles/itil/handlers/main.yml new file mode 100644 index 0000000..2d5614c --- /dev/null +++ b/roles/itil/handlers/main.yml @@ -0,0 +1,9 @@ +--- + - name: restart php-fpm + service: name=php7.0-fpm state=restarted + + - name: restart nginx + service: name=nginx state=restarted + + - name: restart mariadb-server + service: name=mariadb-server state=restarted diff --git a/roles/itil/tasks/main.yml b/roles/itil/tasks/main.yml new file mode 100644 index 0000000..fe619d5 --- /dev/null +++ b/roles/itil/tasks/main.yml @@ -0,0 +1,160 @@ +--- + - name: Installation des paquets + apt: + state: latest + name: + - nginx + - php-fpm + - php-mbstring + - php-mysql + - php-gd + - php-curl + - php-xml + - php-apcu + - php-ldap + - php-imap + - php-xmlrpc + - php-cas + - python3-mysqldb + - mariadb-server + - python3-pymysql + - php-intl + - php-bz2 + - php-zip + - postfix + - mailutils + + - name: Changement listen dans le fichier conf de php7.3 + replace: + dest: /etc/php/7.4/fpm/pool.d/www.conf + regexp: 'listen = /run/php/php7.4-fpm.sock' + replace: 'listen = 127.0.0.1:9000' + backup: yes + + - name: Effacement block nginx default + file: + path: /etc/nginx/sites-enabled/default + state: absent + + - name: Creation fichier block nginx + template: + src: block.j2 + dest: /etc/nginx/sites-enabled/glpi + + - name: Remplacement dans le fichier de conf php du timeout + replace: + dest: /etc/php/7.4/fpm/php.ini + regexp: 'max_execution_time = 30' + replace: 'max_execution_time = 600' + backup: yes + + notify: + - restart nginx + + - name: Creation de la base de donnee mysql + mysql_db: + name: "{{ glpi_dbname }}" + state: present + login_unix_socket: /var/run/mysqld/mysqld.sock + + - name: Creation de l'utilisateur mysql avec tous les privileges + mysql_user: + name: "{{ glpi_dbuser }}" + password: "{{ glpi_dbpasswd }}" + priv: "*.*:ALL,GRANT" + login_unix_socket: /var/run/mysqld/mysqld.sock + with_items: + - 127.0.0.1 +# - ::1 +# - localhost + + - name: Creation du repertoire {{ glpi_dir }} + file: + path: "{{ glpi_dir }}" + state: directory + owner: www-data + group: www-data + + - name: Installation de GLPI + unarchive: + src: "{{ depl_url }}/{{ depl_glpi }}" + dest: /var/www/html + remote_src: yes + owner: www-data + group: www-data + + - name: Changement des attributs {{ glpi_dir }} + file: + path: "{{ glpi_dir }}" + owner: www-data + group: www-data + mode: 0755 + recurse: yes + + - name: Changement des attributs {{ glpi_dir }}/plugins + file: + path: "{{ glpi_dir }}/plugins" + mode: 0777 + owner: www-data + group: www-data + recurse: yes + +# - name: Attribution des permissions +# shell: chown -R www-data:www-data /var/www/html/glpi/ + +# - name: copy .my.cnf file with root password credentials +# copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600 + + - name: Installation de Fusioninventory pour Linux + unarchive: + src: "{{ depl_url }}/{{ depl_fusioninventory }}" + #src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2 + dest: /var/www/html/glpi/plugins + remote_src: yes + + - name: Creation de ficlient + file: + path: /var/www/html/ficlients + state: directory + owner: www-data + group: www-data + mode: 0775 + + - name: Attribution des droits nginx.index + file: + path: /var/www/html/index.nginx-debian.html + owner: www-data + group: www-data + mode: 0775 + + - name: Installation de FusionInventory windows x64 + get_url: + url: "{{ depl_url }}/{{ depl_fusioninventory_agentx64 }}" + dest: "/var/www/html/ficlients" + + - name: Installation de FusionInventory windows x86 + get_url: + url: "{{ depl_url }}/{{ depl_fusioninventory_agentx86 }}" + dest: "/var/www/html/ficlients" + + - name: Attribution des permissions sur repertoire /plugins/fusioninventory + file: + path: /var/www/html/glpi/plugins/fusioninventory + owner: www-data + group: www-data + recurse: yes + state: directory + + - name: Copie du script dbdump + copy: + src: dbdump + dest: /root/ + + - name: chmod de dbdump + shell: chmod +x /root/dbdump + + - debug: + msg: "Redemarrez le serveur GLPI" + + - debug: + msg: "L'utilisateur mysql:ID:glpi et MDP:glpi" diff --git a/roles/itil/templates/block.j2 b/roles/itil/templates/block.j2 new file mode 100644 index 0000000..0cec4f7 --- /dev/null +++ b/roles/itil/templates/block.j2 @@ -0,0 +1,23 @@ +server { + listen 80 default_server; + root {{ glpi_dir }}; + index index.php; + server_name localhost; + + location / {try_files $uri $uri/ index.php;} + + #prise en charge PHP + location ~ \.php$ { + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_param SERVER_NAME $host; + } + + location /ficlients { + root /var/www/html; + autoindex on; + } +} diff --git a/roles/local-store/files/getall-2021 b/roles/local-store/files/getall-2021 new file mode 100644 index 0000000..c2f3226 --- /dev/null +++ b/roles/local-store/files/getall-2021 @@ -0,0 +1,25 @@ +#!/bin/bash +GLPIREL=9.5.3 +wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz + +FIREL=9.5+1.0 +#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz +#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 +wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 + +FIAGREL=2.6 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe + +FOGREL=1.5.9 +wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz +#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz + +#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz +wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz + +GOSSVER=v0.3.16 +curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss +chmod +x goss + diff --git a/roles/local-store/files/getall-latest b/roles/local-store/files/getall-latest new file mode 100644 index 0000000..c2f3226 --- /dev/null +++ b/roles/local-store/files/getall-latest @@ -0,0 +1,25 @@ +#!/bin/bash +GLPIREL=9.5.3 +wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz + +FIREL=9.5+1.0 +#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz +#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 +wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 + +FIAGREL=2.6 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe + +FOGREL=1.5.9 +wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz +#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz + +#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz +wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz + +GOSSVER=v0.3.16 +curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss +chmod +x goss + diff --git a/roles/local-store/tasks/main.yml b/roles/local-store/tasks/main.yml new file mode 100644 index 0000000..1dc1ae9 --- /dev/null +++ b/roles/local-store/tasks/main.yml @@ -0,0 +1,18 @@ +--- + +- name: Installation bind9 + file: + path: /var/www/html/gsbstore/ + state: directory + mode: '0755' + +- name: Copie getall-latest + copy: + src: getall-latest + dest: /var/www/html/gsbstore + +- name: Copie getall-2021 + copy: + src: getall-2021 + dest: /var/www/html/gsbstore + diff --git a/roles/mariadb-ab/README.md b/roles/mariadb-ab/README.md new file mode 100644 index 0000000..7c52ca0 --- /dev/null +++ b/roles/mariadb-ab/README.md @@ -0,0 +1,4 @@ +##Installation de s-lb-bd + +Ce rôle installe mariadb avec python puis créer une base de données wordpress accessible depuis le réseau 192.168.102.0/24. + diff --git a/roles/mariadb-ab/_travis.yml b/roles/mariadb-ab/_travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/mariadb-ab/_travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/mariadb-ab/defaults/main.yml b/roles/mariadb-ab/defaults/main.yml new file mode 100644 index 0000000..bf0e537 --- /dev/null +++ b/roles/mariadb-ab/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for mariadb diff --git a/roles/mariadb-ab/files/my.cnf b/roles/mariadb-ab/files/my.cnf new file mode 100644 index 0000000..1308652 --- /dev/null +++ b/roles/mariadb-ab/files/my.cnf @@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/mariadb-ab/handlers/main.yml b/roles/mariadb-ab/handlers/main.yml new file mode 100644 index 0000000..49ba9f4 --- /dev/null +++ b/roles/mariadb-ab/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for mariadb diff --git a/roles/mariadb-ab/meta/main.yml b/roles/mariadb-ab/meta/main.yml new file mode 100644 index 0000000..6f81d2b --- /dev/null +++ b/roles/mariadb-ab/meta/main.yml @@ -0,0 +1,232 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! + # + #platforms: + #- name: OpenBSD + # versions: + # - all + # - 5.6 + # - 5.7 + # - 5.8 + # - 5.9 + # - 6.0 + # - 6.1 + # - 6.2 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + # - 24 + # - 25 + # - 26 + #- name: DellOS + # versions: + # - all + # - 10 + # - 6 + # - 9 + #- name: MacOSX + # versions: + # - all + # - 10.10 + # - 10.11 + # - 10.12 + # - 10.7 + # - 10.8 + # - 10.9 + #- name: Synology + # versions: + # - all + # - any + #- name: Junos + # versions: + # - all + # - any + #- name: GenericBSD + # versions: + # - all + # - any + #- name: Void Linux + # versions: + # - all + # - any + #- name: GenericLinux + # versions: + # - all + # - any + #- name: NXOS + # versions: + # - all + # - any + #- name: macOS + # versions: + # - all + # - Sierra + #- name: IOS + # versions: + # - all + # - any + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + # - 2016.03 + # - 2016.09 + #- name: ArchLinux + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 10.3 + # - 11.0 + # - 11.1 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + #- name: Ubuntu + # versions: + # - all + # - artful + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + # - xenial + # - yakkety + # - zesty + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - sid + # - squeeze + # - stretch + # - wheezy + #- name: Alpine + # versions: + # - all + # - any + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + # - 11SP4 + # - 12 + # - 12SP1 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: eos + # versions: + # - all + # - Any + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. \ No newline at end of file diff --git a/roles/mariadb-ab/tasks/main.yml b/roles/mariadb-ab/tasks/main.yml new file mode 100644 index 0000000..9d434fe --- /dev/null +++ b/roles/mariadb-ab/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: Installation des paquets python-mysqldb mariadb-server + apt: + name: + - python3-mysqldb + - mariadb-server + - python3-passlib + - python3-pymysql + state: present + +- name: python3 par defaut + alternatives: + link: /usr/bin/python + name: python + path: /usr/bin/python3 + priority: 10 + +- name: Create mysql database + mysql_db: + name: "{{ maria_dbname }}" + state: present + login_unix_socket: /var/run/mysqld/mysqld.sock + +- name: Creation de l'utilisateur mysql avec tous les privileges + mysql_user: + name: "{{ maria_dbuser }}" + password: "{{ maria_dbpasswd }}" + priv: '*.*:ALL,GRANT' + login_unix_socket: /var/run/mysqld/mysqld.sock + host: 192.168.102.% +# - ::1 +# - localhost + +- name: Copie du fichier my.cnf pour autorises toutes les adresses sur le port 3306 + copy: + src: my.cnf + dest: /etc/mysql/ + +- name: Redemarrage du service mariadb + service: + name: mariadb + state: restarted diff --git a/roles/mariadb-ab/tests/inventory b/roles/mariadb-ab/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/roles/mariadb-ab/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/mariadb-ab/tests/test.yml b/roles/mariadb-ab/tests/test.yml new file mode 100644 index 0000000..ec4a223 --- /dev/null +++ b/roles/mariadb-ab/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - mariadb \ No newline at end of file diff --git a/roles/mariadb-ab/vars/main.yml b/roles/mariadb-ab/vars/main.yml new file mode 100644 index 0000000..618771d --- /dev/null +++ b/roles/mariadb-ab/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for mariadb diff --git a/roles/mariadb/README.md b/roles/mariadb/README.md new file mode 100644 index 0000000..4316917 --- /dev/null +++ b/roles/mariadb/README.md @@ -0,0 +1,4 @@ +##Installation de s-lb-bd + +Ce rôle installe mariadb avec python puis créer une base de données wordpress accessible depuis le réseau 192.168.102.0/24. + diff --git a/roles/mariadb/_travis.yml b/roles/mariadb/_travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/mariadb/_travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml new file mode 100644 index 0000000..bf0e537 --- /dev/null +++ b/roles/mariadb/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for mariadb diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml new file mode 100644 index 0000000..49ba9f4 --- /dev/null +++ b/roles/mariadb/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for mariadb diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml new file mode 100644 index 0000000..6f81d2b --- /dev/null +++ b/roles/mariadb/meta/main.yml @@ -0,0 +1,232 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! + # + #platforms: + #- name: OpenBSD + # versions: + # - all + # - 5.6 + # - 5.7 + # - 5.8 + # - 5.9 + # - 6.0 + # - 6.1 + # - 6.2 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + # - 24 + # - 25 + # - 26 + #- name: DellOS + # versions: + # - all + # - 10 + # - 6 + # - 9 + #- name: MacOSX + # versions: + # - all + # - 10.10 + # - 10.11 + # - 10.12 + # - 10.7 + # - 10.8 + # - 10.9 + #- name: Synology + # versions: + # - all + # - any + #- name: Junos + # versions: + # - all + # - any + #- name: GenericBSD + # versions: + # - all + # - any + #- name: Void Linux + # versions: + # - all + # - any + #- name: GenericLinux + # versions: + # - all + # - any + #- name: NXOS + # versions: + # - all + # - any + #- name: macOS + # versions: + # - all + # - Sierra + #- name: IOS + # versions: + # - all + # - any + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + # - 2016.03 + # - 2016.09 + #- name: ArchLinux + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 10.3 + # - 11.0 + # - 11.1 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + #- name: Ubuntu + # versions: + # - all + # - artful + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + # - xenial + # - yakkety + # - zesty + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - sid + # - squeeze + # - stretch + # - wheezy + #- name: Alpine + # versions: + # - all + # - any + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + # - 11SP4 + # - 12 + # - 12SP1 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: eos + # versions: + # - all + # - Any + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. \ No newline at end of file diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml new file mode 100644 index 0000000..b857b5c --- /dev/null +++ b/roles/mariadb/tasks/main.yml @@ -0,0 +1,15 @@ +--- +# tasks file for mariadb +- name: Installation de python-mysqldb + apt: name=python-mysqldb state=present + +- name: Installation de mariadb-server + apt: name=mariadb-server state=present + +- name: Create mysql database + mysql_db: name={{ maria_dbname }} state=present + +- name: Commenter la ligne + replace: dest=/etc/mysql/mariadb.conf.d/50-server.cnf + regexp='bind-address = 127.0.0.1' + replace='#bind-address = 127.0.0.1' \ No newline at end of file diff --git a/roles/mariadb/tests/inventory b/roles/mariadb/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/roles/mariadb/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/mariadb/tests/test.yml b/roles/mariadb/tests/test.yml new file mode 100644 index 0000000..ec4a223 --- /dev/null +++ b/roles/mariadb/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - mariadb \ No newline at end of file diff --git a/roles/mariadb/vars/main.yml b/roles/mariadb/vars/main.yml new file mode 100644 index 0000000..618771d --- /dev/null +++ b/roles/mariadb/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for mariadb diff --git a/roles/mess/files/nslcd.conf b/roles/mess/files/nslcd.conf new file mode 100644 index 0000000..29ea826 --- /dev/null +++ b/roles/mess/files/nslcd.conf @@ -0,0 +1,31 @@ +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +uri ldap://172.16.0.6:389 + +# The search base that will be used for all queries. +base cn=Users,dc=gsb,dc=lan + +# The LDAP protocol version to use. +#ldap_version 3 + +# The DN to bind with for normal lookups. +binddn cn=ncsld-connect,cn=Users,dc=gsb,dc=lan +bindpw secret + +# The DN used for password modifications by root. +#rootpwmoddn cn=admin,dc=example,dc=com + +# SSL options +#ssl off +#tls_reqcert never + +# The search scope. +#scope sub + diff --git a/roles/mess/files/pam_ldap.conf b/roles/mess/files/pam_ldap.conf new file mode 100644 index 0000000..f23a43a --- /dev/null +++ b/roles/mess/files/pam_ldap.conf @@ -0,0 +1,6 @@ +base dc=gsb,dc=lan +binddn cn=nslcd-connect,cn=Users,dc=gsb,dc=lan +bindpw secret +bind_policy soft +uri ldap://172.16.0.6:389/ +ssl no diff --git a/roles/mess/files/slapd.conf b/roles/mess/files/slapd.conf new file mode 100644 index 0000000..4aed8b9 --- /dev/null +++ b/roles/mess/files/slapd.conf @@ -0,0 +1,144 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Features to permit +#allow bind_v2 + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema +include /etc/ldap/schema/mailserver.schema +include /etc/ldap/schema/sudo.schema +include /etc/ldap/schema/samba.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +password-hash {SSHA} + +# Read slapd.conf(5) for possible values +loglevel 256 + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_ldap +moduleload rwm + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +tool-threads 1 + +####################################################################### +# Specific Backend Directives for hdb: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend ldap + + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend + +####################################################################### +# Specific Directives for database #1, of type hdb: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database ldap + +# The base of your directory in database #1 +suffix "dc=gsb,dc=lan" +uri "ldap://172.16.0.6:389" +#directory "/var/lib/ldap" + +# The dbconfig settings are used to generate a DB_CONFIG file the first +# time slapd starts. They do NOT override existing an existing DB_CONFIG +# file. You should therefore change these settings in DB_CONFIG directly +# or remove DB_CONFIG and restart slapd for changes to take effect. + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +#dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. +#dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +#dbconfig set_lk_max_locks 1500 +# Number of lockers +#dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +#index objectClass eq +#index uid eq,sub +#index entryCSN,entryUUID eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. +#checkpoint 512 30 + +# Where to store the replica logs for database #1 +# replogfile /var/lib/ldap/replog + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword + by dn="cn=admin,dc=yunohost,dc=org" write + by anonymous auth + by self write + by * none + +access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn + by dn="cn=admin,dc=yunohost,dc=org" write + by self write + by * read + + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by dn="cn=admin,dc=yunohost,dc=org" write + by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write + by * read + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be hdb too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" diff --git a/roles/mess/handlers/main.yml b/roles/mess/handlers/main.yml new file mode 100644 index 0000000..6ad92ff --- /dev/null +++ b/roles/mess/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart slapd + service: name=slapd state=restarted diff --git a/roles/mess/tasks/main.yml b/roles/mess/tasks/main.yml new file mode 100644 index 0000000..82a7113 --- /dev/null +++ b/roles/mess/tasks/main.yml @@ -0,0 +1,15 @@ +--- +#- name: Installation openLDAP +# apt: name=slapd state=present update_cache=yes + +#- name: Copie du slapd.conf +# copy: src=slapd.conf dest=/etc/openldap + +- name: Copie du nslcd.conf + copy: src=nslcd.conf dest=/etc/ + +- name: Copie du pam_ldap.conf + copy: src=pam_ldap.conf dest=/etc/ + +- name: Recup du depot git + git: repo=https://github.com/YunoHost/install_script dest=/tmp/install_script diff --git a/roles/metricbeat-cli/README.md b/roles/metricbeat-cli/README.md new file mode 100644 index 0000000..224f3d6 --- /dev/null +++ b/roles/metricbeat-cli/README.md @@ -0,0 +1,9 @@ +## Utilisation du rôle metricbeat-cli + +Ce rôle permet d'installer l'agent metricbeat pour le serveur ELK. +Metricbeat sert à faire des statistiques de performances sur les différents serveurs. +Ce rôle fonctionne en faisant : +Une installation de metricbeat, +Une configuration de metricbeat, +Active le module system pour avoir les statistiques d'usages du système sur ELK, +Lance la configuration de metricbeat. diff --git a/roles/metricbeat-cli/files/metricbeat.yml b/roles/metricbeat-cli/files/metricbeat.yml new file mode 100644 index 0000000..72f1878 --- /dev/null +++ b/roles/metricbeat-cli/files/metricbeat.yml @@ -0,0 +1,189 @@ +###################### Metricbeat Configuration Example ####################### + +# This file is an example configuration file highlighting only the most common +# options. The metricbeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/metricbeat/index.html + +# =========================== Modules configuration ============================ + +metricbeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + +# ================================= Dashboards ================================= +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. +#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + host: "s-elk.gsb.lan:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["s-elk.gsb.lan:9200"] + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + username: "elastic" + password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + - add_kubernetes_metadata: ~ + + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publisher", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Metricbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the metricbeat. +#instrumentation: + # Set to true to enable instrumentation of metricbeat. + #enabled: false + + # Environment in which metricbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/roles/metricbeat-cli/handlers/main.yml b/roles/metricbeat-cli/handlers/main.yml new file mode 100644 index 0000000..ee365f2 --- /dev/null +++ b/roles/metricbeat-cli/handlers/main.yml @@ -0,0 +1,5 @@ +- name: start metricbeat + service: + name: metricbeat + state: started + enabled: yes diff --git a/roles/metricbeat-cli/tasks/main.yml b/roles/metricbeat-cli/tasks/main.yml new file mode 100644 index 0000000..be76be8 --- /dev/null +++ b/roles/metricbeat-cli/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: Récupération de metricbeat + get_url: + url: http://s-adm.gsb.adm/gsbstore/metricbeat-7.16.3-amd64.deb + dest: /tmp/ + +- name: Installation de metricbeat + apt: + deb: /tmp/metricbeat-7.16.3-amd64.deb + +- name: Changement du fichier de conf + copy: + src: metricbeat.yml + dest: /etc/metricbeat/metricbeat.yml + +- name: Configuration de metricbeat + shell: metricbeat modules enable system + notify: start metricbeat + +- name: Lancement de la configuration de metricbeat + shell: metricbeat setup -e + notify: start metricbeat + diff --git a/roles/mysql/defaults/main.yml b/roles/mysql/defaults/main.yml new file mode 100644 index 0000000..c6d435b --- /dev/null +++ b/roles/mysql/defaults/main.yml @@ -0,0 +1,4 @@ +--- +wp_mysql_db: wordpress +wp_mysql_user: wp +wp_mysql_password: wp diff --git a/roles/mysql/files/.my.cnf b/roles/mysql/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/mysql/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/mysql/handlers/main.yml b/roles/mysql/handlers/main.yml new file mode 100644 index 0000000..caa5308 --- /dev/null +++ b/roles/mysql/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart mysql-server + service: name=mysql-server state=restarted diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml new file mode 100644 index 0000000..eb11703 --- /dev/null +++ b/roles/mysql/tasks/main.yml @@ -0,0 +1,13 @@ +--- +# - name: Create mysql database +# mysql_db: name={{ wp_mysql_db }} state=present + +# - name: Create mysql user +# mysql_user: +# name={{ wp_mysql_user }} +# password={{ wp_mysql_password }} +# priv=*.*:ALL +# host=localhost + + - name: copy .my.cnf file with root password credentials + copy: src=.my.cnf dest=/root/.my.cnf owner=root mode=0600 diff --git a/roles/nagios/README.md b/roles/nagios/README.md new file mode 100644 index 0000000..864d951 --- /dev/null +++ b/roles/nagios/README.md @@ -0,0 +1,152 @@ +# Rôle nagios +*** +Rôle Nagios pour la supervision des différentes machines + +## Tables des matières + 1. [Que fait le rôle Nagios ?] + 2. [NSClient++] + + +## Que fait le rôle Nagios ? + + +### Installation et configuration de Nagios4 + +Le rôle Nagios va installer apache2 pour le serveur web, snmp pour la supervision, nagios4 qui sera notre outil de supervision, les plugins de nagios4. + +On copie les fichiers pour apache, les commandes de nagios, le fichiers des groupes de machines pour la supervision, le fichier des différents services à superviser, on autorise ensuite l'authentification et on définit le mot de passe. + +Pour l'id de Nagios, c'est "nagiosadmin", à l'adresse "https://s-mon/nagios4". + +``` + +new password: nimda +Retype password: nimda + +``` + +On définit par la suite l'adresse mail de contact pour les notifications par mail, on copie tous les fichiers cfg des machines. + + + +Il faut désormais installer NSClient++ sur la machine s-win pour permettre la supervision des différents services. +Veuillez suivre le tutoriel suivant: + + +## Installation de NSClient++ sur la machine s-win + +En premier lieu, installer Mozilla Firefox via Internet Explorer. + +Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/) + +Puis choisir la version Windows + +### Etapes de l'installation + +Sur l'étape **Select monitoring tool**, sélectionner **Generic**. + +Sur l'étape **Choose setup type**, sélectionner **Typical**. + +Sur l'étape **NSClient++ Configuration: + +``` + +Allowed hosts: 172.16.0.8 + +Password: root + +``` + +Activer **check plugins, check_nt et check_nrpe**. + +**Laisser NSCA client et web server désactivé** + +Cocher la case **Insecure legacy mode** + + +Terminer l'installation. + +### Modification des fichiers + +Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient.ini** (celui avec un rouage). + +Une fois ouvert, modifier tout le fichier avec ceci: + +``` + +#If you want to fill this file with all available options run the following command: +#nscp settings --generate --add-defaults --load-all +#If you want to activate a module and bring in all its options use: +#nscp settings --activate-module --add-defaults +#For details run: nscp settings --help + + +; in flight - TODO +[/settings/default] + +; Undocumented key +password = root + +; Undocumented key +allowed hosts = 172.16.0.8 + + +; in flight - TODO +[/settings/NRPE/server] + +; Undocumented key +verify mode = none + +; Undocumented key +insecure = true + + +; in flight - TODO +[/modules] + +; Undocumented key +CheckExternalScripts = enabled + +; Undocumented key +CheckHelpers = enabled + +; Undocumented key +CheckEventLog = enabled + +; Undocumented key +CheckNSCP = enabled + +; Undocumented key +CheckDisk = enabled + +; Undocumented key +CheckSystem = enabled + +; Undocumented key +NSClientServer = enabled + +; Undocumented key +NRPEServer = enabled + +``` + +Redémarrez le service NSClient++ via le **cmd**: + +``` + +services.msc + +``` + +Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer** + + +Retourner sur le serveur nagios puis écrire: + +``` + +systemctl restart nagios4 + +``` + +Les services de la machine **srv-2012** apparaissent en **OK**. diff --git a/roles/nagios/files/cfg/localhost.cfg b/roles/nagios/files/cfg/localhost.cfg new file mode 100644 index 0000000..cc142b2 --- /dev/null +++ b/roles/nagios/files/cfg/localhost.cfg @@ -0,0 +1,159 @@ +############################################################################### +# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE +# +# +# NOTE: This config file is intended to serve as an *extremely* simple +# example of how you can create configuration entries to monitor +# the local (Linux) machine. +# +############################################################################### + + + +############################################################################### +# +# HOST DEFINITION +# +############################################################################### + +# Define a host for the local machine + +define host { + + use linux-server ; Name of host template to use + ; This host definition will inherit all variables that are defined + ; in (or inherited by) the linux-server host template definition. + host_name localhost + alias localhost + address 127.0.0.1 +} + + + +############################################################################### +# +# HOST GROUP DEFINITION +# +############################################################################### + +# Define an optional hostgroup for Linux machines + +define hostgroup { + + hostgroup_name linux-servers ; The name of the hostgroup + alias Linux Servers ; Long name of the group + members localhost ; Comma separated list of hosts that belong to this group +} + + + +############################################################################### +# +# SERVICE DEFINITIONS +# +############################################################################### + +# Define a service to "ping" the local machine + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description PING + check_command check_ping!100.0,20%!500.0,60% +} + + + +# Define a service to check the disk space of the root partition +# on the local machine. Warning if < 20% free, critical if +# < 10% free space on partition. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Root Partition + check_command check_local_disk!20%!10%!/ +} + + + +# Define a service to check the number of currently logged in +# users on the local machine. Warning if > 20 users, critical +# if > 50 users. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Current Users + check_command check_local_users!20!50 +} + + + +# Define a service to check the number of currently running procs +# on the local machine. Warning if > 250 processes, critical if +# > 400 processes. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Total Processes + check_command check_local_procs!250!400!RSZDT +} + + + +# Define a service to check the load on the local machine. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Current Load + check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0 +} + + + +# Define a service to check the swap usage the local machine. +# Critical if less than 10% of swap is free, warning if less than 20% is free + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Swap Usage + check_command check_local_swap!20%!10% +} + + + +# Define a service to check SSH on the local machine. +# Disable notifications for this service by default, as not all users may have SSH enabled. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description SSH + check_command check_ssh + notifications_enabled 0 +} + + + +# Define a service to check HTTP on the local machine. +# Disable notifications for this service by default, as not all users may have HTTP enabled. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description HTTP + check_command check_http + notifications_enabled 0 +} diff --git a/roles/nagios/files/cfg/r-ext.cfg b/roles/nagios/files/cfg/r-ext.cfg new file mode 100644 index 0000000..13ec13e --- /dev/null +++ b/roles/nagios/files/cfg/r-ext.cfg @@ -0,0 +1,15 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name r-ext + alias serveur proxy + address 192.168.200.253 + parents r-int + } + + diff --git a/roles/nagios/files/cfg/r-int.cfg b/roles/nagios/files/cfg/r-int.cfg new file mode 100644 index 0000000..c6366f0 --- /dev/null +++ b/roles/nagios/files/cfg/r-int.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name r-int + alias serveur proxy + address 172.16.0.254 + } + + diff --git a/roles/nagios/files/cfg/s-adm.cfg b/roles/nagios/files/cfg/s-adm.cfg new file mode 100644 index 0000000..50a2366 --- /dev/null +++ b/roles/nagios/files/cfg/s-adm.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-adm + alias debian-servers + address 192.168.99.99 + } + diff --git a/roles/nagios/files/cfg/s-appli.cfg b/roles/nagios/files/cfg/s-appli.cfg new file mode 100644 index 0000000..e71a2cf --- /dev/null +++ b/roles/nagios/files/cfg/s-appli.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-appli + alias debian-servers + address 172.16.0.3 + } + diff --git a/roles/nagios/files/cfg/s-backup.cfg b/roles/nagios/files/cfg/s-backup.cfg new file mode 100644 index 0000000..b75a576 --- /dev/null +++ b/roles/nagios/files/cfg/s-backup.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-backup + alias serveur proxy + address 172.16.0.4 + } + diff --git a/roles/nagios/files/cfg/s-fog.cfg b/roles/nagios/files/cfg/s-fog.cfg new file mode 100644 index 0000000..0e57c04 --- /dev/null +++ b/roles/nagios/files/cfg/s-fog.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-fog + alias serveur proxy + address 172.16.0.16 + } + + diff --git a/roles/nagios/files/cfg/s-infra.cfg b/roles/nagios/files/cfg/s-infra.cfg new file mode 100644 index 0000000..6005eaf --- /dev/null +++ b/roles/nagios/files/cfg/s-infra.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-infra + alias debian-servers + address 172.16.0.1 + } + diff --git a/roles/nagios/files/cfg/s-itil.cfg b/roles/nagios/files/cfg/s-itil.cfg new file mode 100644 index 0000000..8e6686d --- /dev/null +++ b/roles/nagios/files/cfg/s-itil.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-itil + alias serveur proxy + address 172.16.0.9 + } + + diff --git a/roles/nagios/files/cfg/s-nxc.cfg b/roles/nagios/files/cfg/s-nxc.cfg new file mode 100644 index 0000000..2d9f480 --- /dev/null +++ b/roles/nagios/files/cfg/s-nxc.cfg @@ -0,0 +1,13 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-nxc + alias debian-servers + address 172.16.0.7 + } + diff --git a/roles/nagios/files/cfg/s-proxy.cfg b/roles/nagios/files/cfg/s-proxy.cfg new file mode 100644 index 0000000..feff838 --- /dev/null +++ b/roles/nagios/files/cfg/s-proxy.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-proxy + alias serveur proxy + address 172.16.0.2 + } + + diff --git a/roles/nagios/files/cfg/s-win.cfg b/roles/nagios/files/cfg/s-win.cfg new file mode 100644 index 0000000..93ad782 --- /dev/null +++ b/roles/nagios/files/cfg/s-win.cfg @@ -0,0 +1,14 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define host{ + use linux-server ; Name of host template to use + host_name s-win + alias serveur proxy + address 172.16.0.6 + } + + diff --git a/roles/nagios/files/commands.cfg b/roles/nagios/files/commands.cfg new file mode 100644 index 0000000..3cd0a0a --- /dev/null +++ b/roles/nagios/files/commands.cfg @@ -0,0 +1,151 @@ +############################################################################### +# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS +############################################################################### + + +################################################################################ +# NOTIFICATION COMMANDS +################################################################################ + + +# 'notify-host-by-email' command definition +define command{ + command_name notify-host-by-email + command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$ + } + +# 'notify-service-by-email' command definition +define command{ + command_name notify-service-by-email + command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$ + } + + + + + +################################################################################ +# HOST CHECK COMMANDS +################################################################################ + +# On Debian, check-host-alive is being defined from within the +# nagios-plugins-basic package + +define command { + + command_name check_local_disk + command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +} + + + +define command { + + command_name check_local_load + command_line $USER1$/check_load -w $ARG1$ -c $ARG2$ +} + + + +define command { + + command_name check_local_procs + command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ +} + + + +define command { + + command_name check_local_users + command_line $USER1$/check_users -w $ARG1$ -c $ARG2$ +} + + + +define command { + + command_name check_local_swap + command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$ +} + + +define command{ + command_name check_snmp_storage + command_line $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -m $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_load + command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -T $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_mem + command_line $USER1$/check_snmp_mem.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_int + command_line $USER1$/check_snmp_netint.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -a -m -k -M -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_iftraffic3 + #command_name check_win_int + #command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$ + #command_line $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -k -M -g -w $ARG4$ -c $ARG5$ + command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$ -i $ARG2$ -w $ARG3$ -c $ARG4$ +} + +define command{ + command_name check_snmp + command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$ +} +############################### +##WINDOWS +############################### + +define command{ + command_name check_nt + command_line $USER1$/check_nt -H $HOSTADDRESS$ -s root -p 12489 -v $ARG1$ $ARG2$ +} + +define command{ + command_name check_dns_ext + command_line $USER1$/check_dns -H google.com -s '$HOSTADDRESS$' +} + +#define command{ +# command_line check_dns_int +# command_line $USER1*/check_dns -H s-infra.gsb.lan -s '$HOSTADDRESS$' +#} + +#define command{ +# command_line check_dhcp +# command_line $USER1$/check_dhcp -H $HOSTADDRESS$ -s $ARG1$ -i $ARG2$ +#} + +#define command{ +# command_name check_dig +# command_line /usr/lib/nagios/plugins/check_dig -H '$HOSTADDRESS$' -l '$ARG1$' +#} + + +################################################################################ +# PERFORMANCE DATA COMMANDS +################################################################################ + + +# 'process-host-perfdata' command definition +define command{ + command_name process-host-perfdata + command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/lib/nagios3/host-perfdata.out + } + + +# 'process-service-perfdata' command definition +define command{ + command_name process-service-perfdata + command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out + } diff --git a/roles/nagios/files/hostgroups.cfg b/roles/nagios/files/hostgroups.cfg new file mode 100644 index 0000000..28dd996 --- /dev/null +++ b/roles/nagios/files/hostgroups.cfg @@ -0,0 +1,30 @@ +define hostgroup { + + hostgroup_name debian-servers ; The name of the hostgroup + alias Linux Servers ; Long name of the group + members s-infra, s-proxy, s-adm, s-nxc, s-appli, s-backup, s-itil, s-fog, r-int, r-ext ; Comma separated list of hosts that belong to this group +} + +define hostgroup { + hostgroup_name windows-servers + alias Serveurs Windows + members s-win +} + +define hostgroup { + hostgroup_name http-servers + alias Serveurs web + members s-itil +} + +define hostgroup { + hostgroup_name dhcp-servers + alias Serveurs DHCP + members s-adm, r-int +} + +define hostgroup { + hostgroup_name dns-servers + alias Serveurs DNS + members s-infra, s-backup +} diff --git a/roles/nagios/files/interfaces b/roles/nagios/files/interfaces new file mode 100644 index 0000000..711e54c --- /dev/null +++ b/roles/nagios/files/interfaces @@ -0,0 +1,23 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.104/24 + gateway 192.168.99.99 + +# Cote n-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8/24 + up ip route add 172.16.64.0/24 via 172.16.0.254 + up ip route add 172.16.128.0/24 via 172.16.0.254 + up ip route add 192.168.0.0/16 via 172.16.0.254 + up ip route add 192.168.200.0/24 via 172.16.0.254 diff --git a/roles/nagios/files/nt.cfg b/roles/nagios/files/nt.cfg new file mode 100644 index 0000000..fcae576 --- /dev/null +++ b/roles/nagios/files/nt.cfg @@ -0,0 +1,15 @@ +# If you are confused about this command definition, cause you was +# reading other suggestions, please have a look into +# /usr/share/doc/monitoring-plugins/README.Debian + +# 'check_nt' command definition +#define command { +# command_name check_nt +# command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -v '$ARG1$' +#} + +# 'check_nscp' command definition +define command { + command_name check_nscp + command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -p 12489 -v '$ARG1$' +} diff --git a/roles/nagios/files/sasl_passwd b/roles/nagios/files/sasl_passwd new file mode 100644 index 0000000..861c6a3 --- /dev/null +++ b/roles/nagios/files/sasl_passwd @@ -0,0 +1,2 @@ +[smtp.gmail.com]:587 nagios.gsb22@gmail.com:Azerty1+ +chmod 600 /etc/postfix/sasl_passwd diff --git a/roles/nagios/files/services.cfg b/roles/nagios/files/services.cfg new file mode 100644 index 0000000..b67860e --- /dev/null +++ b/roles/nagios/files/services.cfg @@ -0,0 +1,126 @@ +# A simple configuration file for monitoring the local host +# This can serve as an example for configuring other servers; +# Custom services specific to this host are added here, but services +# defined in nagios2-common_services.cfg may also apply. +# + +define service { + use generic-service + hostgroup_name debian-servers + service_description PING + check_command check_ping!100.0,20%!500.0,60% +} + +define service { + use generic-service + hostgroup_name windows-servers + service_description PING + check_command check_ping!100.0,20%!500.0,60% +} + +define service { + hostgroup_name http-servers + service_description HTTP + check_command check_http + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service { + hostgroup_name debian-servers + service_description SSH + check_command check_ssh + use generic-service + notification_interval 0 ; set > 0 if you want to be renotified +} + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Espace disque + check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Charge machine + check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Charge machine + check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0 + } + +define service{ + use generic-service + hostgroup_name debian-servers + service_description RAM + check_command check_snmp_mem!public!--v2c!-N!95,60!99,90 +} + +define service{ + use generic-service + hostgroup_name debian-servers + service_description Uptime + check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Uptime + check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Charge CPU + check_command check_nt!CPULOAD!-l 5,80,90,15,80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Uptime + check_command check_nt!UPTIME +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Mem Use + check_command check_nt!MEMUSE!80,90 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Disk Space + check_command check_nt!USEDDISKSPACE!-l C!10,5 +} + +define service{ + use generic-service + hostgroup_name windows-servers + service_description Service DNS + check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS" +} + +define service{ + use generic-service + hostgroup_name dns-servers + service_description DNS Ext + check_command check_dns_ext +} + +#define service{ +# use generic-service +# hostgroup_name dns-servers +# service_description DNS Int +# check_command check_dns_int +#} diff --git a/roles/nagios/handlers/main.yml b/roles/nagios/handlers/main.yml new file mode 100644 index 0000000..37ed5f0 --- /dev/null +++ b/roles/nagios/handlers/main.yml @@ -0,0 +1,17 @@ +- name: restart nagios4 + service: + name: nagios4 + state: restarted + enabled: yes + +- name: restart apache2 + service: + name: apache2 + state: restarted + enabled: yes + +- name: restart postfix + service: + name: postfix + state: restarted + enabled: yes diff --git a/roles/nagios/tasks/main.yml b/roles/nagios/tasks/main.yml new file mode 100644 index 0000000..5248cd4 --- /dev/null +++ b/roles/nagios/tasks/main.yml @@ -0,0 +1,124 @@ +- name: apt update + tags: update + apt: + update-cache: yes + cache_valid_time: 3600 + +- name: Installation apache2 + tags: apache + apt: + name: + - apache2 + - snmp + - nagios4 + - nagios-snmp-plugins + - python3-passlib + state: present + +- name: Copie du fichier nagios4-cgi.conf pour apache + tags: nagios4-cgi + template: + src: nagios4-cgi.conf.j2 + dest: /etc/apache2/conf-enabled/nagios4-cgi.conf + notify: restart nagios4 + +- name: Copier le fichier commands.cfg pour nagios + tags: commande + copy: + src: commands.cfg + dest: /etc/nagios4/objects/commands.cfg + notify: restart nagios4 + +- name: Copie le fichier nt.cfg pour commenter la ligne qui pose problème + tags: nt.cfg + copy: + src: nt.cfg + dest: /etc/nagios-plugins/config/nt.cfg + notify: restart nagios4 + +- name: Copie du fichier hostgroup pour nagios + tags: groups + copy: + src: hostgroups.cfg + dest: /etc/nagios4/objects + notify: restart nagios4 + +- name: Copie du fichier des services + tags: services + copy: + src: services.cfg + dest: /etc/nagios4/objects + notify: restart nagios4 + +- name: python3 par defaut + tags: python3 + alternatives: + link: /usr/bin/python + name: python + path: /usr/bin/python3 + priority: 10 + +- name: Remplacement de la ligne use_authentication=0 + tags: authentication + replace: + path: /etc/nagios4/cgi.cfg + regexp: 'use_authentication=0' + replace: 'use_authentication=1' + notify: restart nagios4 + + +- name: a2enmod rewrite cgi + tags: a2enmod + command: a2enmod rewrite cgi + notify: + - restart apache2 + - restart nagios4 + +- name: Mot de passe pour nagiosadmin + tags: passwd + command: htdigest -c /etc/nagios4/htdigest.users "{{ access }}" nagiosadmin + register: htpexist + +- name: Copie du fichier contact + tags: contact + template: + src: contacts.cfg.j2 + dest: /etc/nagios4/objects/contacts.cfg + +- name: Copie des fichiers des machines + tags: cfg + copy: + src: cfg/ + dest: /etc/nagios4/objects + notify: restart nagios4 + +- name: Copie du fichier nagios.cfg + tags: nagios.cfg + template: + src: nagios.cfg.j2 + dest: /etc/nagios4/nagios.cfg + notify: + - restart nagios4 + - restart apache2 + +- name: Suppression du fichier windows.cfg + tags: windowscfg + file: + state: absent + path: /etc/nagios4/objects/windows.cfg + +- name: Suppression du fichier printer.cfg + tags: printercfg + file: + state: absent + path: /etc/nagios4/objects/printer.cfg + +- name: Suppression du fichier switch.cfg + tags: switchcfg + file: + state: absent + path: /etc/nagios4/objects/switch.cfg + +- name: message d'information + tags: msg + debug: msg="Pour superviser le Windows, il faut installer NSClient++" \ No newline at end of file diff --git a/roles/nagios/templates/contacts.cfg.j2 b/roles/nagios/templates/contacts.cfg.j2 new file mode 100644 index 0000000..a0d7984 --- /dev/null +++ b/roles/nagios/templates/contacts.cfg.j2 @@ -0,0 +1,57 @@ +############################################################################### +# CONTACTS.CFG - SAMPLE CONTACT/CONTACTGROUP DEFINITIONS +# +# +# NOTES: This config file provides you with some example contact and contact +# group definitions that you can reference in host and service +# definitions. +# +# You don't need to keep these definitions in a separate file from your +# other object definitions. This has been done just to make things +# easier to understand. +# +############################################################################### + + + +############################################################################### +# +# CONTACTS +# +############################################################################### + +# Just one contact defined by default - the Nagios admin (that's you) +# This contact definition inherits a lot of default values from the +# 'generic-contact' template which is defined elsewhere. + +define contact { + + contact_name nagiosadmin + use generic-contact + alias Administrateur + service_notification_period 24x7 + host_notification_period 24x7 + service_notification_options w,u,c,r + host_notification_options d,r + service_notification_commands notify-service-by-email + host_notification_commands notify-host-by-email + email nagios.gsb22@gmail.com +} + + + +############################################################################### +# +# CONTACT GROUPS +# +############################################################################### + +# We only have one contact in this simple configuration file, so there is +# no need to create more than one contact group. + +define contactgroup { + + contactgroup_name admins + alias Nagios Administrators + members nagiosadmin +} diff --git a/roles/nagios/templates/main.cf.j2 b/roles/nagios/templates/main.cf.j2 new file mode 100644 index 0000000..a47b0cb --- /dev/null +++ b/roles/nagios/templates/main.cf.j2 @@ -0,0 +1,10 @@ +#On active l'authentification SASL +smtp_sasl_auth_enable=yes +#Les méthodes pour l'authenfication anonyme +smtp_sasl_security_options=noanonymous +#Le chemin de sasl_passwd +smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd +#On active le cryptage STARTTLS +smtp_tls_security_level=encrypt +#Chemin des certificats CA +smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt diff --git a/roles/nagios/templates/nagios.cfg.j2 b/roles/nagios/templates/nagios.cfg.j2 new file mode 100644 index 0000000..7d8e1df --- /dev/null +++ b/roles/nagios/templates/nagios.cfg.j2 @@ -0,0 +1,1394 @@ +############################################################################## +# +# NAGIOS.CFG - Sample Main Config File for Nagios 4.4.6 +# +# Read the documentation for more information on this configuration +# file. I've provided some comments here, but things may not be so +# clear without further explanation. +# +# +############################################################################## + + +# LOG FILE +# This is the main log file where service and host events are logged +# for historical purposes. This should be the first option specified +# in the config file!!! + +log_file=/var/log/nagios4/nagios.log + + + +# Debian also defaults to using the check commands defined by the debian +# monitoring-plugins package +cfg_dir=/etc/nagios-plugins/config + +# Debian uses by default a configuration directory where nagios4-common, +# other packages and the local admin can dump or link configuration +# files into. +#cfg_dir=/etc/nagios4/conf.d +cfg_dir=/etc/nagios4/objects + + + + +# OBJECT CONFIGURATION FILE(S) +# These are the object configuration files in which you define hosts, +# host groups, contacts, contact groups, services, etc. +# You can split your object definitions across several config files +# if you wish (as shown below), or keep them all in a single config file. + +# You can specify individual object config files as shown below: +#cfg_file=/etc/nagios4/objects/commands.cfg +#cfg_file=/etc/nagios4/objects/contacts.cfg +#cfg_file=/etc/nagios4/objects/timeperiods.cfg +#cfg_file=/etc/nagios4/objects/templates.cfg + +# Definitions for monitoring the local (Linux) host +#cfg_file=/etc/nagios4/objects/localhost.cfg +#cfg_file=/etc/nagios4/objects/s-infra.cfg +#cfg_file=/etc/nagios4/objects/s-proxy.cfg + + +# Definitions for monitoring a Windows machine +#cfg_file=/etc/nagios4/objects/windows.cfg + +# Definitions for monitoring a router/switch +#cfg_file=/etc/nagios4/objects/switch.cfg + +# Definitions for monitoring a network printer +#cfg_file=/etc/nagios4/objects/printer.cfg + + +# You can also tell Nagios to process all config files (with a .cfg +# extension) in a particular directory by using the cfg_dir +# directive as shown below: + +#cfg_dir=/etc/nagios4/servers +#cfg_dir=/etc/nagios4/printers +#cfg_dir=/etc/nagios4/switches +#cfg_dir=/etc/nagios4/routers + + + + +# OBJECT CACHE FILE +# This option determines where object definitions are cached when +# Nagios starts/restarts. The CGIs read object definitions from +# this cache file (rather than looking at the object config files +# directly) in order to prevent inconsistencies that can occur +# when the config files are modified after Nagios starts. + +object_cache_file=/var/lib/nagios4/objects.cache + + + +# PRE-CACHED OBJECT FILE +# This options determines the location of the precached object file. +# If you run Nagios with the -p command line option, it will preprocess +# your object configuration file(s) and write the cached config to this +# file. You can then start Nagios with the -u option to have it read +# object definitions from this precached file, rather than the standard +# object configuration files (see the cfg_file and cfg_dir options above). +# Using a precached object file can speed up the time needed to (re)start +# the Nagios process if you've got a large and/or complex configuration. +# Read the documentation section on optimizing Nagios to find our more +# about how this feature works. + +precached_object_file=/var/lib/nagios4/objects.precache + + + +# RESOURCE FILE +# This is an optional resource file that contains $USERx$ macro +# definitions. Multiple resource files can be specified by using +# multiple resource_file definitions. The CGIs will not attempt to +# read the contents of resource files, so information that is +# considered to be sensitive (usernames, passwords, etc) can be +# defined as macros in this file and restrictive permissions (600) +# can be placed on this file. + +resource_file=/etc/nagios4/resource.cfg + + + +# STATUS FILE +# This is where the current status of all monitored services and +# hosts is stored. Its contents are read and processed by the CGIs. +# The contents of the status file are deleted every time Nagios +# restarts. + +status_file=/var/lib/nagios4/status.dat + + + +# STATUS FILE UPDATE INTERVAL +# This option determines the frequency (in seconds) that +# Nagios will periodically dump program, host, and +# service status data. + +status_update_interval=10 + + + +# NAGIOS USER +# This determines the effective user that Nagios should run as. +# You can either supply a username or a UID. + +nagios_user=nagios + + + +# NAGIOS GROUP +# This determines the effective group that Nagios should run as. +# You can either supply a group name or a GID. + +nagios_group=nagios + + + +# EXTERNAL COMMAND OPTION +# This option allows you to specify whether or not Nagios should check +# for external commands (in the command file defined below). +# By default Nagios will check for external commands. +# If you want to be able to use the CGI command interface +# you will have to enable this. +# Values: 0 = disable commands, 1 = enable commands + +check_external_commands=1 + + + +# EXTERNAL COMMAND FILE +# This is the file that Nagios checks for external command requests. +# It is also where the command CGI will write commands that are submitted +# by users, so it must be writeable by the user that the web server +# is running as (usually 'nobody'). Permissions should be set at the +# directory level instead of on the file, as the file is deleted every +# time its contents are processed. + +command_file=/var/lib/nagios4/rw/nagios.cmd + + + +# QUERY HANDLER INTERFACE +# This is the socket that is created for the Query Handler interface + +#query_socket=/var/lib/nagios4/rw/nagios.qh + + + +# LOCK FILE +# This is the lockfile that Nagios will use to store its PID number +# in when it is running in daemon mode. + +lock_file=/var/run/nagios4/nagios4.pid + + + +# TEMP FILE +# This is a temporary file that is used as scratch space when Nagios +# updates the status log, cleans the comment file, etc. This file +# is created, used, and deleted throughout the time that Nagios is +# running. + +temp_file=/var/lib/nagios4/nagios.tmp + + + +# TEMP PATH +# This is path where Nagios can create temp files for service and +# host check results, etc. + +temp_path=/tmp + + + +# EVENT BROKER OPTIONS +# Controls what (if any) data gets sent to the event broker. +# Values: 0 = Broker nothing +# -1 = Broker everything +# = See documentation + +event_broker_options=-1 + + + +# EVENT BROKER MODULE(S) +# This directive is used to specify an event broker module that should +# by loaded by Nagios at startup. Use multiple directives if you want +# to load more than one module. Arguments that should be passed to +# the module at startup are separated from the module path by a space. +# +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Do NOT overwrite modules while they are being used by Nagios or Nagios +# will crash in a fiery display of SEGFAULT glory. This is a bug/limitation +# either in dlopen(), the kernel, and/or the filesystem. And maybe Nagios... +# +# The correct/safe way of updating a module is by using one of these methods: +# 1. Shutdown Nagios, replace the module file, restart Nagios +# 2. Delete the original module file, move the new module file into place, +# restart Nagios +# +# Example: +# +# broker_module= [moduleargs] + +#broker_module=/somewhere/module1.o +#broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 + + + +# LOG ROTATION METHOD +# This is the log rotation method that Nagios should use to rotate +# the main log file. Values are as follows.. +# n = None - don't rotate the log +# h = Hourly rotation (top of the hour) +# d = Daily rotation (midnight every day) +# w = Weekly rotation (midnight on Saturday evening) +# m = Monthly rotation (midnight last day of month) + +log_rotation_method=d + + + +# LOG ARCHIVE PATH +# This is the directory where archived (rotated) log files should be +# placed (assuming you've chosen to do log rotation). + +log_archive_path=/var/log/nagios4/archives + + + +# LOGGING OPTIONS +# If you want messages logged to the syslog facility, as well as the +# Nagios log file set this option to 1. If not, set it to 0. + +use_syslog=1 + + + +# NOTIFICATION LOGGING OPTION +# If you don't want notifications to be logged, set this value to 0. +# If notifications should be logged, set the value to 1. + +log_notifications=1 + + + +# SERVICE RETRY LOGGING OPTION +# If you don't want service check retries to be logged, set this value +# to 0. If retries should be logged, set the value to 1. + +log_service_retries=1 + + + +# HOST RETRY LOGGING OPTION +# If you don't want host check retries to be logged, set this value to +# 0. If retries should be logged, set the value to 1. + +log_host_retries=1 + + + +# EVENT HANDLER LOGGING OPTION +# If you don't want host and service event handlers to be logged, set +# this value to 0. If event handlers should be logged, set the value +# to 1. + +log_event_handlers=1 + + + +# INITIAL STATES LOGGING OPTION +# If you want Nagios to log all initial host and service states to +# the main log file (the first time the service or host is checked) +# you can enable this option by setting this value to 1. If you +# are not using an external application that does long term state +# statistics reporting, you do not need to enable this option. In +# this case, set the value to 0. + +log_initial_states=0 + + + +# CURRENT STATES LOGGING OPTION +# If you don't want Nagios to log all current host and service states +# after log has been rotated to the main log file, you can disable this +# option by setting this value to 0. Default value is 1. + +log_current_states=1 + + + +# EXTERNAL COMMANDS LOGGING OPTION +# If you don't want Nagios to log external commands, set this value +# to 0. If external commands should be logged, set this value to 1. +# Note: This option does not include logging of passive service +# checks - see the option below for controlling whether or not +# passive checks are logged. + +log_external_commands=1 + + + +# PASSIVE CHECKS LOGGING OPTION +# If you don't want Nagios to log passive host and service checks, set +# this value to 0. If passive checks should be logged, set +# this value to 1. + +log_passive_checks=1 + + + +# GLOBAL HOST AND SERVICE EVENT HANDLERS +# These options allow you to specify a host and service event handler +# command that is to be run for every host or service state change. +# The global event handler is executed immediately prior to the event +# handler that you have optionally specified in each host or +# service definition. The command argument is the short name of a +# command definition that you define in your host configuration file. +# Read the HTML docs for more information. + +#global_host_event_handler=somecommand +#global_service_event_handler=somecommand + + + +# SERVICE INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" service checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all service checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! This is not a +# good thing for production, but is useful when testing the +# parallelization functionality. +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +service_inter_check_delay_method=s + + + +# MAXIMUM SERVICE CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all services should +# be completed. Default is 30 minutes. + +max_service_check_spread=30 + + + +# SERVICE CHECK INTERLEAVE FACTOR +# This variable determines how service checks are interleaved. +# Interleaving the service checks allows for a more even +# distribution of service checks and reduced load on remote +# hosts. Setting this value to 1 is equivalent to how versions +# of Nagios previous to 0.0.5 did service checks. Set this +# value to s (smart) for automatic calculation of the interleave +# factor unless you have a specific reason to change it. +# s = Use "smart" interleave factor calculation +# x = Use an interleave factor of x, where x is a +# number greater than or equal to 1. + +service_interleave_factor=s + + + +# HOST INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" host checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all host checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +host_inter_check_delay_method=s + + + +# MAXIMUM HOST CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all hosts should +# be completed. Default is 30 minutes. + +max_host_check_spread=30 + + + +# MAXIMUM CONCURRENT SERVICE CHECKS +# This option allows you to specify the maximum number of +# service checks that can be run in parallel at any given time. +# Specifying a value of 1 for this variable essentially prevents +# any service checks from being parallelized. A value of 0 +# will not restrict the number of concurrent checks that are +# being executed. + +max_concurrent_checks=0 + + + +# HOST AND SERVICE CHECK REAPER FREQUENCY +# This is the frequency (in seconds!) that Nagios will process +# the results of host and service checks. + +check_result_reaper_frequency=10 + + + + +# MAX CHECK RESULT REAPER TIME +# This is the max amount of time (in seconds) that a single +# check result reaper event will be allowed to run before +# returning control back to Nagios so it can perform other +# duties. + +max_check_result_reaper_time=30 + + + + +# CHECK RESULT PATH +# This is directory where Nagios stores the results of host and +# service checks that have not yet been processed. +# +# Note: Make sure that only one instance of Nagios has access +# to this directory! + +check_result_path=/var/lib/nagios4/spool/checkresults + + + + +# MAX CHECK RESULT FILE AGE +# This option determines the maximum age (in seconds) which check +# result files are considered to be valid. Files older than this +# threshold will be mercilessly deleted without further processing. + +max_check_result_file_age=3600 + + + + +# CACHED HOST CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous host check is considered current. +# Cached host states (from host checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to the host check logic. +# Too high of a value for this option may result in inaccurate host +# states being used by Nagios, while a lower value may result in a +# performance hit for host checks. Use a value of 0 to disable host +# check caching. + +cached_host_check_horizon=15 + + + +# CACHED SERVICE CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous service check is considered current. +# Cached service states (from service checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to predictive dependency checks. +# Use a value of 0 to disable service check caching. + +cached_service_check_horizon=15 + + + +# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of hosts when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# host dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_host_dependency_checks=1 + + + +# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of service when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# service dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_service_dependency_checks=1 + + + +# SOFT STATE DEPENDENCIES +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when +# checking dependencies. If you want it to use the latest state (regardless +# of whether its a soft or hard state type), enable this option. +# Values: +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies + +soft_state_dependencies=0 + + + +# TIME CHANGE ADJUSTMENT THRESHOLDS +# These options determine when Nagios will react to detected changes +# in system time (either forward or backwards). + +#time_change_threshold=900 + + + +# AUTO-RESCHEDULING OPTION +# This option determines whether or not Nagios will attempt to +# automatically reschedule active host and service checks to +# "smooth" them out over time. This can help balance the load on +# the monitoring server. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_reschedule_checks=0 + + + +# AUTO-RESCHEDULING INTERVAL +# This option determines how often (in seconds) Nagios will +# attempt to automatically reschedule checks. This option only +# has an effect if the auto_reschedule_checks option is enabled. +# Default is 30 seconds. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_interval=30 + + + +# AUTO-RESCHEDULING WINDOW +# This option determines the "window" of time (in seconds) that +# Nagios will look at when automatically rescheduling checks. +# Only host and service checks that occur in the next X seconds +# (determined by this variable) will be rescheduled. This option +# only has an effect if the auto_reschedule_checks option is +# enabled. Default is 180 seconds (3 minutes). +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_window=180 + + + +# TIMEOUT VALUES +# These options control how much time Nagios will allow various +# types of commands to execute before killing them off. Options +# are available for controlling maximum time allotted for +# service checks, host checks, event handlers, notifications, the +# ocsp command, and performance data commands. All values are in +# seconds. + +service_check_timeout=60 +host_check_timeout=30 +event_handler_timeout=30 +notification_timeout=30 +ocsp_timeout=5 +ochp_timeout=5 +perfdata_timeout=5 + + + +# RETAIN STATE INFORMATION +# This setting determines whether or not Nagios will save state +# information for services and hosts before it shuts down. Upon +# startup Nagios will reload all saved service and host state +# information before starting to monitor. This is useful for +# maintaining long-term data on state statistics, etc, but will +# slow Nagios down a bit when it (re)starts. Since its only +# a one-time penalty, I think its well worth the additional +# startup delay. + +retain_state_information=1 + + + +# STATE RETENTION FILE +# This is the file that Nagios should use to store host and +# service state information before it shuts down. The state +# information in this file is also read immediately prior to +# starting to monitor the network when Nagios is restarted. +# This file is used only if the retain_state_information +# variable is set to 1. + +state_retention_file=/var/lib/nagios4/retention.dat + + + +# RETENTION DATA UPDATE INTERVAL +# This setting determines how often (in minutes) that Nagios +# will automatically save retention data during normal operation. +# If you set this value to 0, Nagios will not save retention +# data at regular interval, but it will still save retention +# data before shutting down or restarting. If you have disabled +# state retention, this option has no effect. + +retention_update_interval=60 + + + +# USE RETAINED PROGRAM STATE +# This setting determines whether or not Nagios will set +# program status variables based on the values saved in the +# retention file. If you want to use retained program status +# information, set this value to 1. If not, set this value +# to 0. + +use_retained_program_state=1 + + + +# USE RETAINED SCHEDULING INFO +# This setting determines whether or not Nagios will retain +# the scheduling info (next check time) for hosts and services +# based on the values saved in the retention file. If you +# If you want to use retained scheduling info, set this +# value to 1. If not, set this value to 0. + +use_retained_scheduling_info=1 + + + +# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE) +# The following variables are used to specify specific host and +# service attributes that should *not* be retained by Nagios during +# program restarts. +# +# The values of the masks are bitwise ANDs of values specified +# by the "MODATTR_" definitions found in include/common.h. +# For example, if you do not want the current enabled/disabled state +# of flap detection and event handlers for hosts to be retained, you +# would use a value of 24 for the host attribute mask... +# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24 + +# This mask determines what host attributes are not retained +retained_host_attribute_mask=0 + +# This mask determines what service attributes are not retained +retained_service_attribute_mask=0 + +# These two masks determine what process attributes are not retained. +# There are two masks, because some process attributes have host and service +# options. For example, you can disable active host checks, but leave active +# service checks enabled. +retained_process_host_attribute_mask=0 +retained_process_service_attribute_mask=0 + +# These two masks determine what contact attributes are not retained. +# There are two masks, because some contact attributes have host and +# service options. For example, you can disable host notifications for +# a contact, but leave service notifications enabled for them. +retained_contact_host_attribute_mask=0 +retained_contact_service_attribute_mask=0 + + + +# INTERVAL LENGTH +# This is the seconds per unit interval as used in the +# host/contact/service configuration files. Setting this to 60 means +# that each interval is one minute long (60 seconds). Other settings +# have not been tested much, so your mileage is likely to vary... + +interval_length=60 + + + +# CHECK FOR UPDATES +# This option determines whether Nagios will automatically check to +# see if new updates (releases) are available. It is recommend that you +# enable this option to ensure that you stay on top of the latest critical +# patches to Nagios. Nagios is critical to you - make sure you keep it in +# good shape. Nagios will check once a day for new updates. Data collected +# by Nagios Enterprises from the update check is processed in accordance +# with our privacy policy - see https://api.nagios.org for details. + +check_for_updates=1 + + + +# BARE UPDATE CHECK +# This option determines what data Nagios will send to api.nagios.org when +# it checks for updates. By default, Nagios will send information on the +# current version of Nagios you have installed, as well as an indicator as +# to whether this was a new installation or not. Nagios Enterprises uses +# this data to determine the number of users running specific version of +# Nagios. Enable this option if you do not want this information to be sent. + +bare_update_check=0 + + + +# AGGRESSIVE HOST CHECKING OPTION +# If you don't want to turn on aggressive host checking features, set +# this value to 0 (the default). Otherwise set this value to 1 to +# enable the aggressive check option. Read the docs for more info +# on what aggressive host check is or check out the source code in +# base/checks.c + +use_aggressive_host_checking=0 + + + +# SERVICE CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# service checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of service checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_service_checks=1 + + + +# PASSIVE SERVICE CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# service checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_service_checks=1 + + + +# HOST CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# host checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of host checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_host_checks=1 + + + +# PASSIVE HOST CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# host checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_host_checks=1 + + + +# NOTIFICATIONS OPTION +# This determines whether or not Nagios will sent out any host or +# service notifications when it is initially (re)started. +# Values: 1 = enable notifications, 0 = disable notifications + +enable_notifications=1 + + + +# EVENT HANDLER USE OPTION +# This determines whether or not Nagios will run any host or +# service event handlers when it is initially (re)started. Unless +# you're implementing redundant hosts, leave this option enabled. +# Values: 1 = enable event handlers, 0 = disable event handlers + +enable_event_handlers=1 + + + +# PROCESS PERFORMANCE DATA OPTION +# This determines whether or not Nagios will process performance +# data returned from service and host checks. If this option is +# enabled, host performance data will be processed using the +# host_perfdata_command (defined below) and service performance +# data will be processed using the service_perfdata_command (also +# defined below). Read the HTML docs for more information on +# performance data. +# Values: 1 = process performance data, 0 = do not process performance data + +process_performance_data=0 + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS +# These commands are run after every host and service check is +# performed. These commands are executed only if the +# enable_performance_data option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on performance data. + +#host_perfdata_command=process-host-perfdata +#service_perfdata_command=process-service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILES +# These files are used to store host and service performance data. +# Performance data is only written to these files if the +# enable_performance_data option (above) is set to 1. + +#host_perfdata_file=/var/lib/nagios4/host-perfdata +#service_perfdata_file=/var/lib/nagios4/service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES +# These options determine what data is written (and how) to the +# performance data files. The templates may contain macros, special +# characters (\t for tab, \r for carriage return, \n for newline) +# and plain text. A newline is automatically added after each write +# to the performance data file. Some examples of what you can do are +# shown below. + +#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ +#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ + + + +# HOST AND SERVICE PERFORMANCE DATA FILE MODES +# This option determines whether or not the host and service +# performance data files are opened in write ("w") or append ("a") +# mode. If you want to use named pipes, you should use the special +# pipe ("p") mode which avoid blocking at startup, otherwise you will +# likely want the default append ("a") mode. + +#host_perfdata_file_mode=a +#service_perfdata_file_mode=a + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL +# These options determine how often (in seconds) the host and service +# performance data files are processed using the commands defined +# below. A value of 0 indicates the files should not be periodically +# processed. + +#host_perfdata_file_processing_interval=0 +#service_perfdata_file_processing_interval=0 + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS +# These commands are used to periodically process the host and +# service performance data files. The interval at which the +# processing occurs is determined by the options above. + +#host_perfdata_file_processing_command=process-host-perfdata-file +#service_perfdata_file_processing_command=process-service-perfdata-file + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESS EMPTY RESULTS +# These options determine whether the core will process empty perfdata +# results or not. This is needed for distributed monitoring, and intentionally +# turned on by default. +# If you don't require empty perfdata - saving some cpu cycles +# on unwanted macro calculation - you can turn that off. Be careful! +# Values: 1 = enable, 0 = disable + +#host_perfdata_process_empty_results=1 +#service_perfdata_process_empty_results=1 + + +# OBSESS OVER SERVICE CHECKS OPTION +# This determines whether or not Nagios will obsess over service +# checks and run the ocsp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over services, 0 = do not obsess (default) + +obsess_over_services=0 + + + +# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND +# This is the command that is run for every service check that is +# processed by Nagios. This command is executed only if the +# obsess_over_services option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ocsp_command=somecommand + + + +# OBSESS OVER HOST CHECKS OPTION +# This determines whether or not Nagios will obsess over host +# checks and run the ochp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over hosts, 0 = do not obsess (default) + +obsess_over_hosts=0 + + + +# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND +# This is the command that is run for every host check that is +# processed by Nagios. This command is executed only if the +# obsess_over_hosts option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ochp_command=somecommand + + + +# TRANSLATE PASSIVE HOST CHECKS OPTION +# This determines whether or not Nagios will translate +# DOWN/UNREACHABLE passive host check results into their proper +# state for this instance of Nagios. This option is useful +# if you have distributed or failover monitoring setup. In +# these cases your other Nagios servers probably have a different +# "view" of the network, with regards to the parent/child relationship +# of hosts. If a distributed monitoring server thinks a host +# is DOWN, it may actually be UNREACHABLE from the point of +# this Nagios instance. Enabling this option will tell Nagios +# to translate any DOWN or UNREACHABLE host states it receives +# passively into the correct state from the view of this server. +# Values: 1 = perform translation, 0 = do not translate (default) + +translate_passive_host_checks=0 + + + +# PASSIVE HOST CHECKS ARE SOFT OPTION +# This determines whether or not Nagios will treat passive host +# checks as being HARD or SOFT. By default, a passive host check +# result will put a host into a HARD state type. This can be changed +# by enabling this option. +# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT + +passive_host_checks_are_soft=0 + + + +# ORPHANED HOST/SERVICE CHECK OPTIONS +# These options determine whether or not Nagios will periodically +# check for orphaned host service checks. Since service checks are +# not rescheduled until the results of their previous execution +# instance are processed, there exists a possibility that some +# checks may never get rescheduled. A similar situation exists for +# host checks, although the exact scheduling details differ a bit +# from service checks. Orphaned checks seem to be a rare +# problem and should not happen under normal circumstances. +# If you have problems with service checks never getting +# rescheduled, make sure you have orphaned service checks enabled. +# Values: 1 = enable checks, 0 = disable checks + +check_for_orphaned_services=1 +check_for_orphaned_hosts=1 + + + +# SERVICE FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of service results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_service_freshness=1 + + + +# SERVICE FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of service check results. If you have +# disabled service freshness checking, this option has no effect. + +service_freshness_check_interval=60 + + + +# SERVICE CHECK TIMEOUT STATE +# This setting determines the state Nagios will report when a +# service check times out - that is does not respond within +# service_check_timeout seconds. This can be useful if a +# machine is running at too high a load and you do not want +# to consider a failed service check to be critical (the default). +# Valid settings are: +# c - Critical (default) +# u - Unknown +# w - Warning +# o - OK + +service_check_timeout_state=c + + + +# HOST FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of host results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_host_freshness=0 + + + +# HOST FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of host check results. If you have +# disabled host freshness checking, this option has no effect. + +host_freshness_check_interval=60 + + + + +# ADDITIONAL FRESHNESS THRESHOLD LATENCY +# This setting determines the number of seconds that Nagios +# will add to any host and service freshness thresholds that +# it calculates (those not explicitly specified by the user). + +additional_freshness_latency=15 + + + + +# FLAP DETECTION OPTION +# This option determines whether or not Nagios will try +# and detect hosts and services that are "flapping". +# Flapping occurs when a host or service changes between +# states too frequently. When Nagios detects that a +# host or service is flapping, it will temporarily suppress +# notifications for that host/service until it stops +# flapping. Flap detection is very experimental, so read +# the HTML documentation before enabling this feature! +# Values: 1 = enable flap detection +# 0 = disable flap detection (default) + +enable_flap_detection=1 + + + +# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES +# Read the HTML documentation on flap detection for +# an explanation of what this option does. This option +# has no effect if flap detection is disabled. + +low_service_flap_threshold=5.0 +high_service_flap_threshold=20.0 +low_host_flap_threshold=5.0 +high_host_flap_threshold=20.0 + + + +# DATE FORMAT OPTION +# This option determines how short dates are displayed. Valid options +# include: +# us (MM-DD-YYYY HH:MM:SS) +# euro (DD-MM-YYYY HH:MM:SS) +# iso8601 (YYYY-MM-DD HH:MM:SS) +# strict-iso8601 (YYYY-MM-DDTHH:MM:SS) +# + +date_format=us + + + + +# TIMEZONE OFFSET +# This option is used to override the default timezone that this +# instance of Nagios runs in. If not specified, Nagios will use +# the system configured timezone. +# +# NOTE: In order to display the correct timezone in the CGIs, you +# will also need to alter the Apache directives for the CGI path +# to include your timezone. Example: +# +# +# SetEnv TZ "Australia/Brisbane" +# ... +# + +#use_timezone=US/Mountain +#use_timezone=Australia/Brisbane + + + +# ILLEGAL OBJECT NAME CHARACTERS +# This option allows you to specify illegal characters that cannot +# be used in host names, service descriptions, or names of other +# object types. + +illegal_object_name_chars=`~!$%^&*|'"<>?,()= + + + +# ILLEGAL MACRO OUTPUT CHARACTERS +# This option allows you to specify illegal characters that are +# stripped from macros before being used in notifications, event +# handlers, etc. This DOES NOT affect macros used in service or +# host check commands. +# The following macros are stripped of the characters you specify: +# $HOSTOUTPUT$ +# $LONGHOSTOUTPUT$ +# $HOSTPERFDATA$ +# $HOSTACKAUTHOR$ +# $HOSTACKCOMMENT$ +# $SERVICEOUTPUT$ +# $LONGSERVICEOUTPUT$ +# $SERVICEPERFDATA$ +# $SERVICEACKAUTHOR$ +# $SERVICEACKCOMMENT$ + +illegal_macro_output_chars=`~$&|'"<> + + + +# REGULAR EXPRESSION MATCHING +# This option controls whether or not regular expression matching +# takes place in the object config files. Regular expression +# matching is used to match host, hostgroup, service, and service +# group names/descriptions in some fields of various object types. +# Values: 1 = enable regexp matching, 0 = disable regexp matching + +use_regexp_matching=0 + + + +# "TRUE" REGULAR EXPRESSION MATCHING +# This option controls whether or not "true" regular expression +# matching takes place in the object config files. This option +# only has an effect if regular expression matching is enabled +# (see above). If this option is DISABLED, regular expression +# matching only occurs if a string contains wildcard characters +# (* and ?). If the option is ENABLED, regexp matching occurs +# all the time (which can be annoying). +# Values: 1 = enable true matching, 0 = disable true matching + +use_true_regexp_matching=0 + + + +# ADMINISTRATOR EMAIL/PAGER ADDRESSES +# The email and pager address of a global administrator (likely you). +# Nagios never uses these values itself, but you can access them by +# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification +# commands. + +admin_email=nagios@localhost +admin_pager=pagenagios@localhost + + + +# DAEMON CORE DUMP OPTION +# This option determines whether or not Nagios is allowed to create +# a core dump when it runs as a daemon. Note that it is generally +# considered bad form to allow this, but it may be useful for +# debugging purposes. Enabling this option doesn't guarantee that +# a core file will be produced, but that's just life... +# Values: 1 - Allow core dumps +# 0 - Do not allow core dumps (default) + +daemon_dumps_core=0 + + + +# LARGE INSTALLATION TWEAKS OPTION +# This option determines whether or not Nagios will take some shortcuts +# which can save on memory and CPU usage in large Nagios installations. +# Read the documentation for more information on the benefits/tradeoffs +# of enabling this option. +# Values: 1 - Enabled tweaks +# 0 - Disable tweaks (default) + +use_large_installation_tweaks=0 + + + +# ENABLE ENVIRONMENT MACROS +# This option determines whether or not Nagios will make all standard +# macros available as environment variables when host/service checks +# and system commands (event handlers, notifications, etc.) are +# executed. +# Enabling this is a very bad idea for anything but very small setups, +# as it means plugins, notification scripts and eventhandlers may run +# out of environment space. It will also cause a significant increase +# in CPU- and memory usage and drastically reduce the number of checks +# you can run. +# Values: 1 - Enable environment variable macros +# 0 - Disable environment variable macros (default) + +enable_environment_macros=0 + + + +# CHILD PROCESS MEMORY OPTION +# This option determines whether or not Nagios will free memory in +# child processes (processed used to execute system commands and host/ +# service checks). If you specify a value here, it will override +# program defaults. +# Value: 1 - Free memory in child processes +# 0 - Do not free memory in child processes + +#free_child_process_memory=1 + + + +# CHILD PROCESS FORKING BEHAVIOR +# This option determines how Nagios will fork child processes +# (used to execute system commands and host/service checks). Normally +# child processes are fork()ed twice, which provides a very high level +# of isolation from problems. Fork()ing once is probably enough and will +# save a great deal on CPU usage (in large installs), so you might +# want to consider using this. If you specify a value here, it will +# program defaults. +# Value: 1 - Child processes fork() twice +# 0 - Child processes fork() just once + +#child_processes_fork_twice=1 + + + +# DEBUG LEVEL +# This option determines how much (if any) debugging information will +# be written to the debug file. OR values together to log multiple +# types of information. +# Values: +# -1 = Everything +# 0 = Nothing +# 1 = Functions +# 2 = Configuration +# 4 = Process information +# 8 = Scheduled events +# 16 = Host/service checks +# 32 = Notifications +# 64 = Event broker +# 128 = External commands +# 256 = Commands +# 512 = Scheduled downtime +# 1024 = Comments +# 2048 = Macros +# 4096 = Interprocess communication +# 8192 = Scheduling +# 16384 = Workers + +debug_level=0 + + + +# DEBUG VERBOSITY +# This option determines how verbose the debug log out will be. +# Values: 0 = Brief output +# 1 = More detailed +# 2 = Very detailed + +debug_verbosity=1 + + + +# DEBUG FILE +# This option determines where Nagios should write debugging information. + +debug_file=/var/log/nagios4/nagios.debug + + + +# MAX DEBUG FILE SIZE +# This option determines the maximum size (in bytes) of the debug file. If +# the file grows larger than this size, it will be renamed with a .old +# extension. If a file already exists with a .old extension it will +# automatically be deleted. This helps ensure your disk space usage doesn't +# get out of control when debugging Nagios. + +max_debug_file_size=1000000 + + + +# Should we allow hostgroups to have no hosts, we default this to off since +# that was the old behavior + +allow_empty_hostgroup_assignment=0 + + + +# Normally worker count is dynamically allocated based on 1.5 * number of cpu's +# with a minimum of 4 workers. This value will override the defaults + +#check_workers=3 + + + +# DISABLE SERVICE CHECKS WHEN HOST DOWN +# This option will disable all service checks if the host is not in an UP state +# +# While desirable in some environments, enabling this value can distort report +# values as the expected quantity of checks will not have been performed + +#host_down_disable_service_checks=0 + + + +# SET SERVICE/HOST STATUS WHEN SERVICE CHECK SKIPPED +# These options will allow you to set the status of a service when its +# service check is skipped due to one of three reasons: +# 1) failed dependency check; 2) parent's status; 3) host not up +# Number 3 can only happen if 'host_down_disable_service_checks' above +# is set to 1. +# Valid values for the service* options are: +# -1 Do not change the service status (default - same as before 4.4) +# 0 Set the service status to STATE_OK +# 1 Set the service status to STATE_WARNING +# 2 Set the service status to STATE_CRITICAL +# 3 Set the service status to STATE_UNKNOWN +# The host_skip_check_dependency_status option will allow you to set the +# status of a host when itscheck is skipped due to a failed dependency check. +# Valid values for the host_skip_check_dependency_status are: +# -1 Do not change the service status (default - same as before 4.4) +# 0 Set the host status to STATE_UP +# 1 Set the host status to STATE_DOWN +# 2 Set the host status to STATE_UNREACHABLE +# We may add one or more statuses in the future. + +#service_skip_check_dependency_status=-1 +#service_skip_check_parent_status=-1 +#service_skip_check_host_down_status=-1 +#host_skip_check_dependency_status=-1 + + + +# LOAD CONTROL OPTIONS +# To get current defaults based on your system, issue this command to +# the query handler: +# echo -e '@core loadctl\0' | nc -U /usr/local/nagios/var/rw/nagios.qh +# +# Please note that used incorrectly these options can induce enormous latency. +# +# loadctl_options: +# jobs_max The maximum amount of jobs to run at one time +# jobs_min The minimum amount of jobs to run at one time +# jobs_limit The maximum amount of jobs the current load lets us run +# backoff_limit The minimum backoff_change +# backoff_change # of jobs to remove from jobs_limit when backing off +# rampup_limit Minimum rampup_change +# rampup_change # of jobs to add to jobs_limit when ramping up + +#loadctl_options=jobs_max=100;backoff_limit=10;rampup_change=5 diff --git a/roles/nagios/templates/nagios4-cgi.conf.j2 b/roles/nagios/templates/nagios4-cgi.conf.j2 new file mode 100644 index 0000000..84ac038 --- /dev/null +++ b/roles/nagios/templates/nagios4-cgi.conf.j2 @@ -0,0 +1,27 @@ +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + AuthDigestDomain "nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Restricted Nagios4 Access" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + + + + Options +ExecCGI + AddHandler cgi-script .cgi + diff --git a/roles/nxc-traefik/README.md b/roles/nxc-traefik/README.md new file mode 100644 index 0000000..b28558d --- /dev/null +++ b/roles/nxc-traefik/README.md @@ -0,0 +1,35 @@ +# Installation de Nextcloud et du proxy inverse Traefik + +Nextcloud et Traefik fonctionnent grâce à docker. Pour pouvoir faire fonctionner ce playbook, docker doit être installé. + +## Premièrement + +Le playbook va créer le dossier nxc à la racine de root. Deux fichier docker-compose "nextcloud.yml" et "traefik.yml" y seront copiés depuis le répertoire "files" du playbook. +Enfin, dans le répertoire nxc, seront créé les dossier certs et config. + +### Deuxièmement + +Le playbook va copier les fichiers placés dans "files" et les placer dans les bons répertoires. + +#### Troisièmement + +Le playbook va créer un certificat x509 grâce à mkcert, il s'agit d'une solution permettant de créer +des certificats auto-signés. Pour cela il télécharge mkcert sur s-adm (utiliser le getall). + +mkcert sera placé dans : /usr/local/bin/ + +Pour créer le certificat le playbook va executer des lignes de commandes (lancé depuis nxc/) : +``` +/usr/local/bin/mkcert -install # Installe mkcert +/usr/local/bin/mkcert -key-file key.pem -cert-file cert.pem "hôte.domaine.local" "*.domaine.local" #Crée le certificat le DNS spécifié +``` +##### Quatrièmement + +Le playbook va lancer les fichier "docker-compose" à savoir : nextcloud.yml et traefik.yml. +Cela va installer les solutions automatiquement. Nextcloud est alors fonctionnel avec +un proxy inverse qui va rediriger en HTTPS. + + +ATTENTION : Après avoir relancé la VM, executez le script "nxc-start.sh" afin d'installer les piles applicatives. +Une fois le script fini, accedez au site : +https://s-nxc.gsb.lan diff --git a/roles/nxc-traefik/files/dynamic.yml b/roles/nxc-traefik/files/dynamic.yml new file mode 100644 index 0000000..12fc931 --- /dev/null +++ b/roles/nxc-traefik/files/dynamic.yml @@ -0,0 +1,18 @@ +http: + routers: + traefik: + rule: "Host(`traefik.docker.localhost`)" + service: "api@internal" + tls: + domains: + - main: "docker.localhost" + sans: + - "*.docker.localhost" + - main: "s-nxc.gsb.lan" + sans: + - "*.gsb.lan" + +tls: + certificates: + - certFile: "/etc/certs/local-cert.pem" + keyFile: "/etc/certs/local-key.pem" diff --git a/roles/nxc-traefik/files/nextcloud.yml b/roles/nxc-traefik/files/nextcloud.yml new file mode 100644 index 0000000..fe1597e --- /dev/null +++ b/roles/nxc-traefik/files/nextcloud.yml @@ -0,0 +1,58 @@ +version: '2' + +volumes: + # nextcloud: + db: + +services: + db: + image: mariadb + container_name: db + restart: always + #command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + command: --innodb-read-only-compressed=OFF + volumes: + - db:/var/lib/mysql + networks: + - nxc-db + environment: + - MYSQL_ROOT_PASSWORD=blabla + - MYSQL_PASSWORD=blabla + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + + nxc: + image: nextcloud + restart: always + container_name: nxc +# ports: +# - 8080:80 +# links: + depends_on: + - db + volumes: + - ./nextcloud:/var/www/html + environment: + - MYSQL_PASSWORD=blabla + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - MYSQL_HOST=db + labels: + # Enable this container to be mapped by traefik + # For more information, see: https://docs.traefik.io/providers/docker/#exposedbydefault + - "traefik.enable=true" + # URL to reach this container + - "traefik.http.routers.nxc.rule=Host(`s-nxc.gsb.lan`)" + # Activation of TLS + - "traefik.http.routers.nxc.tls=true" + # If port is different than 80, use the following service: + #- "traefik.http.services..loadbalancer.server.port=" + # - "traefik.http.services.app.loadbalancer.server.port=8080" + networks: + - proxy + - nxc-db +networks: + proxy: + external: true + nxc-db: + external: false diff --git a/roles/nxc-traefik/files/nxc-debug.sh b/roles/nxc-traefik/files/nxc-debug.sh new file mode 100755 index 0000000..de78ec7 --- /dev/null +++ b/roles/nxc-traefik/files/nxc-debug.sh @@ -0,0 +1,6 @@ +#!/bin/bash +docker-compose -f nextcloud.yml down +docker-compose -f traefik.yml down +sleep 1 +docker-compose -f traefik.yml up -d --remove-orphans +docker-compose -f nextcloud.yml up -d diff --git a/roles/nxc-traefik/files/nxc-prune.sh b/roles/nxc-traefik/files/nxc-prune.sh new file mode 100755 index 0000000..2efce15 --- /dev/null +++ b/roles/nxc-traefik/files/nxc-prune.sh @@ -0,0 +1,4 @@ +#!/bin/bash +docker volume prune -f +docker container prune -f +docker image prune -f diff --git a/roles/nxc-traefik/files/nxc-start.sh b/roles/nxc-traefik/files/nxc-start.sh new file mode 100755 index 0000000..595b22a --- /dev/null +++ b/roles/nxc-traefik/files/nxc-start.sh @@ -0,0 +1,3 @@ +#!/bin/bash +docker-compose -f traefik.yml up -d +docker-compose -f nextcloud.yml up -d diff --git a/roles/nxc-traefik/files/nxc-stop.sh b/roles/nxc-traefik/files/nxc-stop.sh new file mode 100755 index 0000000..2775a51 --- /dev/null +++ b/roles/nxc-traefik/files/nxc-stop.sh @@ -0,0 +1,3 @@ +#!/bin/bash +docker-compose -f nextcloud.yml down +docker-compose -f traefik.yml down diff --git a/roles/nxc-traefik/files/static.yml b/roles/nxc-traefik/files/static.yml new file mode 100644 index 0000000..cc336a2 --- /dev/null +++ b/roles/nxc-traefik/files/static.yml @@ -0,0 +1,31 @@ +global: + sendAnonymousUsage: false + +api: + dashboard: true + insecure: true + +providers: + docker: + endpoint: "unix:///var/run/docker.sock" + watch: true + exposedByDefault: false + + file: + filename: /etc/traefik/dynamic.yml + watch: true + +log: + level: INFO + format: common + +entryPoints: + http: + address: ":80" + http: + redirections: + entryPoint: + to: https + scheme: https + https: + address: ":443" diff --git a/roles/nxc-traefik/files/traefik.yml b/roles/nxc-traefik/files/traefik.yml new file mode 100644 index 0000000..28a91ad --- /dev/null +++ b/roles/nxc-traefik/files/traefik.yml @@ -0,0 +1,28 @@ +version: '3' + +services: + reverse-proxy: + #image: traefik:v2.5 + image: traefik + container_name: traefik + restart: always + security_opt: + - no-new-privileges:true + ports: + # Web + - 80:80 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + # Map the static configuration into the container + - ./config/static.yml:/etc/traefik/traefik.yml:ro + # Map the dynamic configuration into the container + - ./config/dynamic.yml:/etc/traefik/dynamic.yml:ro + # Map the certificats into the container + - ./certs:/etc/certs:ro + networks: + - proxy + +networks: + proxy: + external: true diff --git a/roles/nxc-traefik/tasks/main.yml b/roles/nxc-traefik/tasks/main.yml new file mode 100644 index 0000000..2ee04b7 --- /dev/null +++ b/roles/nxc-traefik/tasks/main.yml @@ -0,0 +1,78 @@ +--- +- name: Creation du repertoire de nextcloud et traefik + file: + path: /root/nxc + state: directory + +- name: Creation du repertoire nxc/config + file: + path: /root/nxc/config + state: directory + +- name: Creation du repertoire nxc/certs + file: + path: /root/nxc/certs + state: directory + +- name: Copie de static.yml + copy: + src: static.yml + dest: /root/nxc/config + +- name: Copie de dynamic.yml + copy: + src: dynamic.yml + dest: /root/nxc/config + +- name: Copie de nextcloud.yml + copy: + src: nextcloud.yml + dest: /root/nxc + +- name: Copie de traefik.yml + copy: + src: traefik.yml + dest: /root/nxc + +- name: Copie de nxc-stop.sh + copy: + src: nxc-stop.sh + dest: /root/nxc + mode: '0755' + +- name: Copie de nxc-debug.sh + copy: + src: nxc-debug.sh + dest: /root/nxc + mode: '0755' + +- name: Copie de nxc-start.sh + copy: + src: nxc-start.sh + dest: /root/nxc + mode: '0755' + +- name: Copie de nxc-prune.sh + copy: + src: nxc-prune.sh + dest: /root/nxc + mode: '0755' + +- name: Telechargement mkcert + get_url: + url: http://s-adm.gsb.adm/gsbstore/mkcert + dest: /usr/local/bin + mode: '0755' + +- name: Initialisation mkcert + command: /usr/local/bin/mkcert -install + args: + chdir: /root/nxc + +- name: Creation certificats + command: /usr/local/bin/mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem "s-nxc.gsb.lan" "*.gsb.lan" + args: + chdir: /root/nxc + +- name: Creation reseau docker proxy + command: docker network create proxy diff --git a/roles/old/docker-iredmail-ab/files/fstab b/roles/old/docker-iredmail-ab/files/fstab new file mode 100644 index 0000000..c86a33e --- /dev/null +++ b/roles/old/docker-iredmail-ab/files/fstab @@ -0,0 +1,13 @@ +# /etc/fstab: static file system information. +# +# Use 'blkid' to print the universally unique identifier for a +# device; this may be used with UUID= as a more robust way to name devices +# that works even if disks are added and removed. See fstab(5). +# +# +/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1 +# /boot was on /dev/sda1 during installation +UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2 +/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0 +/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 +/dev/sdb1 /var/lib/containers ext4 defaults 0 0 \ No newline at end of file diff --git a/roles/old/docker-iredmail-ab/files/https_proxy.conf b/roles/old/docker-iredmail-ab/files/https_proxy.conf new file mode 100644 index 0000000..ebff942 --- /dev/null +++ b/roles/old/docker-iredmail-ab/files/https_proxy.conf @@ -0,0 +1,2 @@ +[Service] +Environment="HTTPS_PROXY=http://192.168.99.99:8080/" \ No newline at end of file diff --git a/roles/old/docker-iredmail-ab/files/iredmail.sh b/roles/old/docker-iredmail-ab/files/iredmail.sh new file mode 100644 index 0000000..cba0bdf --- /dev/null +++ b/roles/old/docker-iredmail-ab/files/iredmail.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +docker run --privileged -p 80:80 -p 443:443 \ + -h s-mess.sio.lan \ + -e "DOMAIN=sio.lan" \ + -e "MYSQL_ROOT_PASSWORD=iredmail" \ + -e "SOGO_WORKERS=1" \ + -e "TIMEZONE=Europe/Paris" \ + -e "POSTMASTER_PASSWORD=Azertyuiop1+" \ + -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \ + -v /root/mysql:/var/lib/mysql \ + -v /root/vmail:/var/vmail \ + -v /root/clamav:/var/lib/clamav \ + --name=iredmail lejmr/iredmail:mysql-latest diff --git a/roles/old/docker-iredmail-ab/handlers/main.yml b/roles/old/docker-iredmail-ab/handlers/main.yml new file mode 100644 index 0000000..0ccee7e --- /dev/null +++ b/roles/old/docker-iredmail-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart docker + service: name=docker state=restarted \ No newline at end of file diff --git a/roles/old/docker-iredmail-ab/tasks/main.yml b/roles/old/docker-iredmail-ab/tasks/main.yml new file mode 100644 index 0000000..fd967fa --- /dev/null +++ b/roles/old/docker-iredmail-ab/tasks/main.yml @@ -0,0 +1,83 @@ +--- +- name: Installation de apt-transport-https + apt: name=apt-transport-https state=present + +- name: Installation de ca-certificates + apt: name=ca-certificates state=present + +- name: Installation de gnupg2 + apt: name=gnupg2 state=present + +- name: Installation de software-properties-common + apt: name=software-properties-common state=present + +- name: Installation de sudo + apt: name=sudo state=present + +- name: Installation de docker + shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - + +- name: Récupération des paquets docker-ce et docker-compose + shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" + +- name: Création du répertoire docker.service.d + file: + path: /etc/systemd/system/docker.service.d + state: directory + owner: root + group: root + mode: 0775 + recurse: yes + +- name: Copie https_proxy.conf + copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/ + notify: + - restart docker + +- name: Vérification des nouveaux paquets + shell: sudo apt-get update + +- name: Installation de docker-ce + shell: sudo apt-get install -y docker-ce + +- name: Installation de docker-compose + shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + +- name: Modification des droits de docker-compose + shell: chmod +x /usr/local/bin/docker-compose + +- name: Copie du fichier fstab + copy: src=fstab dest=/etc/ + +- name: Copie du script bash Iredmail + copy: src=iredmail.sh dest=/root/tools/ansible + +- name: Changement du système de fichier de /dev/sdb1 en ext4 + shell: mkfs.ext4 /dev/sdb1 + +- name: Montage /dev/sdb1 sur /var/lib/docker + shell: mount /dev/sdb1 /var/lib/docker + +- name: Droit pour le script Iredmail + shell: chmod a+x /root/tools/ansible/iredmail.sh + +- name: Création du répertoire mysql + shell: mkdir /root//mysql + +- name: Création du répertoire vmail + shell: mkdir /root/vmail + +- name: Création du répertoire clamav + shell: mkdir /root/clamav + +- name: Exécution du script Iredmail + debug: msg="Exécuter le script iredmail.sh qui se trouve dans tools/ansible" + +- name: Montage /dev/sdb1 + debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h" + +- name: Test docker + debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1" + +- name: Démarrer le container + debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443" diff --git a/roles/old/docker-openvas-ab/files/fstab b/roles/old/docker-openvas-ab/files/fstab new file mode 100644 index 0000000..c86a33e --- /dev/null +++ b/roles/old/docker-openvas-ab/files/fstab @@ -0,0 +1,13 @@ +# /etc/fstab: static file system information. +# +# Use 'blkid' to print the universally unique identifier for a +# device; this may be used with UUID= as a more robust way to name devices +# that works even if disks are added and removed. See fstab(5). +# +# +/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1 +# /boot was on /dev/sda1 during installation +UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2 +/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0 +/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 +/dev/sdb1 /var/lib/containers ext4 defaults 0 0 \ No newline at end of file diff --git a/roles/old/docker-openvas-ab/files/https_proxy.conf b/roles/old/docker-openvas-ab/files/https_proxy.conf new file mode 100644 index 0000000..ebff942 --- /dev/null +++ b/roles/old/docker-openvas-ab/files/https_proxy.conf @@ -0,0 +1,2 @@ +[Service] +Environment="HTTPS_PROXY=http://192.168.99.99:8080/" \ No newline at end of file diff --git a/roles/old/docker-openvas-ab/handlers/main.yml b/roles/old/docker-openvas-ab/handlers/main.yml new file mode 100644 index 0000000..0ccee7e --- /dev/null +++ b/roles/old/docker-openvas-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart docker + service: name=docker state=restarted \ No newline at end of file diff --git a/roles/old/docker-openvas-ab/tasks/main.yml b/roles/old/docker-openvas-ab/tasks/main.yml new file mode 100644 index 0000000..2ffb798 --- /dev/null +++ b/roles/old/docker-openvas-ab/tasks/main.yml @@ -0,0 +1,77 @@ +--- +- name: Installation de apt-transport-https + apt: name=apt-transport-https state=present + +- name: Installation de ca-certificates + apt: name=ca-certificates state=present + +- name: Installation de gnupg2 + apt: name=gnupg2 state=present + +- name: Installation de software-properties-common + apt: name=software-properties-common state=present + +- name: Installation de sudo + apt: name=sudo state=present + +- name: Installation de docker + shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - + +- name: Récupération des paquets docker-ce et docker-compose + shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" + +- name: Création du répertoire docker.service.d + file: + path: /etc/systemd/system/docker.service.d + state: directory + owner: root + group: root + mode: 0775 + recurse: yes + +- name: Copie https_proxy.conf + copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/ + notify: + - restart docker + +- name: Vérification des nouveaux paquets + shell: sudo apt-get update + +- name: Installation de docker-ce + shell: sudo apt-get install -y docker-ce + +- name: Installation de docker-compose + shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + +- name: Modification des droits de docker-compose + shell: chmod +x /usr/local/bin/docker-compose + +- name: Création du docker portainer_data + shell: docker volume create portainer_data + +- name: Initialisation de portainer + shell: docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer + +- name: Copie du fichier fstab + copy: src=fstab dest=/etc/ + +- name: Changement du système de fichier de /dev/sdb1 en ext4 + shell: mkfs.ext4 /dev/sdb1 + +- name: Montage /dev/sdb1 sur /var/lib/docker + shell: mount /dev/sdb1 /var/lib/docker + +- name: Installation d'OpenVAS + debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas puis redémarrer docker avec service docker restart" + + #- name: Installation d'IredMail + #debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name iredmail lejmr/iredmail puis redémarrer docker avec service docker restart" + +- name: Montage /dev/sdb1 + debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h" + +- name: Test docker + debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1" + +- name: Démarrer le container + debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443" diff --git a/roles/old/firewall-vpn-l-cs/files/iptables-vpn b/roles/old/firewall-vpn-l-cs/files/iptables-vpn new file mode 100644 index 0000000..c363d43 --- /dev/null +++ b/roles/old/firewall-vpn-l-cs/files/iptables-vpn @@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s9 +IFINT=enp0s8 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-l-cs/tasks/main.yml b/roles/old/firewall-vpn-l-cs/tasks/main.yml new file mode 100644 index 0000000..c171284 --- /dev/null +++ b/roles/old/firewall-vpn-l-cs/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - name: fichier parefeu pour VPN + copy: src=iptables-vpn dest=/root/ diff --git a/roles/old/firewall-vpn-l/files/ferm.conf b/roles/old/firewall-vpn-l/files/ferm.conf new file mode 100644 index 0000000..31d5ec1 --- /dev/null +++ b/roles/old/firewall-vpn-l/files/ferm.conf @@ -0,0 +1,68 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_AG = enp0s8; +@def $DEV_VPN = enp0s9; + +@def $NET_ADM=192.168.99.102/24; +@def $NET_AG=172.16.128.254/24; +@def $NET_VPN=192.168.0.52/24; + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # allow SSH connections + proto tcp dport ssh ACCEPT; + + # allow DNS connections + proto udp sport domain ACCEPT; + proto udp dport domain ACCEPT; + + # allow IPsec + interface ($DEV_AG $DEV_VPN) { + proto udp sport 500 ACCEPT; + proto udp dport 500 ACCEPT; + proto esp ACCEPT; + } + + # Autoriser nat-t-ike + # interface ($DEV_AG) { + proto udp sport 4500 ACCEPT; + proto udp dport 5500 ACCEPT; +# } + + # allow DNS connections + #interface ($DEV_INT) { + proto (udp tcp) dport domain ACCEPT; + #} + + # autoriser NTP + proto udp sport 123 ACCEPT; + + } + chain OUTPUT { + policy ACCEPT; + + # connection tracking + # mod state state INVALID DROP; + # mod state state (ESTABLISHED RELATED) ACCEPT; + } + chain FORWARD { + policy ACCEPT; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } +} \ No newline at end of file diff --git a/roles/old/firewall-vpn-l/files/iptables-vpn b/roles/old/firewall-vpn-l/files/iptables-vpn new file mode 100644 index 0000000..c363d43 --- /dev/null +++ b/roles/old/firewall-vpn-l/files/iptables-vpn @@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s9 +IFINT=enp0s8 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-l/handlers/main.yml b/roles/old/firewall-vpn-l/handlers/main.yml new file mode 100644 index 0000000..e427fa2 --- /dev/null +++ b/roles/old/firewall-vpn-l/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: Restart ferm + service: name=ferm state=restarted diff --git a/roles/old/firewall-vpn-l/tasks/main.yml b/roles/old/firewall-vpn-l/tasks/main.yml new file mode 100644 index 0000000..b0a540d --- /dev/null +++ b/roles/old/firewall-vpn-l/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name : installer ferm + apt: name=ferm state=present + +- name: fichier parefeu pour VPN + copy: src=ferm.conf dest=/etc/ferm/ferm.conf + notify: + - Restart ferm \ No newline at end of file diff --git a/roles/old/firewall-vpn-r-cs/files/iptables-vpn b/roles/old/firewall-vpn-r-cs/files/iptables-vpn new file mode 100644 index 0000000..5ed337d --- /dev/null +++ b/roles/old/firewall-vpn-r-cs/files/iptables-vpn @@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s8 +IFINT=enp0s9 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-r-cs/tasks/main.yml b/roles/old/firewall-vpn-r-cs/tasks/main.yml new file mode 100644 index 0000000..c171284 --- /dev/null +++ b/roles/old/firewall-vpn-r-cs/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - name: fichier parefeu pour VPN + copy: src=iptables-vpn dest=/root/ diff --git a/roles/old/firewall-vpn-r/files/ferm.conf b/roles/old/firewall-vpn-r/files/ferm.conf new file mode 100644 index 0000000..899911f --- /dev/null +++ b/roles/old/firewall-vpn-r/files/ferm.conf @@ -0,0 +1,67 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_VPN = enp0s8; +@def $DEV_EXT = enp0s9; + +@def $NET_ADM=192.168.99.112/24; +@def $NET_VPN=192.168.0.51/24; +@def $NET_EXT=192.168.1.2/24; + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # allow SSH connections + proto tcp dport ssh ACCEPT; + + + # allow DNS connections + proto udp sport domain ACCEPT; + proto udp dport domain ACCEPT; + + + # allow IPsec + interface ($DEV_VPN) { + proto udp sport 500 ACCEPT; + proto udp dport 500 ACCEPT; + proto esp ACCEPT; + } + + # Autoriser nat-t-ike + interface ($DEV_VPN) { + proto udp sport 4500 ACCEPT; + proto udp dport 5500 ACCEPT; + } + + # allow DNS connections + #interface ($DEV_INT) { +# proto (udp tcp) dport domain ACCEPT; + #} + + + # autoriser NTP + proto udp sport 123 ACCEPT; + + } + chain OUTPUT { + policy ACCEPT; + } + chain FORWARD { + policy ACCEPT; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } +} \ No newline at end of file diff --git a/roles/old/firewall-vpn-r/files/iptables-vpn b/roles/old/firewall-vpn-r/files/iptables-vpn new file mode 100644 index 0000000..5ed337d --- /dev/null +++ b/roles/old/firewall-vpn-r/files/iptables-vpn @@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s8 +IFINT=enp0s9 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-r/handlers/main.yml b/roles/old/firewall-vpn-r/handlers/main.yml new file mode 100644 index 0000000..e427fa2 --- /dev/null +++ b/roles/old/firewall-vpn-r/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: Restart ferm + service: name=ferm state=restarted diff --git a/roles/old/firewall-vpn-r/tasks/main.yml b/roles/old/firewall-vpn-r/tasks/main.yml new file mode 100644 index 0000000..b2d49ed --- /dev/null +++ b/roles/old/firewall-vpn-r/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name : installer ferm + apt: name=ferm state=present + +- name: fichier parefeu pour VPN + copy: src=ferm.conf dest=/etc/ferm/ferm.conf + notify: + - Restart ferm \ No newline at end of file diff --git a/roles/old/itil-cs/files/.my.cnf b/roles/old/itil-cs/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/old/itil-cs/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/old/itil-cs/files/glpi.conf b/roles/old/itil-cs/files/glpi.conf new file mode 100644 index 0000000..4c37222 --- /dev/null +++ b/roles/old/itil-cs/files/glpi.conf @@ -0,0 +1,12 @@ +DocumentRoot /var/www/glpi + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + AuthType Basic + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined + CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined + ErrorLog ${APACHE_LOG_DIR}/glpi_error.log diff --git a/roles/old/itil-cs/files/script b/roles/old/itil-cs/files/script new file mode 100644 index 0000000..f400139 --- /dev/null +++ b/roles/old/itil-cs/files/script @@ -0,0 +1,4 @@ +#!/bin/sh +chm= »/var/www/html/glpi/files/_dumps » +# Dump base GLPI +mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz \ No newline at end of file diff --git a/roles/old/itil-cs/handlers/main.yml b/roles/old/itil-cs/handlers/main.yml new file mode 100644 index 0000000..9744cf7 --- /dev/null +++ b/roles/old/itil-cs/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted + + - name: restart mysql-server + service: name=mysql-server state=restarted diff --git a/roles/old/itil-cs/tasks/main.yml b/roles/old/itil-cs/tasks/main.yml new file mode 100644 index 0000000..ced06f0 --- /dev/null +++ b/roles/old/itil-cs/tasks/main.yml @@ -0,0 +1,65 @@ +--- + - name: Install apache2 + apt: name=apache2 state=present update_cache=yes + notify: + - restart apache2 + + - name: Install php5 + apt: name=php5 state=present update_cache=yes + + - name: Install php5-mysql + apt: name=php5-mysql state=present update_cache=yes + + - name: Install php5-gd + apt: name=php5-gd state=present update_cache=yes + + - name: Install php5-curl + apt: name=php5-curl state=present update_cache=yes + + - name: Install php5-imap + apt: name=php5-imap state=present update_cache=yes + + - name: Install php5-ldap + apt: name=php5-ldap state=present update_cache=yes + + - name: Download GLPI from Internet + copy: src=glpi-9.1.3.tgz dest=/var/www/ + + - name: Instructions + debug: msg="En cas de problemes, relancez le playbook une seconde fois." + + - name: unpack tarball + unarchive: src=/var/www/glpi-9.1.3.tgz dest=/var/www/ + + - name: Fix permissions + shell: chown -R www-data:www-data /var/www/glpi/ + + - name: copy .my.cnf file with root password credentials + copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600 + + + - name: Print web instructions + debug: msg="/!\ Se rendre sur http://adresse_ip_de_votre_serveur/glpi et suivre l'installation" + + - name: Download Fusioninventory from Internet + copy: src=fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins + + - name: unpack tarball + unarchive: src=/var/www/glpi/plugins/fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins + + - name: Print web instructions + debug: msg="(i) Fusioninventory plugin installed in /var/www/glpi/plugins" + + - name: copy glpi.conf + copy: src=glpi.conf dest=/etc/apache2/sites-available/ + + - name: activation du site glpi + shell: a2ensite glpi.conf + notify: + - restart apache2 + + - name: copie script + copy: src=script dest=/root/ + + - name: chmod + shell: chmod +x /root/script \ No newline at end of file diff --git a/roles/old/snmp-cs/files/snmpd.conf b/roles/old/snmp-cs/files/snmpd.conf new file mode 100644 index 0000000..6b81b54 --- /dev/null +++ b/roles/old/snmp-cs/files/snmpd.conf @@ -0,0 +1,193 @@ +############################################################################### +# +# EXAMPLE.conf: +# An example configuration file for configuring the Net-SNMP agent ('snmpd') +# See the 'snmpd.conf(5)' man page for details +# +# Some entries are deliberately commented out, and will need to be explicitly activated +# +############################################################################### +# +# AGENT BEHAVIOUR +# + +# Listen for connections from the local system only +#agentAddress udp:127.0.0.1:161 +# Listen for connections on all interfaces (both IPv4 *and* IPv6) +agentAddress udp:161,udp6:[::1]:161 + + + +############################################################################### +# +# SNMPv3 AUTHENTICATION +# +# Note that these particular settings don't actually belong here. +# They should be copied to the file /var/lib/snmp/snmpd.conf +# and the passwords changed, before being uncommented in that file *only*. +# Then restart the agent + +# createUser authOnlyUser MD5 "remember to change this password" +# createUser authPrivUser SHA "remember to change this one too" DES +# createUser internalUser MD5 "this is only ever used internally, but still change the password" + +# If you also change the usernames (which might be sensible), +# then remember to update the other occurances in this example config file to match. + + + +############################################################################### +# +# ACCESS CONTROL +# + + # system + hrSystem groups only +view systemonly included .1.3.6.1.2.1.1 +view systemonly included .1.3.6.1.2.1.25.1 + + # Full access from the local host +rocommunity public s-mon.gsb.adm + # Default access to basic system info +rocommunity public + + # Full access from an example network + # Adjust this network address to match your local + # settings, change the community string, + # and check the 'agentAddress' setting above +#rocommunity secret 10.0.0.0/16 + + # Full read-only access for SNMPv3 + rouser authOnlyUser + # Full write access for encrypted requests + # Remember to activate the 'createUser' lines above +#rwuser authPrivUser priv + +# It's no longer typically necessary to use the full 'com2sec/group/access' configuration +# r[ou]user and r[ow]community, together with suitable views, should cover most requirements + + + +############################################################################### +# +# SYSTEM INFORMATION +# + +# Note that setting these values here, results in the corresponding MIB objects being 'read-only' +# See snmpd.conf(5) for more details +sysLocation Sitting on the Dock of the Bay +sysContact Me + # Application + End-to-End layers +sysServices 72 + + +# +# Process Monitoring +# + # At least one 'mountd' process +proc mountd + # No more than 4 'ntalkd' processes - 0 is OK +proc ntalkd 4 + # At least one 'sendmail' process, but no more than 10 +proc sendmail 10 1 + +# Walk the UCD-SNMP-MIB::prTable to see the resulting output +# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file + + +# +# Disk Monitoring +# + # 10MBs required on root disk, 5% free on /var, 10% free on all other disks +disk / 10000 +disk /var 5% +includeAllDisks 10% + +# Walk the UCD-SNMP-MIB::dskTable to see the resulting output +# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file + + +# +# System Load +# + # Unacceptable 1-, 5-, and 15-minute load averages +load 12 10 5 + +# Walk the UCD-SNMP-MIB::laTable to see the resulting output +# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file + + + +############################################################################### +# +# ACTIVE MONITORING +# + + # send SNMPv1 traps + trapsink localhost public + # send SNMPv2c traps +#trap2sink localhost public + # send SNMPv2c INFORMs +#informsink localhost public + +# Note that you typically only want *one* of these three lines +# Uncommenting two (or all three) will result in multiple copies of each notification. + + +# +# Event MIB - automatically generate alerts +# + # Remember to activate the 'createUser' lines above +iquerySecName internalUser +rouser internalUser + # generate traps on UCD error conditions +defaultMonitors yes + # generate traps on linkUp/Down +linkUpDownNotifications yes + + + +############################################################################### +# +# EXTENDING THE AGENT +# + +# +# Arbitrary extension commands +# + extend test1 /bin/echo Hello, world! + extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35 +#extend-sh test3 /bin/sh /tmp/shtest + +# Note that this last entry requires the script '/tmp/shtest' to be created first, +# containing the same three shell commands, before the line is uncommented + +# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table +# and nsExtendOutput2Table) to see the resulting output + +# Note that the "extend" directive supercedes the previous "exec" and "sh" directives +# However, walking the UCD-SNMP-MIB::extTable should still returns the same output, +# as well as the fuller results in the above tables. + + +# +# "Pass-through" MIB extension command +# +#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest +#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl + +# Note that this requires one of the two 'passtest' scripts to be installed first, +# before the appropriate line is uncommented. +# These scripts can be found in the 'local' directory of the source distribution, +# and are not installed automatically. + +# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output + + +# +# AgentX Sub-agents +# + # Run as an AgentX master agent + master agentx + # Listen for network connections (from localhost) + # rather than the default named socket /var/agentx/master +#agentXSocket tcp:localhost:705 diff --git a/roles/old/snmp-cs/handlers/main.yml b/roles/old/snmp-cs/handlers/main.yml new file mode 100644 index 0000000..9d9b583 --- /dev/null +++ b/roles/old/snmp-cs/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart snmpd + service: name=snmpd state=restarted diff --git a/roles/old/snmp-cs/tasks/main.yml b/roles/old/snmp-cs/tasks/main.yml new file mode 100644 index 0000000..63a1fbf --- /dev/null +++ b/roles/old/snmp-cs/tasks/main.yml @@ -0,0 +1,14 @@ +--- + +- name: Installation snmpd + apt: name=snmpd state=present + +- name: Installation snmp + apt: name=snmp state=present + +- name: Copie du fichier snmpd.conf + copy: src=snmpd.conf dest=/etc/snmp/ + notify: + - restart snmpd + + diff --git a/roles/old/user-yb/tasks/main.yml b/roles/old/user-yb/tasks/main.yml new file mode 100644 index 0000000..89118cf --- /dev/null +++ b/roles/old/user-yb/tasks/main.yml @@ -0,0 +1,47 @@ +--- + - name: Installation des paquets + apt: name={{item}} state=present force=yes + with_items: + - dmidecode + - hwdata + - ucf + - hdparm + - perl + - libuniversal-require-perl + - libwww-perl + - libparse-edid-perl + - libproc-daemon-perl + - libfile-which-perl + - libhttp-daemon-perl + - libxml-treepp-perl + - libyaml-perl + - libnet-cups-perl + - libnet-ip-perl + - libdigest-sha-perl + - libsocket-getaddrinfo-perl + - libtext-template-perl + + - name: Creation du repertoire fi + file: path=/root/fi state=directory owner=www-data group=www-data + + - name: Installation de fusioninventory + get_url: + url: http://debian.fusioninventory.org/downloads/fusioninventory-agent_2.5-3_all.deb + dest: /root/fi + remote_src: yes + owner: www-data + group: www-data + + - name: Installation du paquet .deb + apt: + deb: /root/fi/fusioninventory-agent_2.5-3_all.deb + + - name: Configuration du fichier agent.cfg + replace: + dest: /etc/fusioninventory/agent.cfg + regexp: '#server = http://server.domain.com/glpi/plugins/fusioninventory/' + replace: 'server = http://172.16.0.9/plugins/fusioninventory/' + backup: yes + + - debug: + msg: "Faire un systemectl restart fusioninventory-agent puis un reload" diff --git a/roles/old/vpn-stg-l/files/ipsec.conf b/roles/old/vpn-stg-l/files/ipsec.conf new file mode 100644 index 0000000..79f40ae --- /dev/null +++ b/roles/old/vpn-stg-l/files/ipsec.conf @@ -0,0 +1,23 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.52 + leftsubnet=172.16.128.0/24 + right=192.168.0.51 + rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + authby=secret + auto=start + keyexchange=ikev2 + type=tunnel +# diff --git a/roles/old/vpn-stg-l/files/ipsec.secrets b/roles/old/vpn-stg-l/files/ipsec.secrets new file mode 100644 index 0000000..65d30ce --- /dev/null +++ b/roles/old/vpn-stg-l/files/ipsec.secrets @@ -0,0 +1,8 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +include /var/lib/strongswan/ipsec.secrets.inc +192.168.0.52 192.168.0.51 : PSK 'root' \ No newline at end of file diff --git a/roles/old/vpn-stg-l/files/sysctl.conf b/roles/old/vpn-stg-l/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/vpn-stg-l/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn-stg-l/handlers/main.yml b/roles/old/vpn-stg-l/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/vpn-stg-l/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/vpn-stg-l/tasks/main.yml b/roles/old/vpn-stg-l/tasks/main.yml new file mode 100644 index 0000000..73c001a --- /dev/null +++ b/roles/old/vpn-stg-l/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté gauche pour le fichier de secret partagé + - name: install strongswan, fichier secret partagé + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/vpn-stg-r/files/ipsec.conf b/roles/old/vpn-stg-r/files/ipsec.conf new file mode 100644 index 0000000..85535f1 --- /dev/null +++ b/roles/old/vpn-stg-r/files/ipsec.conf @@ -0,0 +1,23 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.51 + leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + right=192.168.0.52 + rightsubnet=172.16.128.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + authby=secret + auto=start + keyexchange=ikev2 + type=tunnel +# diff --git a/roles/old/vpn-stg-r/files/ipsec.secrets b/roles/old/vpn-stg-r/files/ipsec.secrets new file mode 100644 index 0000000..9d46a82 --- /dev/null +++ b/roles/old/vpn-stg-r/files/ipsec.secrets @@ -0,0 +1,8 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +include /var/lib/strongswan/ipsec.secrets.inc +192.168.0.51 192.168.0.52 : PSK 'root' \ No newline at end of file diff --git a/roles/old/vpn-stg-r/files/sysctl.conf b/roles/old/vpn-stg-r/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/vpn-stg-r/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn-stg-r/handlers/main.yml b/roles/old/vpn-stg-r/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/vpn-stg-r/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/vpn-stg-r/tasks/main.yml b/roles/old/vpn-stg-r/tasks/main.yml new file mode 100644 index 0000000..5160f44 --- /dev/null +++ b/roles/old/vpn-stg-r/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté droit pour le fichier de secret partagé + - name: install strongswan, fichier secret partagé + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/vpn/files/sysctl.conf b/roles/old/vpn/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/vpn/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn/handlers/main.yml b/roles/old/vpn/handlers/main.yml new file mode 100644 index 0000000..75fe472 --- /dev/null +++ b/roles/old/vpn/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart racoon + service: name=racoon state=restarted + + - name: restart setkey + service: name=setkey state=restarted diff --git a/roles/old/vpn/tasks/main.yml b/roles/old/vpn/tasks/main.yml new file mode 100644 index 0000000..5288385 --- /dev/null +++ b/roles/old/vpn/tasks/main.yml @@ -0,0 +1,23 @@ +--- + - name: Installation Racoon + apt: name=racoon state=present update_cache=yes + + - name: install ipsec-tools + apt: name=ipsec-tools state=present update_cache=yes + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: generation racoon.conf + template: src=racoon.conf.j2 dest=/etc/racoon/racoon.conf + + - name: generation ipsec-tools.conf + template: src=ipsec-tools.conf.j2 dest=/etc/ipsec-tools.conf + notify: restart setkey + + - name: generation psk.txt + template: src=psk.txt.j2 dest=/etc/racoon/psk.txt + notify: restart racoon + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf diff --git a/roles/old/vpn/templates/ipsec-tools.conf.j2 b/roles/old/vpn/templates/ipsec-tools.conf.j2 new file mode 100755 index 0000000..d5205df --- /dev/null +++ b/roles/old/vpn/templates/ipsec-tools.conf.j2 @@ -0,0 +1,9 @@ +flush; +spdflush; + +spdadd {{ mynet }}/24 {{ remnet }}/24 any -P out ipsec + esp/tunnel/{{ ip1 }}-{{ remip }}/require; + +spdadd {{ remnet }}/24 {{ mynet }}/24 any -P in ipsec + esp/tunnel/{{ remip }}-{{ ip1 }}/require; + diff --git a/roles/old/vpn/templates/psk.txt.j2 b/roles/old/vpn/templates/psk.txt.j2 new file mode 100644 index 0000000..12e07d4 --- /dev/null +++ b/roles/old/vpn/templates/psk.txt.j2 @@ -0,0 +1,2 @@ +{{ remip }} secret + diff --git a/roles/old/vpn/templates/racoon.conf.j2 b/roles/old/vpn/templates/racoon.conf.j2 new file mode 100644 index 0000000..d5d52a7 --- /dev/null +++ b/roles/old/vpn/templates/racoon.conf.j2 @@ -0,0 +1,19 @@ +path pre_shared_key "/etc/racoon/psk.txt"; + +remote {{ remip }} { + exchange_mode main,aggressive; + proposal { + encryption_algorithm 3des; + hash_algorithm sha1; + authentication_method pre_shared_key; + dh_group 2; + } +} + +sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any { + pfs_group 2; + lifetime time 1 hour ; + encryption_algorithm 3des, blowfish 448, rijndael ; + authentication_algorithm hmac_sha1, hmac_md5 ; + compression_algorithm deflate ; +} diff --git a/roles/old/wordpress/handlers/main.yml b/roles/old/wordpress/handlers/main.yml new file mode 100644 index 0000000..b8b354d --- /dev/null +++ b/roles/old/wordpress/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted diff --git a/roles/old/wordpress/tasks/main.yml b/roles/old/wordpress/tasks/main.yml new file mode 100644 index 0000000..4c6f47a --- /dev/null +++ b/roles/old/wordpress/tasks/main.yml @@ -0,0 +1,40 @@ +--- +- name: Téléchargement de wordpress + get_url: + url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Extraction du fichier wordpress + unarchive: + src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Fix permissions owner + shell: chown -R www-data /var/www/html/wordpress + +- name: Fix permissions groups + shell: chgrp -R www-data /var/www/html/wordpress + +- name: Mettre à jour le site Apache par défaut + lineinfile: + dest: /etc/apache2/sites-enabled/000-default.conf + regexp: "(.)+DocumentRoot /var/www/html" + line: "DocumentRoot /var/www/html/wordpress" + +- name: restart apache2 + service: + name: apache2 + state: restarted + +- name: Mettre à jour le fichier de configuration WordPress + lineinfile: + dest: /var/www/html/wordpress/wp-config-sample.php + backup: yes + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"} + - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"} + - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"} + - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"} + diff --git a/roles/old/x509-l/files/ipsec.conf b/roles/old/x509-l/files/ipsec.conf new file mode 100644 index 0000000..5467d9d --- /dev/null +++ b/roles/old/x509-l/files/ipsec.conf @@ -0,0 +1,25 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.52 + leftsubnet=172.16.128.0/24 + right=192.168.0.51 + rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + #authby=secret + auto=start + keyexchange=ikev2 + type=tunnel + leftcert=r-vp2Cert.pem + leftid="C=CH, O=GSB, CN=r-vp2" + rightid="C=CH, O=GSB, CN=r-vp1" diff --git a/roles/old/x509-l/files/ipsec.secrets b/roles/old/x509-l/files/ipsec.secrets new file mode 100644 index 0000000..d5cfa53 --- /dev/null +++ b/roles/old/x509-l/files/ipsec.secrets @@ -0,0 +1,9 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +#include /var/lib/strongswan/ipsec.secrets.inc +#192.168.0.52 192.168.0.51 : PSK 'root' +: RSA r-vp2Key.pem \ No newline at end of file diff --git a/roles/old/x509-l/files/sysctl.conf b/roles/old/x509-l/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/x509-l/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/x509-l/handlers/main.yml b/roles/old/x509-l/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/x509-l/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/x509-l/tasks/main.yml b/roles/old/x509-l/tasks/main.yml new file mode 100644 index 0000000..b42d977 --- /dev/null +++ b/roles/old/x509-l/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté gauche pour la communication via certificat + - name: 1. install strongswan, com via certificat + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/x509-r/files/generate.sh b/roles/old/x509-r/files/generate.sh new file mode 100755 index 0000000..4adff04 --- /dev/null +++ b/roles/old/x509-r/files/generate.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +cd /etc/ipsec.d + +ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem + +ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=GSB, CN=Root CA" --outform pem > cacerts/strongswanCert.pem + +ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp1Key.pem + +chmod 600 private/r-vp1Key.pem + +ipsec pki --pub --in private/r-vp1Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp1" --san r-vp1 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp1Cert.pem + +ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp2Key.pem + +chmod 600 private/r-vp2Key.pem + +ipsec pki --pub --in private/r-vp2Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp2" --san r-vp2 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp2Cert.pem \ No newline at end of file diff --git a/roles/old/x509-r/files/ipsec.conf b/roles/old/x509-r/files/ipsec.conf new file mode 100644 index 0000000..0fc2758 --- /dev/null +++ b/roles/old/x509-r/files/ipsec.conf @@ -0,0 +1,25 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.51 + leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + right=192.168.0.52 + rightsubnet=172.16.128.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + #authby=secret + auto=start + keyexchange=ikev2 + type=tunnel + leftcert=r-vp1Cert.pem + leftid="C=CH, O=GSB, CN=r-vp1" + rightid="C=CH, O=GSB, CN=r-vp2" diff --git a/roles/old/x509-r/files/ipsec.secrets b/roles/old/x509-r/files/ipsec.secrets new file mode 100644 index 0000000..4965c70 --- /dev/null +++ b/roles/old/x509-r/files/ipsec.secrets @@ -0,0 +1,9 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +#include /var/lib/strongswan/ipsec.secrets.inc +#192.168.0.51 192.168.0.52 : PSK 'root' +: RSA r-vp1Key.pem \ No newline at end of file diff --git a/roles/old/x509-r/files/recupKey.sh b/roles/old/x509-r/files/recupKey.sh new file mode 100755 index 0000000..049a432 --- /dev/null +++ b/roles/old/x509-r/files/recupKey.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +REMH=192.168.0.52 + +cd /etc/ipsec.d + +scp cacerts/strongswanCert.pem root@$REMH:/etc/ipsec.d/cacerts + +scp certs/r-vp2Cert.pem root@$REMH:/etc/ipsec.d/certs + +scp certs/r-vp1Cert.pem root@$REMH:/etc/ipsec.d/certs + +scp private/r-vp2Key.pem root@$REMH:/etc/ipsec.d/private + +scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private + diff --git a/roles/old/x509-r/files/sysctl.conf b/roles/old/x509-r/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/x509-r/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/x509-r/handlers/main.yml b/roles/old/x509-r/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/x509-r/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/x509-r/tasks/main.yml b/roles/old/x509-r/tasks/main.yml new file mode 100644 index 0000000..edf5992 --- /dev/null +++ b/roles/old/x509-r/tasks/main.yml @@ -0,0 +1,36 @@ +--- +#Installation ipsec strongswan côté droit pour la communication via certificat + - name: install strongswan, com via certificat + apt: name=strongswan state=present + + - name: install strongswan-pki + apt: name=strongswan-pki state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Copie fichier generate.sh + copy: src=generate.sh dest=/root/ + + - name: Generation de la CA et des certificats + shell: /bin/bash /root/generate.sh >> generate-log.txt + + - name: Copie fichier recupKey.sh + copy: src=recupKey.sh dest=/root/ + + - name: Lancement recupKey.sh + shell: /bin/bash /root/recupKey.sh + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/php-fpm/handlers/main.yml b/roles/php-fpm/handlers/main.yml new file mode 100644 index 0000000..b45a971 --- /dev/null +++ b/roles/php-fpm/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart php7.0-fpm + service: name=php7.0-fpm state=restarted diff --git a/roles/php-fpm/tasks/main.yml b/roles/php-fpm/tasks/main.yml new file mode 100644 index 0000000..eb78510 --- /dev/null +++ b/roles/php-fpm/tasks/main.yml @@ -0,0 +1,9 @@ +--- + - name: Install php-fpm and deps + apt: name={{ item }} state=present + with_items: + - php + - php-fpm + - php-mysql + notify: + - restart php7.0-fpm diff --git a/roles/php-fpm/templates/main.yml b/roles/php-fpm/templates/main.yml new file mode 100644 index 0000000..23080b5 --- /dev/null +++ b/roles/php-fpm/templates/main.yml @@ -0,0 +1,15 @@ +[wordpress] +listen = /var/run/php-fpm/wordpress.sock +listen.owner = apache2 +listen.group = apache2 +listen.mode = 0660 +user = wordpress +group = wordpress +pm = dynamic +pm.max_children = 10 +pm.start_servers = 1 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +pm.max_requests = 500 +chdir = /srv/wordpress/ +php_admin_value[open_basedir] = /srv/wordpress/:/tmp diff --git a/roles/post/README.md b/roles/post/README.md new file mode 100644 index 0000000..c00ce24 --- /dev/null +++ b/roles/post/README.md @@ -0,0 +1,7 @@ +# Rôle Post + +Le rôle "post" copie la configuration des interfaces des cartes réseaux nécessaires selon la machine sur laquelle on exécute le rôle. Il place cette configuration dans /etc/network/interfaces. + +Ensuite, on copie le fichier "resolv.conf" dans /etc/ lorsque que la machine qui exécute le rôle n'est pas "s-adm", "s-proxy" ou "r-vp2". + +Cependant, si la machine qui exécute le rôle est "s-proxy", on copie le fichier "resolv.conf.s-proxy" dans /etc/resolv.conf \ No newline at end of file diff --git a/roles/post/files/interfaces.graylog-pont b/roles/post/files/interfaces.graylog-pont new file mode 100644 index 0000000..db5ebd9 --- /dev/null +++ b/roles/post/files/interfaces.graylog-pont @@ -0,0 +1,12 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# Accès par pont +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.0.50 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.r-ext b/roles/post/files/interfaces.r-ext new file mode 100644 index 0000000..f67ad75 --- /dev/null +++ b/roles/post/files/interfaces.r-ext @@ -0,0 +1,38 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.13 + netmask 255.255.255.0 + +# Réseau DMZ +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.100.254 + netmask 255.255.255.0 + +# carte en bridge +allow-hotplug enp0s9 +iface enp0s9 inet dhcp + up /root/nat.sh + +# Réseau VPN +allow-hotplug enp0s10 +iface enp0s10 inet static + address 192.168.1.1 + netmask 255.255.255.0 + up ip route add 172.16.128.0/24 via 192.168.1.2 + + +# Réseau liaison entre routeur +allow-hotplug enp0s16 +iface enp0s16 inet static + address 192.168.200.253 + netmask 255.255.255.0 + up ip route add 172.16.0.0/24 via 192.168.200.254 + up ip route add 172.16.64.0/24 via 192.168.200.254 diff --git a/roles/post/files/interfaces.r-int b/roles/post/files/interfaces.r-int new file mode 100644 index 0000000..8398171 --- /dev/null +++ b/roles/post/files/interfaces.r-int @@ -0,0 +1,44 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# Reseau N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.12 + netmask 255.255.255.0 + + +# Reseau liaison avec r-ext +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.200.254 + netmask 255.255.255.0 + gateway 192.168.200.253 + up ip route add default via 192.168.200.253 + + +# Reseau wifi +allow-hotplug enp0s9 +iface enp0s9 inet static + address 172.16.65.254 + netmask 255.255.255.0 + + +# Reseau user +allow-hotplug enp0s10 +iface enp0s10 inet static + address 172.16.64.254 + netmask 255.255.255.0 + + +# Reseau infra +allow-hotplug enp0s16 +iface enp0s16 inet static + address 172.16.0.254 + netmask 255.255.255.0 + up /root/routagenat + diff --git a/roles/post/files/interfaces.r-vp1 b/roles/post/files/interfaces.r-vp1 new file mode 100755 index 0000000..ddb2fd1 --- /dev/null +++ b/roles/post/files/interfaces.r-vp1 @@ -0,0 +1,31 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). +# The loopback network interface +#auto lo +#iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.112 + netmask 255.255.255.0 + +# réseaux interne n-linkv +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.1.2 + netmask 255.255.255.0 + +# accés par pont et entre vpn +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.51 + netmask 255.255.255.0 + up ip route add 192.168.200.0/24 via 192.168.1.1 + up ip route add 172.16.0.0/24 via 192.168.1.1 +# up ip route add 192.168.0.0/24 via 192.168.0.51 +# up ip route add 192.168.1.0/24 via 192.168.1.2 +# up route add -net 172.16.128.0/24 gw 192.168.0.52 +# up route add default gw 192.168.1.1 +# post-up /bin/bash /root/iptables-vpn +# post-up /etc/init.d/ipsec restart diff --git a/roles/post/files/interfaces.r-vp1-cs b/roles/post/files/interfaces.r-vp1-cs new file mode 100644 index 0000000..4a3abe3 --- /dev/null +++ b/roles/post/files/interfaces.r-vp1-cs @@ -0,0 +1,26 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +#auto lo +#iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +# reseau entre vpn +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.0.51 + netmask 255.255.255.0 + +# reseau interne n-linkv +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.1.2 + netmask 255.255.255.0 + up route add -net 172.16.128.0/24 gw 192.168.1.2 + up route add default gw 192.168.1.1 +# post-up /bin/bash /root/iptables-vpn + post-up /etc/init.d/ipsec restart \ No newline at end of file diff --git a/roles/post/files/interfaces.r-vp2 b/roles/post/files/interfaces.r-vp2 new file mode 100644 index 0000000..68bdfb8 --- /dev/null +++ b/roles/post/files/interfaces.r-vp2 @@ -0,0 +1,29 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). +# The loopback network interface +#auto lo +#iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# cote Agence +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.128.254 + netmask 255.255.255.0 + +# cote VPN +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.52 + netmask 255.255.255.0 +# post-up /usr/sbin/ip route add 192.168.1.0/24 via 172.16.128.254/24 +# post-up /usr/sbin/ip route add 172.16.0.0/24 via 172.16.128.254/24 + +# up route add -net 192.168.1.0/24 gw 192.168.0.52 +# post-up /bin/bash /root/iptables-vpn +# post-up /etc/init.d/ipsec restart diff --git a/roles/post/files/interfaces.r-vp2-cs b/roles/post/files/interfaces.r-vp2-cs new file mode 100644 index 0000000..d5f8539 --- /dev/null +++ b/roles/post/files/interfaces.r-vp2-cs @@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +#auto lo +#iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +# cote Agence +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.128.254 + netmask 255.255.255.0 + +# cote VPN +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.52 + netmask 255.255.255.0 + up route add -net 192.168.1.0/24 gw 172.16.128.254 +# post-up /bin/bash /root/iptables-vpn + post-up /etc/init.d/ipsec restart \ No newline at end of file diff --git a/roles/post/files/interfaces.s-adm b/roles/post/files/interfaces.s-adm new file mode 100644 index 0000000..6d8d72c --- /dev/null +++ b/roles/post/files/interfaces.s-adm @@ -0,0 +1,20 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote public +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + post-up iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE + post-up echo "1" > /proc/sys/net/ipv4/ip_forward + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.99 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-agence b/roles/post/files/interfaces.s-agence new file mode 100644 index 0000000..be903f4 --- /dev/null +++ b/roles/post/files/interfaces.s-agence @@ -0,0 +1,14 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-ag +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +allow-hotplug enp0s8 +iface enp0s8 inet dhcp + diff --git a/roles/post/files/interfaces.s-appli b/roles/post/files/interfaces.s-appli new file mode 100644 index 0000000..c52d5b0 --- /dev/null +++ b/roles/post/files/interfaces.s-appli @@ -0,0 +1,27 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.3 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.3 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + +#cote N-san +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.20.103 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-backup b/roles/post/files/interfaces.s-backup new file mode 100644 index 0000000..120ad6b --- /dev/null +++ b/roles/post/files/interfaces.s-backup @@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.4 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.4 + netmask 255.255.255.0 + +# cote N-San +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.20.4 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-bdd b/roles/post/files/interfaces.s-bdd new file mode 100644 index 0000000..a8cb4f6 --- /dev/null +++ b/roles/post/files/interfaces.s-bdd @@ -0,0 +1,21 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.154 + netmask 255.255.255.0 + + +# cote N-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.254 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-docker b/roles/post/files/interfaces.s-docker new file mode 100644 index 0000000..150189a --- /dev/null +++ b/roles/post/files/interfaces.s-docker @@ -0,0 +1,20 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.19 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.19 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-elk b/roles/post/files/interfaces.s-elk new file mode 100644 index 0000000..2dfa1cd --- /dev/null +++ b/roles/post/files/interfaces.s-elk @@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.10 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.10 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 diff --git a/roles/post/files/interfaces.s-fog b/roles/post/files/interfaces.s-fog new file mode 100644 index 0000000..1f51117 --- /dev/null +++ b/roles/post/files/interfaces.s-fog @@ -0,0 +1,26 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.16 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.16 + netmask 255.255.255.0 + +#cote N-user +allow-hotplug enp0s9 +iface enp0s9 inet static + address 172.16.64.16 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-gestsup b/roles/post/files/interfaces.s-gestsup new file mode 100644 index 0000000..9e128c7 --- /dev/null +++ b/roles/post/files/interfaces.s-gestsup @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.17 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.17 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-graylog b/roles/post/files/interfaces.s-graylog new file mode 100644 index 0000000..8ff1151 --- /dev/null +++ b/roles/post/files/interfaces.s-graylog @@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.20 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.20 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-infra b/roles/post/files/interfaces.s-infra new file mode 100644 index 0000000..6cbf9c1 --- /dev/null +++ b/roles/post/files/interfaces.s-infra @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.1 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.1 + netmask 255.255.255.0 + up ip route add 172.16.64.0/24 via 172.16.0.254 + up ip route add 172.16.128.0/24 via 172.16.0.254 + up ip route add 192.168.0.0/16 via 172.16.0.254 + diff --git a/roles/post/files/interfaces.s-itil b/roles/post/files/interfaces.s-itil new file mode 100644 index 0000000..55c474d --- /dev/null +++ b/roles/post/files/interfaces.s-itil @@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.9 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.9 + netmask 255.255.255.0 + up ip route add 172.16.64.0/24 via 172.16.0.254 diff --git a/roles/post/files/interfaces.s-itil-cs b/roles/post/files/interfaces.s-itil-cs new file mode 100644 index 0000000..e2b1200 --- /dev/null +++ b/roles/post/files/interfaces.s-itil-cs @@ -0,0 +1,24 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.9 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.9 + netmask 255.255.255.0 +# routage statique + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + +allow-hotplug enp0s9 +iface enp0s9 inet dhcp \ No newline at end of file diff --git a/roles/post/files/interfaces.s-lb b/roles/post/files/interfaces.s-lb new file mode 100644 index 0000000..d7bdea3 --- /dev/null +++ b/roles/post/files/interfaces.s-lb @@ -0,0 +1,27 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.100 + netmask 255.255.255.0 + +# cote N-dmz +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.100.10 + netmask 255.255.255.0 + gateway 192.168.100.254 + up ip route add 192.168.200.0/24 via 192.168.100.254 + up ip route add 172.16.0.0/24 via 192.168.100.254 + +# cote N-dmz-lb +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.101.100 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-lb-bd b/roles/post/files/interfaces.s-lb-bd new file mode 100644 index 0000000..1ddd2b6 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-bd @@ -0,0 +1,21 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.154 + netmask 255.255.255.0 + + +# cote N-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.254 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-web1 b/roles/post/files/interfaces.s-lb-web1 new file mode 100644 index 0000000..fc76724 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web1 @@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.101 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.s-lb-web2 b/roles/post/files/interfaces.s-lb-web2 new file mode 100644 index 0000000..53defed --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web2 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-web3 b/roles/post/files/interfaces.s-lb-web3 new file mode 100644 index 0000000..656d503 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web3 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.103 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-wordpress b/roles/post/files/interfaces.s-lb-wordpress new file mode 100644 index 0000000..6c41c2a --- /dev/null +++ b/roles/post/files/interfaces.s-lb-wordpress @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.11 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-lb-wordpress2 b/roles/post/files/interfaces.s-lb-wordpress2 new file mode 100644 index 0000000..8667576 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-wordpress2 @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.12 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-lb-wordpress3 b/roles/post/files/interfaces.s-lb-wordpress3 new file mode 100644 index 0000000..1947d94 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-wordpress3 @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.13 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-mess b/roles/post/files/interfaces.s-mess new file mode 100644 index 0000000..9eff04c --- /dev/null +++ b/roles/post/files/interfaces.s-mess @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.7 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.7 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-mon b/roles/post/files/interfaces.s-mon new file mode 100644 index 0000000..09035d9 --- /dev/null +++ b/roles/post/files/interfaces.s-mon @@ -0,0 +1,23 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.104/24 + gateway 192.168.99.99 + +# Cote n-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8/24 + up ip route add 172.16.64.0/24 via 172.16.0.254 + up ip route add 172.16.128.0/24 via 172.16.0.254 + up ip route add 192.168.0.0/16 via 172.16.0.254 + up ip route add 192.168.200.0/24 via 172.16.0.254 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-mon-gm b/roles/post/files/interfaces.s-mon-gm new file mode 100644 index 0000000..a0a172b --- /dev/null +++ b/roles/post/files/interfaces.s-mon-gm @@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon-kb b/roles/post/files/interfaces.s-mon-kb new file mode 100644 index 0000000..a0a172b --- /dev/null +++ b/roles/post/files/interfaces.s-mon-kb @@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon-yb b/roles/post/files/interfaces.s-mon-yb new file mode 100644 index 0000000..8e67e37 --- /dev/null +++ b/roles/post/files/interfaces.s-mon-yb @@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +#and how to activate them. For more information, see interfaces(5). + +#The loopback network interface +auto lo +iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +#cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon2 b/roles/post/files/interfaces.s-mon2 new file mode 100644 index 0000000..ef79346 --- /dev/null +++ b/roles/post/files/interfaces.s-mon2 @@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + gateway 172.16.0.254 + diff --git a/roles/post/files/interfaces.s-mon3 b/roles/post/files/interfaces.s-mon3 new file mode 100644 index 0000000..4ab3b9b --- /dev/null +++ b/roles/post/files/interfaces.s-mon3 @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add default gw 172.16.0.254 + up route add default gw 192.168.99.99 + +# bridge +iface enp0s9 inet dhcp \ No newline at end of file diff --git a/roles/post/files/interfaces.s-nas b/roles/post/files/interfaces.s-nas new file mode 100644 index 0000000..94c3eaf --- /dev/null +++ b/roles/post/files/interfaces.s-nas @@ -0,0 +1,17 @@ +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.153 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.253 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-nxc b/roles/post/files/interfaces.s-nxc new file mode 100644 index 0000000..9eff04c --- /dev/null +++ b/roles/post/files/interfaces.s-nxc @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.7 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.7 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-proxy b/roles/post/files/interfaces.s-proxy new file mode 100644 index 0000000..850da12 --- /dev/null +++ b/roles/post/files/interfaces.s-proxy @@ -0,0 +1,22 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.2 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.2 + netmask 255.255.255.0 + gateway 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-san b/roles/post/files/interfaces.s-san new file mode 100644 index 0000000..ff01320 --- /dev/null +++ b/roles/post/files/interfaces.s-san @@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.15 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote S-appli +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.20.103 + netmask 255.255.255.0 + +# cote s-Backup +#allow-hotplug enp0s9 +#iface enp0s9 inet static +# address 192.168.20.104 +# netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-sspec b/roles/post/files/interfaces.s-sspec new file mode 100644 index 0000000..03d8686 --- /dev/null +++ b/roles/post/files/interfaces.s-sspec @@ -0,0 +1,22 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.10 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.10 + netmask 255.255.255.0 + gateway 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-test b/roles/post/files/interfaces.s-test new file mode 100644 index 0000000..d1005fd --- /dev/null +++ b/roles/post/files/interfaces.s-test @@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.18 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote n-dmz +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.100.150 + netmask 255.255.255.0 + gateway 192.168.100.254 diff --git a/roles/post/files/interfaces.s-web b/roles/post/files/interfaces.s-web new file mode 100644 index 0000000..9c82c9a --- /dev/null +++ b/roles/post/files/interfaces.s-web @@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + + + +# cote N-dmz +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.100.11 + netmask 255.255.255.0 + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.14 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-web1 b/roles/post/files/interfaces.s-web1 new file mode 100644 index 0000000..fc76724 --- /dev/null +++ b/roles/post/files/interfaces.s-web1 @@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.101 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.s-web2 b/roles/post/files/interfaces.s-web2 new file mode 100644 index 0000000..53defed --- /dev/null +++ b/roles/post/files/interfaces.s-web2 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-web3 b/roles/post/files/interfaces.s-web3 new file mode 100644 index 0000000..fb242ac --- /dev/null +++ b/roles/post/files/interfaces.s-web3 @@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.103 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.user-yb b/roles/post/files/interfaces.user-yb new file mode 100644 index 0000000..c52ea13 --- /dev/null +++ b/roles/post/files/interfaces.user-yb @@ -0,0 +1,23 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-dmz +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.100.20/24 + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.20 + netmask 255.255.255.0 + +# cote N-infra +allow-hotplug enp0s9 +iface enp0s9 inet static + address 172.16.0.20 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/resolv.conf b/roles/post/files/resolv.conf new file mode 100644 index 0000000..ae3fdec --- /dev/null +++ b/roles/post/files/resolv.conf @@ -0,0 +1,4 @@ +search gsb.lan +domain gsb.lan +nameserver 172.16.0.1 + diff --git a/roles/post/files/resolv.conf.s-proxy b/roles/post/files/resolv.conf.s-proxy new file mode 100644 index 0000000..ae3fdec --- /dev/null +++ b/roles/post/files/resolv.conf.s-proxy @@ -0,0 +1,4 @@ +search gsb.lan +domain gsb.lan +nameserver 172.16.0.1 + diff --git a/roles/post/tasks/main.yml b/roles/post/tasks/main.yml new file mode 100644 index 0000000..ea88111 --- /dev/null +++ b/roles/post/tasks/main.yml @@ -0,0 +1,24 @@ +--- + + +- name: Copie interfaces + copy: src=interfaces.{{ ansible_hostname }} dest=/etc/network/interfaces + +- name: Copie resolv.conf + copy: src=resolv.conf dest=/etc/ + when: ansible_hostname != "s-adm" and ansible_hostname != "s-proxy" + +- name: pas de chgt resolv.conf pour r-vp2 + meta: end_play + when: ansible_hostname == "r-vp2" + +- name: Copie resolv.conf pour s-proxy + copy: src=resolv.conf.s-proxy dest=/etc/resolv.conf + when: ansible_hostname == "s-proxy" + +#- name: Confirm +# prompt: " pour redemarrer ..." + +#- name: Reboot +# shell: reboot + diff --git a/roles/postfix-gestsup/README.md b/roles/postfix-gestsup/README.md new file mode 100644 index 0000000..5c684e2 --- /dev/null +++ b/roles/postfix-gestsup/README.md @@ -0,0 +1,12 @@ +# PostFix + +On va désormais s'occuper de l'installation de PostFix qui permettra l'envoi de notifications lors de problèmes sur certains services des machines. + +On installe postfix et mailutils, on indique dans les différents fichiers de conf le mot de passe de l'adresse mail et l'adresse mail a qui envoyer les notifications. + +**ATTENTION: Il faut activer les applications moins sécurisées sur le compte gmail** + +Compte gmail pour les notifications: id: nagios.gsb22@gmail.com + mdp: Azerty1+ + +Suivre ce tuto: [Lien](https://vulgumtechus.com/Autoriser_les_applications_moins_s%C3%A9curis%C3%A9es_%C3%A0_acc%C3%A9der_%C3%A0_Gmail) \ No newline at end of file diff --git a/roles/postfix-gestsup/files/sasl_passwd b/roles/postfix-gestsup/files/sasl_passwd new file mode 100644 index 0000000..d0a5950 --- /dev/null +++ b/roles/postfix-gestsup/files/sasl_passwd @@ -0,0 +1,2 @@ +[smtp.gmail.com]:587 gsb.gestsup@gmail.com:GadminAzerty1++ +chmod 600 /etc/postfix/sasl/sasl_passwd diff --git a/roles/postfix-gestsup/handlers/main.yml b/roles/postfix-gestsup/handlers/main.yml new file mode 100644 index 0000000..f6ce8cc --- /dev/null +++ b/roles/postfix-gestsup/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart postfix + service: + name: postfix + state: restarted + enabled: yes \ No newline at end of file diff --git a/roles/postfix-gestsup/tasks/main.yml b/roles/postfix-gestsup/tasks/main.yml new file mode 100644 index 0000000..e1c6fe8 --- /dev/null +++ b/roles/postfix-gestsup/tasks/main.yml @@ -0,0 +1,28 @@ +- name: Installation de postfix et de mailutils + tags: install postfix + apt: + name: + - postfix + - mailutils + state: latest + +- name: Copie du fichier sasl_passwd + tags: sasl_passwd + copy: + src: sasl_passwd + dest: /etc/postfix/sasl/ + +- name: Copie du fichier main.cf + tags: main.cf + template: + src: main.cf.j2 + dest: /etc/postfix.main.cf + +- name: Commande postmap + tags: postmap + command: postmap /etc/postfix/sasl/sasl_passwd + notify: restart postfix + +- name: message d'information pour gmail + tags: msg2 + debug: msg="Il faut activer les applications moins sécurisées sur le compte google" \ No newline at end of file diff --git a/roles/postfix-gestsup/templates/main.cf.j2 b/roles/postfix-gestsup/templates/main.cf.j2 new file mode 100644 index 0000000..a47b0cb --- /dev/null +++ b/roles/postfix-gestsup/templates/main.cf.j2 @@ -0,0 +1,10 @@ +#On active l'authentification SASL +smtp_sasl_auth_enable=yes +#Les méthodes pour l'authenfication anonyme +smtp_sasl_security_options=noanonymous +#Le chemin de sasl_passwd +smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd +#On active le cryptage STARTTLS +smtp_tls_security_level=encrypt +#Chemin des certificats CA +smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt diff --git a/roles/postfix-nd/files/main.cf b/roles/postfix-nd/files/main.cf new file mode 100644 index 0000000..22d044b --- /dev/null +++ b/roles/postfix-nd/files/main.cf @@ -0,0 +1,49 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +mydomain = gsb.lan +myhostname = s-mon.gsb.lan +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = wheezy, localhost.localdomain, localhost +relayhost = [smtp.gmail.com]:587 +mynetworks = 172.16.0.0/24 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = loopback-only +default_transport = smtp +relay_transport = smtp + +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = noanonymous +smtp_tls_CAfile = /etc/postfix/cacert.pem +smtp_use_tls = yes + diff --git a/roles/postfix-nd/files/sasl_passwd b/roles/postfix-nd/files/sasl_passwd new file mode 100644 index 0000000..97c93d0 --- /dev/null +++ b/roles/postfix-nd/files/sasl_passwd @@ -0,0 +1 @@ +[smtp.gmail.com]:587 dahmouninabil21@gmail.com:POISSON21 \ No newline at end of file diff --git a/roles/postfix-nd/files/thawte_Premium_Server_CA.pem b/roles/postfix-nd/files/thawte_Premium_Server_CA.pem new file mode 100644 index 0000000..29cf7e1 --- /dev/null +++ b/roles/postfix-nd/files/thawte_Premium_Server_CA.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhkiG9w0BAQUFADCB +zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ +Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE +CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh +d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl +cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIxMDEwMTIzNTk1OVow +gc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcT +CUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNV +BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRo +YXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1z +ZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2 +aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560 +ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j ++ao6hnO2RlNYyIkFvYMRuHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBlkKyID1bZ5jA01CbH0FDxkt5r1DmI +CSLGpmODA/eZd9iy5Ri4XWPz1HP7bJyZePFLeH0ZJMMrAoT4vCLZiiLXoPxx7JGH +IPG47LHlVYCsPVLIOQ7C8MAFT9aCdYy9X9LcdpoFEsmvcsPcJX6kTY4XpeCHf+Ga +WuFg3GQjPEIuTQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/roles/postfix-nd/handlers/main.yml b/roles/postfix-nd/handlers/main.yml new file mode 100644 index 0000000..6f511d5 --- /dev/null +++ b/roles/postfix-nd/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart postfix + service: name=postfix state=restarted diff --git a/roles/postfix-nd/tasks/main.yml b/roles/postfix-nd/tasks/main.yml new file mode 100644 index 0000000..c79ca11 --- /dev/null +++ b/roles/postfix-nd/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: Installation Postfix + apt: name=postfix state=present + +- name: Installation mailutils + apt: name=mailutils state=present + +- name: Installation libsasl2-2 + apt: name=libsasl2-2 state=present + +- name: Installation ca-certificates + apt: name=ca-certificates state=present + +- name: Installation libsasl2-modules + apt: name=libsasl2-modules state=present + +- name: Copie main.cf + copy: remote_src=true src=main.cf dest=/etc/postfix/ + +- name: Copie sasl_passwd + copy: remote_src=true src=sasl_passwd dest=/etc/postfix + +- name: attribution des droits sasl_passwd + shell: chmod 400 /etc/postfix/sasl_passwd + +- name: postmap + shell: postmap /etc/postfix/sasl_passwd + +- name: Copie thawte_Premium_Server_CA.pem + copy: remote_src=true src=thawte_Premium_Server_CA.pem dest=/etc/ssl/certs/ + +- name: Certificats + shell: cat /etc/ssl/certs/thawte_Premium_Server_CA.pem |tee -a /etc/postfix/cacert.pem + notify: + - restart postfix + diff --git a/roles/postfix/README.md b/roles/postfix/README.md new file mode 100644 index 0000000..5c684e2 --- /dev/null +++ b/roles/postfix/README.md @@ -0,0 +1,12 @@ +# PostFix + +On va désormais s'occuper de l'installation de PostFix qui permettra l'envoi de notifications lors de problèmes sur certains services des machines. + +On installe postfix et mailutils, on indique dans les différents fichiers de conf le mot de passe de l'adresse mail et l'adresse mail a qui envoyer les notifications. + +**ATTENTION: Il faut activer les applications moins sécurisées sur le compte gmail** + +Compte gmail pour les notifications: id: nagios.gsb22@gmail.com + mdp: Azerty1+ + +Suivre ce tuto: [Lien](https://vulgumtechus.com/Autoriser_les_applications_moins_s%C3%A9curis%C3%A9es_%C3%A0_acc%C3%A9der_%C3%A0_Gmail) \ No newline at end of file diff --git a/roles/postfix/files/sasl_passwd b/roles/postfix/files/sasl_passwd new file mode 100644 index 0000000..861c6a3 --- /dev/null +++ b/roles/postfix/files/sasl_passwd @@ -0,0 +1,2 @@ +[smtp.gmail.com]:587 nagios.gsb22@gmail.com:Azerty1+ +chmod 600 /etc/postfix/sasl_passwd diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..f6ce8cc --- /dev/null +++ b/roles/postfix/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart postfix + service: + name: postfix + state: restarted + enabled: yes \ No newline at end of file diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml new file mode 100644 index 0000000..e1c6fe8 --- /dev/null +++ b/roles/postfix/tasks/main.yml @@ -0,0 +1,28 @@ +- name: Installation de postfix et de mailutils + tags: install postfix + apt: + name: + - postfix + - mailutils + state: latest + +- name: Copie du fichier sasl_passwd + tags: sasl_passwd + copy: + src: sasl_passwd + dest: /etc/postfix/sasl/ + +- name: Copie du fichier main.cf + tags: main.cf + template: + src: main.cf.j2 + dest: /etc/postfix.main.cf + +- name: Commande postmap + tags: postmap + command: postmap /etc/postfix/sasl/sasl_passwd + notify: restart postfix + +- name: message d'information pour gmail + tags: msg2 + debug: msg="Il faut activer les applications moins sécurisées sur le compte google" \ No newline at end of file diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 new file mode 100644 index 0000000..a47b0cb --- /dev/null +++ b/roles/postfix/templates/main.cf.j2 @@ -0,0 +1,10 @@ +#On active l'authentification SASL +smtp_sasl_auth_enable=yes +#Les méthodes pour l'authenfication anonyme +smtp_sasl_security_options=noanonymous +#Le chemin de sasl_passwd +smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd +#On active le cryptage STARTTLS +smtp_tls_security_level=encrypt +#Chemin des certificats CA +smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt diff --git a/roles/r-ext/files/ferm.conf b/roles/r-ext/files/ferm.conf new file mode 100644 index 0000000..52fe584 --- /dev/null +++ b/roles/r-ext/files/ferm.conf @@ -0,0 +1,113 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_DMZ = enp0s8; +@def $DEV_WORLD = enp0s9; +@def $DEV_VPN = enp0s10; +@def $DEV_LINK = enp0s16; + +@def $NET_ADM = 192.168.99.0/24; +@def $NET_DMZ = 192.168.100.0/24; +@def $NET_WORLD = 192.168.0.0/24; +@def $NET_LINKV = 192.168.1.0/30; +@def $NET_LINK = 192.168.200.0/24; + +# mon ip static +#@def $HOST_STATIC = +@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |'; +#@def $HOST_PASSERELLEDMZ = 172.16.0.1; + +@def &FORWARD_TCP($proto, $port, $dest) = { + table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT; + table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest; +} +#@def &FORWARD($proto, $port, $dest) = { +# table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT; +# table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest; +#} + +#&FORWARD(tcp, 3306, 10.0.0.2); +#&FORWARD_TCP(tcp, http, 192.168.100.254); +#&FORWARD_TCP(tcp, smtp, 192.168.1.3); + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # respond to ping + proto icmp ACCEPT; + + # allow IPsec + interface ($DEV_LINK) { + proto udp dport 500 ACCEPT; + proto (esp ah) ACCEPT; + } + # allow SSH connections + interface ($DEV_ADM) { + proto tcp dport ssh ACCEPT; + } + # we provide DNS for the internal net + interface ($DEV_WORLD $DEV_DMZ) { + proto (udp tcp) dport domain ACCEPT; + proto (tcp) dport http ACCEPT; + } + + } + chain OUTPUT { + policy ACCEPT; + + # connection tracking + #mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } + chain FORWARD { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # the DMZ may only access the internet + interface ($DEV_DMZ $DEV_LINK) { + outerface $DEV_WORLD ACCEPT; + # report failure gracefully + REJECT reject-with icmp-net-prohibited; + } + + interface ($DEV_WORLD) { + proto tcp dport http outerface $DEV_DMZ ACCEPT; + # report failure gracefully + REJECT reject-with icmp-net-prohibited; + } + } +} + +table nat { + chain POSTROUTING { + # masquerade private IP addresses + saddr ($NET_LINK) outerface $DEV_WORLD SNAT to $HOST_STATIC; + } +} + + + +# IPv6: +#domain ip6 { +# table filter { +# chain INPUT { +# policy ACCEPT; +# # ... +# } +# # ... +# } +#} diff --git a/roles/r-ext/files/ipFerm.sh b/roles/r-ext/files/ipFerm.sh new file mode 100755 index 0000000..ce4ce5d --- /dev/null +++ b/roles/r-ext/files/ipFerm.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ip a show dev enp0s9|grep "inet "|cut -d/ -f1 | cut -dt -f2 diff --git a/roles/r-ext/files/mkferm b/roles/r-ext/files/mkferm new file mode 100755 index 0000000..6a69749 --- /dev/null +++ b/roles/r-ext/files/mkferm @@ -0,0 +1,7 @@ +#!/bin/bash +#IPADD=$(root/ipFerm.sh| tr -d '\n') +#MSG="@def $HOST_STATIC = $ +echo -n -E "@def \$HOST_STATIC =" +/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh |tr -d '\n' +echo ";" + diff --git a/roles/r-ext/files/nat.sh b/roles/r-ext/files/nat.sh new file mode 100755 index 0000000..5a065ca --- /dev/null +++ b/roles/r-ext/files/nat.sh @@ -0,0 +1,4 @@ +#!/bin/bash +echo "1" > /proc/sys/net/ipv4/ip_forward +iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE +iptables -t nat -A POSTROUTING -o enp0s9 -j MASQUERADE \ No newline at end of file diff --git a/roles/r-ext/files/routagenat b/roles/r-ext/files/routagenat new file mode 100755 index 0000000..c58086c --- /dev/null +++ b/roles/r-ext/files/routagenat @@ -0,0 +1,3 @@ +#!/usr/bin/perl + +qx(route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.200.253); diff --git a/roles/r-ext/files/sysctl.conf b/roles/r-ext/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/r-ext/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/r-ext/tasks/main.yml b/roles/r-ext/tasks/main.yml new file mode 100644 index 0000000..6988cd7 --- /dev/null +++ b/roles/r-ext/tasks/main.yml @@ -0,0 +1,24 @@ +--- + +- name: Copie du fichier sysctl.conf + copy: + src: sysctl.conf + dest: /etc/ + +- name: copier le script de routage + copy: + src: nat.sh + dest: /root/ + mode: '0755' + +- name: installer ferm + apt: + name: ferm + state: present + update_cache: yes + +- name: copier le fichier ferm.conf + copy: + src: ferm.conf + dest: /etc/ferm/ + diff --git a/roles/r-int/files/routagenat b/roles/r-int/files/routagenat new file mode 100755 index 0000000..e1d2295 --- /dev/null +++ b/roles/r-int/files/routagenat @@ -0,0 +1,3 @@ +#!/bin/bash + +ip route add default via 192.168.200.253 diff --git a/roles/r-int/files/sysctl.conf b/roles/r-int/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/r-int/files/sysctl.conf @@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/r-int/tasks/main.yml b/roles/r-int/tasks/main.yml new file mode 100644 index 0000000..01356a7 --- /dev/null +++ b/roles/r-int/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- name: Copie du fichier sysctl.conf + copy: src=sysctl.conf dest=/etc/ + +- name: copier le script de routage + copy: src=routagenat dest=/root/ + +- name: rendre executabe le script + shell: chmod +x /root/routagenat + + #- name: exectuer le script + # script: /root/routagenat + + #- name: copier fog server + #get_url: url="http://depl/gsbstore/fog_1.4.4.tar.gz" dest=/tmp/fog.tar.gz + + #- name: extraction fog.tar.gz + #unarchive: src=/tmp/fog.tar.gz dest=/var/www/ copy=no diff --git a/roles/s-lb-ab/README.md b/roles/s-lb-ab/README.md new file mode 100644 index 0000000..4b6a48a --- /dev/null +++ b/roles/s-lb-ab/README.md @@ -0,0 +1,4 @@ +##Installation du load-balancer + +Ce rôle sert à installer HAproxy et de mettre un fichier de configuration avec les serveur web à répartir. +Ce rôle est utilisé par s-lb diff --git a/roles/s-lb-ab/files/actu.sh b/roles/s-lb-ab/files/actu.sh new file mode 100755 index 0000000..c9b86ed --- /dev/null +++ b/roles/s-lb-ab/files/actu.sh @@ -0,0 +1,5 @@ +#!/bin/bash +while true +do +curl 192.168.100.10 +done diff --git a/roles/s-lb-ab/files/haproxy.cfg b/roles/s-lb-ab/files/haproxy.cfg new file mode 100644 index 0000000..3716966 --- /dev/null +++ b/roles/s-lb-ab/files/haproxy.cfg @@ -0,0 +1,55 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend proxypublic + bind 192.168.100.10:80 + default_backend fermeweb + +backend fermeweb + balance roundrobin + option httpclose + #option httpchk HEAD / HTTP/1.0 + server s-lb-web1 192.168.101.1:80 check + server s-lb-web2 192.168.101.2:80 check + server s-lb-web3 192.168.101.3:80 check + +listen stats + bind *:8080 + stats enable + stats uri /haproxy + stats auth admin:admin + + diff --git a/roles/s-lb-ab/handlers/main.yml b/roles/s-lb-ab/handlers/main.yml new file mode 100644 index 0000000..27f130b --- /dev/null +++ b/roles/s-lb-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart haproxy + service: name=haproxy state=restarted diff --git a/roles/s-lb-ab/tasks/main.yml b/roles/s-lb-ab/tasks/main.yml new file mode 100644 index 0000000..83e62ee --- /dev/null +++ b/roles/s-lb-ab/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: Installation d'HAproxy + apt: + name: + - haproxy + state: present + +- name: Copie du fichier de configuration + copy: + src: haproxy.cfg + dest: /etc/haproxy/haproxy.cfg + notify: + - restart haproxy + +- name: + file: + path: /root/script + state: directory + +- name: Copie du fichier actu.sh + copy: + src: actu.sh + dest: /root/script/ + +- name: On rend exécutable le script actu.sh + file: + path: /root/script/actu.sh + mode: 0777 + diff --git a/roles/s-lb-bd-ab/README.txt b/roles/s-lb-bd-ab/README.txt new file mode 100644 index 0000000..1159174 --- /dev/null +++ b/roles/s-lb-bd-ab/README.txt @@ -0,0 +1,11 @@ +Apres avoir lancer le bash pull config: + +Creer un utilisateur autre que root dans la base de donnee +CREATE USER 'admin'@'localhost'IDENTIFIED BY 'Azerty1+'; +GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost'; + +Puis executer le script dans files/installmysql.sh qui bloquera les connexions root en localhost et distantes + +Enfin se connecter en tant que admin et creer un autre compte pour les utilisateurs +CREATE USER 'user'@'192.168.102.%'IDENTIFIED BY 'password'; +Le % permet d'autoriser la connexion de tous les postes du reseau 192.168.102.0/24 diff --git a/roles/s-lb-bd-ab/files/.my.cnf b/roles/s-lb-bd-ab/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/s-lb-bd-ab/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/s-lb-bd-ab/files/installmysql.sh b/roles/s-lb-bd-ab/files/installmysql.sh new file mode 100755 index 0000000..26d01b4 --- /dev/null +++ b/roles/s-lb-bd-ab/files/installmysql.sh @@ -0,0 +1,16 @@ +# Download and Install the Latest Updates for the OS +apt-get update && apt-get upgrade -y + +# Install MySQL Server in a Non-Interactive mode. Default root password will be "root" +echo "mysql-server mysql-server/root_password password root" | debconf-set-selections +echo "mysql-server mysql-server/root_password_again password root" | debconf-set-selections +apt-get -y install mysql-server + + +# Run the MySQL Secure Installation wizard +mysql_secure_installation + +sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /etc/mysql/my.cnf +mysql -uroot -p -e 'USE mysql; UPDATE `user` SET `Host`="%" WHERE `User`="root" AND `Host`="localhost"; DELETE FROM `user` WHERE `Host` != "%" AND `User`="root"; FLUSH PRIVILEGES;' + +service mysql restart diff --git a/roles/s-lb-bd-ab/files/my.cnf b/roles/s-lb-bd-ab/files/my.cnf new file mode 100644 index 0000000..1308652 --- /dev/null +++ b/roles/s-lb-bd-ab/files/my.cnf @@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/s-lb-bd-ab/handlers/main.yml b/roles/s-lb-bd-ab/handlers/main.yml new file mode 100644 index 0000000..caa5308 --- /dev/null +++ b/roles/s-lb-bd-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart mysql-server + service: name=mysql-server state=restarted diff --git a/roles/s-lb-bd/files/.my.cnf b/roles/s-lb-bd/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/s-lb-bd/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/s-lb-bd/files/installmysql.sh b/roles/s-lb-bd/files/installmysql.sh new file mode 100755 index 0000000..9ee2508 --- /dev/null +++ b/roles/s-lb-bd/files/installmysql.sh @@ -0,0 +1,16 @@ +# Download and Install the Latest Updates for the OS +apt-get update && apt-get upgrade -y + +# Install MySQL Server in a Non-Interactive mode. Default root password will be "root" +echo "mysql-server mysql-server/root_password password root" | debconf-set-selections +echo "mysql-server mysql-server/root_password_again password root" | debconf-set-selections +apt-get -y install mysql-server + + +# Run the MySQL Secure Installation wizard +mysql_secure_installation + +sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /etc/mysql/my.cnf +mysql -uroot -p -e 'USE mysql; UPDATE `user` SET `Host`="%" WHERE `User`="root" AND `Host`="localhost"; DELETE FROM `user` WHERE `Host` != "%" AND `User`="root"; FLUSH PRIVILEGES;' + +service mysql restart \ No newline at end of file diff --git a/roles/s-lb-bd/files/my.cnf b/roles/s-lb-bd/files/my.cnf new file mode 100644 index 0000000..1308652 --- /dev/null +++ b/roles/s-lb-bd/files/my.cnf @@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/s-lb-bd/handlers/main.yml b/roles/s-lb-bd/handlers/main.yml new file mode 100644 index 0000000..caa5308 --- /dev/null +++ b/roles/s-lb-bd/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart mysql-server + service: name=mysql-server state=restarted diff --git a/roles/s-lb-bd/tasks/main.yml b/roles/s-lb-bd/tasks/main.yml new file mode 100644 index 0000000..9f65e0e --- /dev/null +++ b/roles/s-lb-bd/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Install paquets + apt: name=mysql-server state=present force=yes + diff --git a/roles/s-lb-web-ab/files/.my.cnf b/roles/s-lb-web-ab/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/s-lb-web-ab/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/s-lb-web-ab/files/compter.bash b/roles/s-lb-web-ab/files/compter.bash new file mode 100644 index 0000000..9d257fa --- /dev/null +++ b/roles/s-lb-web-ab/files/compter.bash @@ -0,0 +1,4 @@ +#!/bin/bash + +echo "" > /var/log/apache2/access.log +watch -n 0 wc -l /var/log/apache2/access.log diff --git a/roles/s-lb-web-ab/handlers/main.yml b/roles/s-lb-web-ab/handlers/main.yml new file mode 100644 index 0000000..e5c9101 --- /dev/null +++ b/roles/s-lb-web-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted \ No newline at end of file diff --git a/roles/s-lb-web-ab/tasks/main.yml b/roles/s-lb-web-ab/tasks/main.yml new file mode 100644 index 0000000..ba7a926 --- /dev/null +++ b/roles/s-lb-web-ab/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: Install apache2 php php5-mysql et autres modules php + apt: + name: + - apache2 + - php + - php-mysql + - php-gd + - php-zip + - php-mbstring + - php-curl + - php-imagick + - php-xml + state: present + +- name: copie exports pour partage nfs wordpress + copy: src=compter.bash dest=/root + +- name: Changement de permission pour compter.bash + shell: chmod a+x /root/compter.bash + +#- name: Envoi d'index dans /var/www/ +# copy: src=index.html dest=/var/www/ + +#- name: Install glusterfs client +# apt: pkg=glusterfs-client state=present update_cache=yes diff --git a/roles/s-lb-web/README.md b/roles/s-lb-web/README.md new file mode 100644 index 0000000..07d485c --- /dev/null +++ b/roles/s-lb-web/README.md @@ -0,0 +1,3 @@ +##Installation des serveurs web + +Ce rôle sert à installer les paquets nécessaire pour WordPress sur les serveurs webs. diff --git a/roles/s-lb-web/files/.my.cnf b/roles/s-lb-web/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/s-lb-web/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/s-lb-web/files/compter.bash b/roles/s-lb-web/files/compter.bash new file mode 100644 index 0000000..9d257fa --- /dev/null +++ b/roles/s-lb-web/files/compter.bash @@ -0,0 +1,4 @@ +#!/bin/bash + +echo "" > /var/log/apache2/access.log +watch -n 0 wc -l /var/log/apache2/access.log diff --git a/roles/s-lb-web/handlers/main.yml b/roles/s-lb-web/handlers/main.yml new file mode 100644 index 0000000..e5c9101 --- /dev/null +++ b/roles/s-lb-web/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted \ No newline at end of file diff --git a/roles/s-lb-web/tasks/main.yml b/roles/s-lb-web/tasks/main.yml new file mode 100644 index 0000000..ac73865 --- /dev/null +++ b/roles/s-lb-web/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: Installation des paquets + apt: + name : + - apache2 + - php + - php-mysql + state: present + + + + diff --git a/roles/s-lb-wordpress/README.md b/roles/s-lb-wordpress/README.md new file mode 100644 index 0000000..1191207 --- /dev/null +++ b/roles/s-lb-wordpress/README.md @@ -0,0 +1,3 @@ +##Téléchargement et configuration de WordPress + +Ce rôle télécharge wordpress depuis s-adm puis configure le fichier wp-config.php pour la situation du gsb. diff --git a/roles/s-lb-wordpress/defaults/main.yml b/roles/s-lb-wordpress/defaults/main.yml new file mode 100644 index 0000000..9b7cc1d --- /dev/null +++ b/roles/s-lb-wordpress/defaults/main.yml @@ -0,0 +1,2 @@ +depl_url: "http://s-adm.gsb.adm/gsbstore/" +depl_wordpress: "wordpress-5.8.2-fr_FR.tar.gz" diff --git a/roles/s-lb-wordpress/files/wp-config.php b/roles/s-lb-wordpress/files/wp-config.php new file mode 100644 index 0000000..6c0623f --- /dev/null +++ b/roles/s-lb-wordpress/files/wp-config.php @@ -0,0 +1,102 @@ + + +# sysservices: The proper value for the sysServices object. +# arguments: sysservices_number +sysServices 72 + + + +########################################################################### +# SECTION: Agent Operating Mode +# +# This section defines how the agent will operate when it +# is running. + +# master: Should the agent operate as a master agent or not. +# Currently, the only supported master agent type for this token +# is "agentx". +# +# arguments: (on|yes|agentx|all|off|no) + +master agentx + +# agentaddress: The IP address and port number that the agent will listen on. +# By default the agent listens to any and all traffic from any +# interface on the default SNMP port (161). This allows you to +# specify which address, interface, transport type and port(s) that you +# want the agent to listen on. Multiple definitions of this token +# are concatenated together (using ':'s). +# arguments: [transport:]port[@interface/address],... + +#agentaddress 127.0.0.1,[::1] +agentaddress udp:161 + + + +########################################################################### +# SECTION: Access Control Setup +# +# This section defines who is allowed to talk to your running +# snmp agent. + +# Views +# arguments viewname included [oid] + +# system + hrSystem groups only +view systemonly included .1.3.6.1.2.1.1 +view systemonly included .1.3.6.1.2.1.25.1 + + +# rocommunity: a SNMPv1/SNMPv2c read-only access community name +# arguments: community [default|hostname|network/bits] [oid | -V view] + +# Read-only access to everyone to the systemonly view +#rocommunity public default -V systemonly +#rocommunity6 public default -V systemonly +rocommunity public default +# SNMPv3 doesn't use communities, but users with (optionally) an +# authentication and encryption string. This user needs to be created +# with what they can view with rouser/rwuser lines in this file. +# +# createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase] +# e.g. +# createuser authPrivUser SHA-512 myauthphrase AES myprivphrase +# +# This should be put into /var/lib/snmp/snmpd.conf +# +# rouser: a SNMPv3 read-only access username +# arguments: username [noauth|auth|priv [OID | -V VIEW [CONTEXT]]] +rouser authPrivUser authpriv -V systemonly diff --git a/roles/snmp-agent/handlers/main.yml b/roles/snmp-agent/handlers/main.yml new file mode 100644 index 0000000..00b3490 --- /dev/null +++ b/roles/snmp-agent/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart snmpd + service: + name: snmpd + state: restarted diff --git a/roles/snmp-agent/tasks/main.yml b/roles/snmp-agent/tasks/main.yml new file mode 100644 index 0000000..3914b8e --- /dev/null +++ b/roles/snmp-agent/tasks/main.yml @@ -0,0 +1,16 @@ + - name: Installation snmpd + apt: + name: snmpd + state: present + + - name: Installation snmp + apt: + name: snmp + state: present + + - name: Copie du fichier snmpd.conf + copy: + src: snmpd.conf + dest: /etc/snmp/ + notify: + - restart snmpd diff --git a/roles/squid/files/squid.s-adm.conf b/roles/squid/files/squid.s-adm.conf new file mode 100644 index 0000000..af62dd5 --- /dev/null +++ b/roles/squid/files/squid.s-adm.conf @@ -0,0 +1,7961 @@ +# WELCOME TO SQUID 3.5.23 +# ---------------------------- +# +# This is the documentation for the Squid configuration file. +# This documentation can also be found online at: +# http://www.squid-cache.org/Doc/config/ +# +# You may wish to look at the Squid home page and wiki for the +# FAQ and other documentation: +# http://www.squid-cache.org/ +# http://wiki.squid-cache.org/SquidFaq +# http://wiki.squid-cache.org/ConfigExamples +# +# This documentation shows what the defaults for various directives +# happen to be. If you don't need to change the default, you should +# leave the line out of your squid.conf in most cases. +# +# In some cases "none" refers to no default setting at all, +# while in other cases it refers to the value of the option +# - the comments for that keyword indicate if this is the case. +# + +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards are +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % +##auth_param negotiate children 20 startup=0 idle=1 +##auth_param negotiate keep_alive on +## +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## +##auth_param basic program +##auth_param basic children 5 startup=5 idle=1 +##auth_param basic realm Squid proxy-caching web server +##auth_param basic credentialsttl 2 hours +#Default: +# none + +# TAG: authenticate_cache_garbage_interval +# The time period between garbage collection across the username cache. +# This is a trade-off between memory utilization (long intervals - say +# 2 days) and CPU (short intervals - say 1 minute). Only change if you +# have good reason to. +#Default: +# authenticate_cache_garbage_interval 1 hour + +# TAG: authenticate_ttl +# The time a user & their credentials stay in the logged in +# user cache since their last request. When the garbage +# interval passes, all user credentials that have passed their +# TTL are removed from memory. +#Default: +# authenticate_ttl 1 hour + +# TAG: authenticate_ip_ttl +# If you use proxy authentication and the 'max_user_ip' ACL, +# this directive controls how long Squid remembers the IP +# addresses associated with each user. Use a small value +# (e.g., 60 seconds) if your users might change addresses +# quickly, as is the case with dialup. You might be safe +# using a larger value (e.g., 2 hours) in a corporate LAN +# environment with relatively static address assignments. +#Default: +# authenticate_ip_ttl 1 second + +# ACCESS CONTROLS +# ----------------------------------------------------------------------------- + +# TAG: external_acl_type +# This option defines external acl classes using a helper program +# to look up the status +# +# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] +# +# Options: +# +# ttl=n TTL in seconds for cached results (defaults to 3600 +# for 1 hour) +# +# negative_ttl=n +# TTL for cached negative lookups (default same +# as ttl) +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# +# ipv4 / ipv6 IP protocol used to communicate with this helper. +# The default is to auto-detect IPv6 and use it when available. +# +# +# FORMAT specifications +# +# %LOGIN Authenticated user login name +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl +# %IDENT Ident user name +# %SRC Client IP +# %SRCPORT Client source port +# %URI Requested URI +# %DST Requested host +# %PROTO Requested URL scheme +# %PORT Requested port +# %PATH Requested URL path +# %METHOD Request method +# %MYADDR Squid interface address +# %MYPORT Squid http_port number +# %PATH Requested URL-path (including query-string if any) +# %USER_CERT SSL User certificate in PEM format +# %USER_CERTCHAIN SSL User certificate chain in PEM format +# %USER_CERT_xx SSL User certificate subject attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" +# %>{Hdr:member} +# HTTP request header "Hdr" list member "member" +# %>{Hdr:;member} +# HTTP request header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %<{Header} HTTP reply header "Header" +# %<{Hdr:member} +# HTTP reply header "Hdr" list member "member" +# %<{Hdr:;member} +# HTTP reply header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# +# %% The percent sign. Useful for helpers which need +# an unchanging input format. +# +# +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# +# +# General result syntax: +# +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. +# +# Defined keywords: +# +# user= The users name (login) +# +# password= The users password (for login= cache_peer option) +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# +# log= String to be logged in access.log. Available as +# %ea in logformat specifications. +# +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) +# # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. +# # +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] +# # Except for access control, AS numbers can be used for +# # routing of requests to specific caches. Here's an +# # example for routing all requests for AS#1241 and only +# # those to mycache.mydomain.net: +# # acl asexample dst_as 1241 +# # cache_peer_access mycache.mydomain.net allow asexample +# # cache_peer_access mycache_mydomain.net deny all +# +# acl aclname peername myPeer ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. +# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# +# acl aclname proxy_auth [-i] username ... +# acl aclname proxy_auth_regex [-i] pattern ... +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. +# # use REQUIRED to accept any valid username. +# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ext_user username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ +# +#Default: +# ACLs all, manager, localhost, and to_localhost are predefined. +# +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +#acl localnet src fc00::/7 # RFC 4193 local private network range +#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + +# TAG: follow_x_forwarded_for +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. +# +# If a request reaches us from a source that is allowed by this +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# X-Forwarded-For header will be ignored. + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + +# TAG: http_access +# Allowing or Denying access based on defined access lists +# +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: +# http_access allow|deny [!]aclname ... +# +# NOTE on default values: +# +# If there are no "access" lines present, the default is to deny +# the request. +# +# If none of the "access" lines cause a match, the default is the +# opposite of the last line in the list. If the last line was +# deny, the default is allow. Conversely, if the last line +# is allow, the default will be deny. For these reasons, it is a +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# Deny, unless rules exist in squid.conf. +# + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +#http_access allow localnet +http_access allow localhost +http_access allow localnet + +# And finally deny all other access to this proxy +http_access deny all + +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: http_reply_access +# Allow replies to client requests. This is complementary to http_access. +# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. +# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. +# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. +# +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. +# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 +# +# vport Virtual host port support. Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# +# If you run Squid on a dual-homed machine with an internal +# and an external interface we recommend you to specify the +# internal address:port in http_port. This way Squid will only be +# visible on the internal address. +# +# + +# Squid normally listens to port 3128 +#http_port 3128 +http_port 8080 + +# TAG: https_port +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] +# +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. +# +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. +# +# You may specify multiple socket addresses on multiple lines, +# each with their own SSL certificate and/or options. +# +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# See http_port for a list of generic options +# +# +# SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1 only +# +# cipher= Colon separated list of supported ciphers. +# +# options= Various SSL engine options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1 +# +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped SSL requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is CA certificate life time of generated +# certificate equals lifetime of CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. +# +# Usage: ftp_port address [mode] [options] +# +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). +# +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. +# +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. +# +# disable-preserve-miss +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). +# +#Default: +# none + +# TAG: tcp_outgoing_address +# Allows you to map requests to different outgoing IP addresses +# based on the username or source address of the user making +# the request. +# +# tcp_outgoing_address ipaddr [[!]aclname] ... +# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net +# +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. +# +# +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. +# +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. +# +#Default: +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. +#Default: +# none + +# TAG: sslproxy_client_certificate +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Client SSL Certificate to use when proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_client_key +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Client SSL Key to use when proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_version +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +#Default: +# automatic SSL/TLS version negotiation + +# TAG: sslproxy_options +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs +# +# The most important being: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. +#Default: +# none + +# TAG: sslproxy_cipher +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# SSL cipher list to use when proxying https:// URLs +# +# Colon separated list of supported ciphers. +#Default: +# none + +# TAG: sslproxy_cafile +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# file containing CA certificates to use when verifying server +# certificates while proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_capath +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# directory containing CA certificates to use when verifying +# server certificates while proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# +# +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. +# +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all +#Default: +# Become a TCP tunnel without decrypting proxied traffic. + +# TAG: sslproxy_flags +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Various flags modifying the use of SSL while proxying https:// URLs: +# DONT_VERIFY_PEER Accept certificates that fail verification. +# For refined control, see sslproxy_cert_error. +# NO_DEFAULT_CA Don't use the default CA list built in +# to OpenSSL. +#Default: +# none + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers for example.com. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslpassword_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify a program used for entering SSL key passphrases +# when using encrypted SSL certificate keys. If not specified +# keys must either be unencrypted, or Squid started with the -N +# option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. +#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for ssl_crtd process. +# /usr/lib/squid/ssl_crtd program requires -s and -M parameters +# For more information use: +# /usr/lib/squid/ssl_crtd -h +#Default: +# sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# The maximum number of processes spawn to service ssl server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# ssl Encrypt connections to this peer with SSL/TLS. +# +# sslcert=/path/to/ssl/certificate +# A client SSL certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private SSL key corresponding to sslcert above. +# If 'sslkey' is not specified 'sslcert' is assumed to +# reference a combined file containing both the +# certificate and the key. +# +# sslversion=1|2|3|4|5|6 +# The SSL version to use when connecting to this peer +# 1 = automatic (default) +# 2 = SSL v2 only +# 3 = SSL v3 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# sslcafile=... A file containing additional CA certificates to use +# when verifying the peer certificate. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# sslflags=... Specify various flags modifying the SSL implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# NO_DEFAULT_CA +# Don't use the default CA list built in +# to OpenSSL. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. This is primarily useful when +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. +# +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. +# +# name=xxx Unique name for the peer. +# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to identify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. +# +# no-tproxy Do not use the client-spoof TPROXY support when forwarding +# requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. +# +# proxy-only objects fetched from the peer will not be stored locally. +# +#Default: +# none + +# TAG: cache_peer_domain +# Use to limit the domains for which a neighbor cache will be +# queried. +# +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain +# +# For example, specifying +# +# cache_peer_domain parent.foo.net .edu +# +# has the effect such that UDP query packets are sent to +# 'bigserver' only when the requested object exists on a +# server in the .edu domain. Prefixing the domainname +# with '!' means the cache will be queried for objects +# NOT in that domain. +# +# NOTE: * Any number of domains may be given for a cache-host, +# either on the same or separate lines. +# * When multiple domains are given for a particular +# cache-host, the first matched domain is applied. +# * Cache hosts with no domain restrictions are queried +# for all requests. +# * There are no defaults. +# * There is also a 'cache_peer_access' tag in the ACL +# section. +#Default: +# none + +# TAG: cache_peer_access +# Restricts usage of cache_peer proxies. +# +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# No peer usage restrictions. + +# TAG: neighbor_type_domain +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. +# +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... +# +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. +#Default: +# The peer type from cache_peer directive is used for all requests to that peer. + +# TAG: dead_peer_timeout (seconds) +# This controls how long Squid waits to declare a peer cache +# as "dead." If there are no ICP replies received in this +# amount of time, Squid will declare the peer dead and not +# expect to receive any further ICP replies. However, it +# continues to send ICP queries, and will mark the peer as +# alive upon receipt of the first subsequent ICP reply. +# +# This timeout also affects when Squid expects to receive ICP +# replies from peers. If more than 'dead_peer' seconds have +# passed since the last ICP reply was received, Squid will not +# expect to receive an ICP reply on the next query. Thus, if +# your time between requests is greater than this timeout, you +# will see a lot of requests sent DIRECT to origin servers +# instead of to your parents. +#Default: +# dead_peer_timeout 10 seconds + +# TAG: forward_max_tries +# Controls how many different forward paths Squid will try +# before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. +#Default: +# forward_max_tries 25 + +# MEMORY CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_mem (bytes) +# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. +# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL +# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER +# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. +# +# 'cache_mem' specifies the ideal amount of memory to be used +# for: +# * In-Transit objects +# * Hot Objects +# * Negative-Cached objects +# +# Data for these objects are stored in 4 KB blocks. This +# parameter specifies the ideal upper limit on the total size of +# 4 KB blocks allocated. In-Transit objects take the highest +# priority. +# +# In-transit objects have priority over the others. When +# additional space is needed for incoming data, negative-cached +# and hot objects will be released. In other words, the +# negative-cached and hot objects will fill up any unused space +# not needed for in-transit objects. +# +# If circumstances require, this limit will be exceeded. +# Specifically, if your incoming request rate requires more than +# 'cache_mem' of memory to hold in-transit objects, Squid will +# exceed this limit to satisfy the new requests. When the load +# decreases, blocks will be freed until the high-water mark is +# reached. Thereafter, blocks will be used to store hot +# objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. +#Default: +# cache_mem 256 MB + +# TAG: maximum_object_size_in_memory (bytes) +# Objects greater than this size will not be attempted to kept in +# the memory cache. This should be set high enough to keep objects +# accessed frequently in memory to improve performance whilst low +# enough to keep larger objects from hoarding cache_mem. +#Default: +# maximum_object_size_in_memory 512 KB + +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + +# TAG: memory_replacement_policy +# The memory replacement policy parameter determines which +# objects are purged from memory when memory space is needed. +# +# See cache_replacement_policy for details on algorithms. +#Default: +# memory_replacement_policy lru + +# DISK CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_replacement_policy +# The cache replacement policy parameter determines which +# objects are evicted (replaced) when disk space is needed. +# +# lru : Squid's original list based LRU policy +# heap GDSF : Greedy-Dual Size Frequency +# heap LFUDA: Least Frequently Used with Dynamic Aging +# heap LRU : LRU policy implemented using a heap +# +# Applies to any cache_dir lines listed below this directive. +# +# The LRU policies keeps recently referenced objects. +# +# The heap GDSF policy optimizes object hit rate by keeping smaller +# popular objects in cache so it has a better chance of getting a +# hit. It achieves a lower byte hit rate than LFUDA though since +# it evicts larger (possibly popular) objects. +# +# The heap LFUDA policy keeps popular objects in cache regardless of +# their size and thus optimizes byte hit rate at the expense of +# hit rate since one large, popular object will prevent many +# smaller, slightly less popular objects from being cached. +# +# Both policies utilize a dynamic aging mechanism that prevents +# cache pollution that can otherwise occur with frequency-based +# replacement policies. +# +# NOTE: if using the LFUDA replacement policy you should increase +# the value of maximum_object_size above its default of 4 MB to +# to maximize the potential byte hit rate improvement of LFUDA. +# +# For more information about the GDSF and LFUDA cache replacement +# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html +# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +#Default: +# cache_replacement_policy lru + +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + +# TAG: cache_dir +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] +# +# You can specify multiple cache_dir lines to spread the +# cache among different disk partitions. +# +# Type specifies the kind of storage system to use. Only "ufs" +# is built by default. To enable any of the other storage systems +# see the --enable-storeio configure option. +# +# 'Directory' is a top-level directory where cache swap +# files will be stored. If you want to use an entire disk +# for caching, this can be the mount-point directory. +# The directory must exist and be writable by the Squid +# process. Squid will NOT create this directory for you. +# +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== +# +# "ufs" is the old well-known Squid storage format that has always +# been there. +# +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# +# 'Mbytes' is the amount of disk space (MB) to use under this +# directory. The default is 100 MB. Change this to suit your +# configuration. Do NOT put the size of your disk drive here. +# Instead, if you want Squid to use the entire disk drive, +# subtract 20% and use that value. +# +# 'L1' is the number of first-level subdirectories which +# will be created under the 'Directory'. The default is 16. +# +# 'L2' is the number of second-level subdirectories which +# will be created under each first-level directory. The default +# is 256. +# +# +# ==== The aufs store type ==== +# +# "aufs" uses the same storage format as "ufs", utilizing +# POSIX-threads to avoid blocking the main Squid process on +# disk-I/O. This was formerly known in Squid as async-io. +# +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# +# see argument descriptions under ufs above +# +# +# ==== The diskd store type ==== +# +# "diskd" uses the same storage format as "ufs", utilizing a +# separate process to avoid blocking the main Squid process on +# disk-I/O. +# +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# +# see argument descriptions under ufs above +# +# Q1 specifies the number of unacknowledged I/O requests when Squid +# stops opening new files. If this many messages are in the queues, +# Squid won't open new files. Default is 64 +# +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: +# +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 +#Default: +# store_dir_select_algorithm least-load + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +#Default: +# no limit + +# TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy +#Default: +# cache_swap_low 90 + +# TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy +#Default: +# cache_swap_high 95 + +# LOGFILE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: logformat +# Usage: +# +# logformat +# +# Defines an access log format. +# +# The is a string with embedded % format codes +# +# % format codes all follow the same basic structure where all but +# the formatcode is optional. Output strings are automatically escaped +# as required according to their context and the output format +# modifiers are usually not needed, but can be specified if an explicit +# output format is desired. +# +# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode +# +# " output in quoted string format +# [ output in squid text log format as used by log_mime_hdrs +# # output in URL quoted format +# ' output as-is +# +# - left aligned +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# +# {arg} argument such as header name etc +# +# Format codes: +# +# % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# +# >a Client source IP address +# >A Client FQDN +# >p Client source port +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST +# +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# +# [http::]h +# +# [http::]mt MIME content type +# +# +# SIZE COUNTERS +# +# [http::]st Total size of request + reply traffic with client +# [http::]>st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as +# well as ICAP log codes documented with the icap_log option): +# +# icap::tt Total ICAP processing time for the HTTP +# transaction. The timer ticks when ICAP +# ACLs are checked and when ICAP +# transaction is in progress. +# +# If adaptation is enabled the following three codes become available: +# +# adapt::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# +# The default formats available (which do not need re-defining) are: +# +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid/access.log squid +#Default: +# access_log daemon:/var/log/squid/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. +# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid/log_file_daemon + +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + +# TAG: cache_store_log +# Logs the activities of the storage manager. Shows which +# objects are ejected from the cache, and which objects are +# saved and for how long. +# There are not really utilities to analyze this data, so you can safely +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# +# Example: +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log +#Default: +# none + +# TAG: cache_swap_state +# Location for the cache "swap.state" file. This index file holds +# the metadata of objects saved on disk. It is used to rebuild +# the cache during startup. Normally this file resides in each +# 'cache_dir' directory, but you may specify an alternate +# pathname here. Note you must give a full filename, not just +# a directory. Since this is the index for the whole object +# list you CANNOT periodically rotate it! +# +# If %s can be used in the file name it will be replaced with a +# a representation of the cache_dir name where each / is replaced +# with '.'. This is needed to allow adding/removing cache_dir +# lines when cache_swap_log is being used. +# +# If have more than one 'cache_dir', and %s is not used in the name +# these swap logs will have names such as: +# +# cache_swap_log.00 +# cache_swap_log.01 +# cache_swap_log.02 +# +# The numbered extension (which is added automatically) +# corresponds to the order of the 'cache_dir' lines in this +# configuration file. If you change the order of the 'cache_dir' +# lines in this file, these index files will NOT correspond to +# the correct 'cache_dir' entry (unless you manually rename +# them). We recommend you do NOT use this option. It is +# better to keep these index files in each 'cache_dir' directory. +#Default: +# Store the journal inside its cache_dir + +# TAG: logfile_rotate +# Specifies the number of logfile rotations to make when you +# type 'squid -k rotate'. The default is 10, which will rotate +# with extensions 0 through 9. Setting logfile_rotate to 0 will +# disable the file name rotation, but the logfiles are still closed +# and re-opened. This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# +# Note, the 'squid -k rotate' command normally sends a USR1 +# signal to the running squid process. In certain situations +# (e.g. on Linux with Async I/O), USR1 is used for other +# purposes, so -k rotate uses another signal. It is best to get +# in the habit of using 'squid -k rotate' instead of 'kill -USR1 +# '. +# +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. +# +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. +#Default: +# logfile_rotate 0 + +# TAG: mime_table +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. +#Default: +# mime_table /usr/share/squid/mime.conf + +# TAG: log_mime_hdrs on|off +# The Cache can record both the request and the response MIME +# headers for each HTTP transaction. The headers are encoded +# safely and will appear as two bracketed fields at the end of +# the access log (for either the native or httpd-emulated log +# formats). To enable this logging set log_mime_hdrs to 'on'. +#Default: +# log_mime_hdrs off + +# TAG: pid_filename +# A filename to write the process-id to. To disable, enter "none". +#Default: +# pid_filename /var/run/squid.pid + +# TAG: client_netmask +# A netmask for client addresses in logfiles and cachemgr output. +# Change this to protect the privacy of your cache clients. +# A netmask of 255.255.255.0 will log all IP's in that range with +# the last digit set to '0'. +#Default: +# Log full client IP address + +# TAG: strip_query_terms +# By default, Squid strips query terms from requested URLs before +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. +#Default: +# strip_query_terms on + +# TAG: buffered_logs on|off +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. +#Default: +# buffered_logs off + +# TAG: netdb_filename +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. +# +# To disable, enter "none". +#Default: +# netdb_filename stdio:/var/log/squid/netdb.state + +# OPTIONS FOR TROUBLESHOOTING +# ----------------------------------------------------------------------------- + +# TAG: cache_log +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" +#Default: +# cache_log /var/log/squid/cache.log + +# TAG: debug_options +# Logging options are set as section,level where each source file +# is assigned a unique section. Lower levels result in less +# output, Full debugging (level 9) can result in a very large +# log file, so be careful. +# +# The magic word "ALL" sets debugging levels for all sections. +# The default is to run with "ALL,1" to record important warnings. +# +# The rotate=N option can be used to keep more or less of these logs +# than would otherwise be kept by logfile_rotate. +# For most uses a single log should be enough to monitor current +# events affecting Squid. +#Default: +# Log all critical and important messages. + +# TAG: coredump_dir +# By default Squid leaves core files in the directory from where +# it was started. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# Use the directory from where Squid was started. +# + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# OPTIONS FOR FTP GATEWAYING +# ----------------------------------------------------------------------------- + +# TAG: ftp_user +# If you want the anonymous login password to be more informative +# (and enable the use of picky FTP servers), set this to something +# reasonable for your domain, like wwwuser@somewhere.net +# +# The reason why this is domainless by default is the +# request can be made on the behalf of a user in any domain, +# depending on how the cache is used. +# Some FTP server also validate the email address is valid +# (for example perl.com). +#Default: +# ftp_user Squid@ + +# TAG: ftp_passive +# If your firewall does not allow Squid to use passive +# connections, turn off this option. +# +# Use of ftp_epsv_all option requires this to be ON. +#Default: +# ftp_passive on + +# TAG: ftp_epsv_all +# FTP Protocol extensions permit the use of a special "EPSV ALL" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: +# +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# none + +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + +# TAG: ftp_sanitycheck +# For security and data integrity reasons Squid by default performs +# sanity checks of the addresses of FTP data connections ensure the +# data connection is to the requested server. If you need to allow +# FTP connections to servers using another IP address for the data +# connection turn this off. +#Default: +# ftp_sanitycheck on + +# TAG: ftp_telnet_protocol +# The FTP protocol is officially defined to use the telnet protocol +# as transport channel for the control connection. However, many +# implementations are broken and does not respect this aspect of +# the FTP protocol. +# +# If you have trouble accessing files with ASCII code 255 in the +# path or similar problems involving this ASCII code you can +# try setting this directive to off. If that helps, report to the +# operator of the FTP server in question that their FTP server +# is broken and does not follow the FTP standard. +#Default: +# ftp_telnet_protocol on + +# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS +# ----------------------------------------------------------------------------- + +# TAG: diskd_program +# Specify the location of the diskd executable. +# Note this is only useful if you have compiled in +# diskd as one of the store io modules. +#Default: +# diskd_program /usr/lib/squid/diskd + +# TAG: unlinkd_program +# Specify the location of the executable for file deletion process. +#Default: +# unlinkd_program /usr/lib/squid/unlinkd + +# TAG: pinger_program +# Specify the location of the executable for the pinger process. +#Default: +# pinger_program /usr/lib/squid/pinger + +# TAG: pinger_enable +# Control whether the pinger is active at run-time. +# Enables turning ICMP pinger on and off with a simple +# squid -k reconfigure. +#Default: +# pinger_enable on + +# OPTIONS FOR URL REWRITING +# ----------------------------------------------------------------------------- + +# TAG: url_rewrite_program +# Specify the location of the executable URL rewriter to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the rewriter will receive on line with the format +# +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. +# +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. +# +# ERR +# Do not change the URL. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. +# +# By default, a URL rewriter is not used. +#Default: +# none + +# TAG: url_rewrite_children +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each redirector helper can handle in +# parallel. Defaults to 0 which indicates the redirector +# is a old-style single threaded redirector. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 + +# TAG: url_rewrite_host_header +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# +# WARNING: Entries are cached on the result of the URL rewriting +# process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. +#Default: +# url_rewrite_host_header on + +# TAG: url_rewrite_access +# If defined, this access list specifies which requests are +# sent to the redirector processes. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: url_rewrite_bypass +# When this is 'on', a request will not go through the +# redirector if all the helpers are busy. If this is 'off' +# and the redirector queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# redirectors. You should only enable this if the redirectors +# are not critical to your caching system. If you use +# redirectors for access control, and you enable this option, +# users may have access to pages they should not +# be allowed to request. +#Default: +# url_rewrite_bypass off + +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week + +# TAG: refresh_pattern +# usage: refresh_pattern [-i] regex min percent max [options] +# +# By default, regular expressions are CASE-SENSITIVE. To make +# them case-insensitive, use the -i option. +# +# 'Min' is the time (in minutes) an object without an explicit +# expiry time should be considered fresh. The recommended +# value is 0, any higher values may cause dynamic applications +# to be erroneously cached unless the application designer +# has taken the appropriate actions. +# +# 'Percent' is a percentage of the objects age (time since last +# modification age) an object without explicit expiry time +# will be considered fresh. +# +# 'Max' is an upper limit on how long objects without an explicit +# expiry time will be considered fresh. +# +# options: override-expire +# override-lastmod +# reload-into-ims +# ignore-reload +# ignore-no-store +# ignore-must-revalidate +# ignore-private +# ignore-auth +# max-stale=NN +# refresh-ims +# store-stale +# +# override-expire enforces min age even if the server +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. +# +# override-lastmod enforces min age even on objects +# that were modified recently. +# +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# ignore-reload ignores a client no-cache or ``reload'' +# header. Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which +# it causes. +# +# ignore-no-store ignores any ``Cache-control: no-store'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate`` +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-private ignores any ``Cache-control: private'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-auth caches responses to requests with authorization, +# as if the originserver had sent ``Cache-control: public'' +# in the response header. Doing this VIOLATES the HTTP standard. +# Enabling this feature could make you liable for problems which +# it causes. +# +# refresh-ims causes squid to contact the origin server +# when a client issues an If-Modified-Since request. This +# ensures that the client will receive an updated version +# if one is available. +# +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# +# Basically a cached object is: +# +# FRESH if expire > now, else STALE +# STALE if age > max +# FRESH if lm-factor < percent, else STALE +# FRESH if age < min +# else STALE +# +# The refresh_pattern lines are checked in the order listed here. +# The first entry which matches is used. If none of the entries +# match the default will be used. +# +# Note, you must uncomment all the default lines if you want +# to change one. The default setting is only active if none is +# used. +# +# + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# TAG: quick_abort_min (KB) +#Default: +# quick_abort_min 16 KB + +# TAG: quick_abort_max (KB) +#Default: +# quick_abort_max 16 KB + +# TAG: quick_abort_pct (percent) +# The cache by default continues downloading aborted requests +# which are almost completed (less than 16 KB remaining). This +# may be undesirable on slow (e.g. SLIP) links and/or very busy +# caches. Impatient users may tie up file descriptors and +# bandwidth by repeatedly requesting and immediately aborting +# downloads. +# +# When the user aborts a request, Squid will check the +# quick_abort values to the amount of data transferred until +# then. +# +# If the transfer has less than 'quick_abort_min' KB remaining, +# it will finish the retrieval. +# +# If the transfer has more than 'quick_abort_max' KB remaining, +# it will abort the retrieval. +# +# If more than 'quick_abort_pct' of the transfer has completed, +# it will finish the retrieval. +# +# If you do not want any retrieval to continue after the client +# has aborted, set both 'quick_abort_min' and 'quick_abort_max' +# to '0 KB'. +# +# If you want retrievals to always continue if they are being +# cached set 'quick_abort_min' to '-1 KB'. +#Default: +# quick_abort_pct 95 + +# TAG: read_ahead_gap buffer-size +# The amount of data the cache will buffer ahead of what has been +# sent to the client when retrieving an object from another server. +#Default: +# read_ahead_gap 16 KB + +# TAG: negative_ttl time-units +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. +# +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +#Default: +# negative_ttl 0 seconds + +# TAG: positive_dns_ttl time-units +# Upper limit on how long Squid will cache positive DNS responses. +# Default is 6 hours (360 minutes). This directive must be set +# larger than negative_dns_ttl. +#Default: +# positive_dns_ttl 6 hours + +# TAG: negative_dns_ttl time-units +# Time-to-Live (TTL) for negative caching of failed DNS lookups. +# This also sets the lower cache limit on positive lookups. +# Minimum value is 1 second, and it is not recommendable to go +# much below 10 seconds. +#Default: +# negative_dns_ttl 1 minutes + +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# +# This is to stop a far ahead range request (lets say start at 17MB) +# from making Squid fetch the whole object up to that point before +# sending anything to the client. +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the +# client requested. (default) +# +# A size of 'none' causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. +#Default: +# none + +# TAG: minimum_expiry_time (seconds) +# The minimum caching time according to (Expires - Date) +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. +#Default: +# minimum_expiry_time 60 seconds + +# TAG: store_avg_object_size (bytes) +# Average object size, used to estimate number of objects your +# cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. +#Default: +# store_avg_object_size 13 KB + +# TAG: store_objects_per_bucket +# Target number of objects per bucket in the store hash table. +# Lowering this value increases the total number of buckets and +# also the storage maintenance rate. The default is 20. +#Default: +# store_objects_per_bucket 20 + +# HTTP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: request_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a request. +# Request headers are usually relatively small (about 512 bytes). +# Placing a limit on the request header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a reply. +# Reply headers are usually relatively small (about 512 bytes). +# Placing a limit on the reply header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. + +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. +# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: ie_refresh on|off +# Microsoft Internet Explorer up until version 5.5 Service +# Pack 1 has an issue with transparent proxies, wherein it +# is impossible to force a refresh. Turning this on provides +# a partial fix to the problem, by causing all IMS-REFRESH +# requests from older IE versions to check the origin server +# for fresh content. This reduces hit ratio by some amount +# (~10% in my experience), but allows users to actually get +# fresh content when they want it. Note because Squid +# cannot tell if the user is using 5.5 or 5.5SP1, the behavior +# of 5.5 is unchanged from old versions of Squid (i.e. a +# forced refresh is impossible). Newer versions of IE will, +# hopefully, continue to have the new behavior and will be +# handled based on that assumption. This option defaults to +# the old Squid behavior, which is better for hit ratios but +# worse for clients using IE, if they need to be able to +# force fresh content. +#Default: +# ie_refresh off + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. +# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. + +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + +# TAG: relaxed_header_parser on|off|warn +# In the default "on" setting Squid accepts certain forms +# of non-compliant HTTP messages where it is unambiguous +# what the sending application intended even if the message +# is not correctly formatted. The messages is then normalized +# to the correct form when forwarded by Squid. +# +# If set to "warn" then a warning will be emitted in cache.log +# each time such HTTP error is encountered. +# +# If set to "off" then such HTTP errors will cause the request +# or response to be rejected. +#Default: +# relaxed_header_parser on + +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off + +# TIMEOUTS +# ----------------------------------------------------------------------------- + +# TAG: forward_timeout time-units +# This parameter specifies how long Squid should at most attempt in +# finding a forwarding path for the request before giving up. +#Default: +# forward_timeout 4 minutes + +# TAG: connect_timeout time-units +# This parameter specifies how long to wait for the TCP connect to +# the requested server or peer to complete before Squid should +# attempt to find another path where to forward the request. +#Default: +# connect_timeout 1 minute + +# TAG: peer_connect_timeout time-units +# This parameter specifies how long to wait for a pending TCP +# connection to a peer cache. The default is 30 seconds. You +# may also set different timeout values for individual neighbors +# with the 'connect-timeout' option on a 'cache_peer' line. +#Default: +# peer_connect_timeout 30 seconds + +# TAG: read_timeout time-units +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this +# amount. If no data is read again after this amount of time, +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. +#Default: +# read_timeout 15 minutes + +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + +# TAG: request_timeout +# How long to wait for complete HTTP request headers after initial +# connection establishment. +#Default: +# request_timeout 5 minutes + +# TAG: client_idle_pconn_timeout +# How long to wait for the next HTTP request on a persistent +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. +#Default: +# ftp_client_idle_timeout 30 minutes + +# TAG: client_lifetime time-units +# The maximum amount of time a client (browser) is allowed to +# remain connected to the cache process. This protects the Cache +# from having a lot of sockets (and hence file descriptors) tied up +# in a CLOSE_WAIT state from remote clients that go away without +# properly shutting down (either because of a network failure or +# because of a poor client implementation). The default is one +# day, 1440 minutes. +# +# NOTE: The default value is intended to be much larger than any +# client would ever need to be connected to your cache. You +# should probably change client_lifetime only as a last resort. +# If you seem to have many client connections tying up +# filedescriptors, we recommend first tuning the read_timeout, +# request_timeout, persistent_request_timeout and quick_abort values. +#Default: +# client_lifetime 1 day + +# TAG: half_closed_clients +# Some clients may shutdown the sending side of their TCP +# connections, while leaving their receiving sides open. Sometimes, +# Squid can not tell the difference between a half-closed and a +# fully-closed TCP connection. +# +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. +#Default: +# half_closed_clients off + +# TAG: server_idle_pconn_timeout +# Timeout for idle persistent connections to servers and other +# proxies. +#Default: +# server_idle_pconn_timeout 1 minute + +# TAG: ident_timeout +# Maximum time to wait for IDENT lookups to complete. +# +# If this is too high, and you enabled IDENT lookups from untrusted +# users, you might be susceptible to denial-of-service by having +# many ident requests going at once. +#Default: +# ident_timeout 10 seconds + +# TAG: shutdown_lifetime time-units +# When SIGTERM or SIGHUP is received, the cache is put into +# "shutdown pending" mode until all active sockets are closed. +# This value is the lifetime to set for all open descriptors +# during shutdown mode. Any active clients after this many +# seconds will receive a 'timeout' message. +#Default: +# shutdown_lifetime 30 seconds + +# ADMINISTRATIVE PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: cache_mgr +# Email-address of local cache manager who will receive +# mail if the cache dies. The default is "webmaster". +#Default: +# cache_mgr webmaster + +# TAG: mail_from +# From: email-address for mail sent when the cache dies. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. +#Default: +# none + +# TAG: mail_program +# Email program used to send mail if the cache dies. +# The default is "mail". The specified program must comply +# with the standard Unix mail syntax: +# mail-program recipient < mailfile +# +# Optional command line options can be specified. +#Default: +# mail_program mail + +# TAG: cache_effective_user +# If you start Squid as root, it will change its effective/real +# UID/GID to the user specified below. The default is to change +# to UID of proxy. +# see also; cache_effective_group +#Default: +# cache_effective_user proxy + +# TAG: cache_effective_group +# Squid sets the GID to the effective user's default group ID +# (taken from the password file) and supplementary group list +# from the groups membership. +# +# If you want Squid to run with a specific GID regardless of +# the group memberships of the effective user then set this +# to the group (or GID) you want Squid to run as. When set +# all other group privileges of the effective user are ignored +# and only this GID is effective. If Squid is not started as +# root the user starting Squid MUST be member of the specified +# group. +# +# This option is not recommended by the Squid Team. +# Our preference is for administrators to configure a secure +# user account for squid with UID/GID matching system policies. +#Default: +# Use system group memberships of the cache_effective_user account + +# TAG: httpd_suppress_version_string on|off +# Suppress Squid version string info in HTTP headers and HTML error pages. +#Default: +# httpd_suppress_version_string off + +# TAG: visible_hostname +# If you want to present a special hostname in error messages, etc, +# define this. Otherwise, the return value of gethostname() +# will be used. If you have multiple caches in a cluster and +# get errors about IP-forwarding you must set them to have individual +# names with this setting. +#Default: +# Automatically detect the system host name + +# TAG: unique_hostname +# If you want to have multiple machines with the same +# 'visible_hostname' you must give each machine a different +# 'unique_hostname' so forwarding loops can be detected. +#Default: +# Copy the value from visible_hostname + +# TAG: hostname_aliases +# A list of other DNS names your cache has. +#Default: +# none + +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 + +# OPTIONS FOR THE CACHE REGISTRATION SERVICE +# ----------------------------------------------------------------------------- +# +# This section contains parameters for the (optional) cache +# announcement service. This service is provided to help +# cache administrators locate one another in order to join or +# create cache hierarchies. +# +# An 'announcement' message is sent (via UDP) to the registration +# service by Squid. By default, the announcement message is NOT +# SENT unless you enable it with 'announce_period' below. +# +# The announcement message includes your hostname, plus the +# following information from this configuration file: +# +# http_port +# icp_port +# cache_mgr +# +# All current information is processed regularly and made +# available on the Web at http://www.ircache.net/Cache/Tracker/. + +# TAG: announce_period +# This is how frequently to send cache announcements. +# +# To enable announcing your cache, just set an announce period. +# +# Example: +# announce_period 1 day +#Default: +# Announcement messages disabled. + +# TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat|custom +# ESI markup is not strictly XML compatible. The custom ESI parser +# will give higher performance, but cannot handle non ASCII character +# encodings. +#Default: +# esi_parser custom + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. +#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. +#Default: +# none + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. +# +# delay_access is sorted per pool and the matching starts with pool 1, +# then pool 2, ..., and finally pool N. The first delay pool where the +# request is allowed is selected for the request. If it does not allow +# the request to any pool then the request is not delayed (default). +# +# For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# +#Default: +# Deny using the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. +# +# For a class 1 delay pool, the syntax is: +# delay_class pool 1 +# delay_parameters pool aggregate +# +# For a class 2 delay pool: +# delay_class pool 2 +# delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# delay_class pool 3 +# delay_parameters pool aggregate network individual +# +# For a class 4 delay pool: +# delay_class pool 4 +# delay_parameters pool aggregate network individual user +# +# For a class 5 delay pool: +# delay_class pool 5 +# delay_parameters pool tagrate +# +# The option variables are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the speed limit parameters for the aggregate bucket +# (class 1, 2, 3). +# +# individual the speed limit parameters for the individual +# buckets (class 2, 3). +# +# network the speed limit parameters for the network buckets +# (class 3). +# +# user the speed limit parameters for the user buckets +# (class 4). +# +# tagrate the speed limit parameters for the tag buckets +# (class 5). +# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# There must be one delay_parameters line for each delay pool. +# +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64Kbit/sec +# (plus overheads), with no overall limit, the line is: +# +# delay_parameters 1 none 8000/8000 +# +# Note that 8 x 8K Byte/sec -> 64K bit/sec. +# +# Note that the word 'none' is used to represent no limit. +# +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256Kbit/sec (strict limit) +# with each 8-bit network permitted 64Kbit/sec (strict limit) and each +# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +# delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. +# +# +# Finally, for a class 4 delay pool as in the example - each user will +# be limited to 128Kbits/sec no matter how many workstations they are logged into.: +# +# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# +#Default: +# none + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +#Default: +# delay_initial_bucket_level 50 + +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCP disabled. + +# TAG: wccp2_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCPv2 disabled. + +# TAG: wccp_version +# This directive is only relevant if you need to set up WCCP(v1) +# to some very old and end-of-life Cisco routers. In all other +# setups it must be left unset or at the default setting. +# It defines an internal version in the WCCP(v1) protocol, +# with version 4 being the officially documented protocol. +# +# According to some users, Cisco IOS 11.2 and earlier only +# support WCCP version 3. If you're using that or an earlier +# version of IOS, you may need to change this value to 3, otherwise +# do not specify this parameter. +#Default: +# wccp_version 4 + +# TAG: wccp2_rebuild_wait +# If this is enabled Squid will wait for the cache dir rebuild to finish +# before sending the first wccp2 HereIAm packet +#Default: +# wccp2_rebuild_wait on + +# TAG: wccp2_forwarding_method +# WCCP2 allows the setting of forwarding methods between the +# router/switch and the cache. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment method. +#Default: +# wccp2_forwarding_method gre + +# TAG: wccp2_return_method +# WCCP2 allows the setting of return methods between the +# router/switch and the cache for packets that the cache +# decides not to handle. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment. +# +# If the "ip wccp redirect exclude in" command has been +# enabled on the cache interface, then it is still safe for +# the proxy server to use a l2 redirect method even if this +# option is set to GRE. +#Default: +# wccp2_return_method gre + +# TAG: wccp2_assignment_method +# WCCP2 allows the setting of methods to assign the WCCP hash +# Valid values are as follows: +# +# hash - Hash assignment +# mask - Mask assignment +# +# As a general rule, cisco routers support the hash assignment method +# and cisco switches support the mask assignment method. +#Default: +# wccp2_assignment_method hash + +# TAG: wccp2_service +# WCCP2 allows for multiple traffic services. There are two +# types: "standard" and "dynamic". The standard type defines +# one service id - http (id 0). The dynamic service ids can be from +# 51 to 255 inclusive. In order to use a dynamic service id +# one must define the type of traffic to be redirected; this is done +# using the wccp2_service_info option. +# +# The "standard" type does not require a wccp2_service_info option, +# just specifying the service id will suffice. +# +# MD5 service authentication can be enabled by adding +# "password=" to the end of this service declaration. +# +# Examples: +# +# wccp2_service standard 0 # for the 'web-cache' standard service +# wccp2_service dynamic 80 # a dynamic service type which will be +# # fleshed out with subsequent options. +# wccp2_service standard 0 password=foo +#Default: +# Use the 'web-cache' standard service. + +# TAG: wccp2_service_info +# Dynamic WCCPv2 services require further information to define the +# traffic you wish to have diverted. +# +# The format is: +# +# wccp2_service_info protocol= flags=,.. +# priority= ports=,.. +# +# The relevant WCCPv2 flags: +# + src_ip_hash, dst_ip_hash +# + source_port_hash, dst_port_hash +# + src_ip_alt_hash, dst_ip_alt_hash +# + src_port_alt_hash, dst_port_alt_hash +# + ports_source +# +# The port list can be one to eight entries. +# +# Example: +# +# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source +# priority=240 ports=80 +# +# Note: the service id must have been defined by a previous +# 'wccp2_service dynamic ' entry. +#Default: +# none + +# TAG: wccp2_weight +# Each cache server gets assigned a set of the destination +# hash proportional to their weight. +#Default: +# wccp2_weight 10000 + +# TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# TAG: wccp2_address +# Use this option if you require WCCP to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# PERSISTENT CONNECTION HANDLING +# ----------------------------------------------------------------------------- +# +# Also see "pconn_timeout" in the TIMEOUTS section + +# TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. +#Default: +# client_persistent_connections on + +# TAG: server_persistent_connections +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. +#Default: +# server_persistent_connections on + +# TAG: persistent_connection_after_error +# With this directive the use of persistent connections after +# HTTP errors can be disabled. Useful if you have clients +# who fail to handle errors on persistent connections proper. +#Default: +# persistent_connection_after_error on + +# TAG: detect_broken_pconn +# Some servers have been found to incorrectly signal the use +# of HTTP/1.0 persistent connections even on replies not +# compatible, causing significant delays. This server problem +# has mostly been seen on redirects. +# +# By enabling this directive Squid attempts to detect such +# broken replies and automatically assume the reply is finished +# after 10 seconds timeout. +#Default: +# detect_broken_pconn off + +# CACHE DIGEST OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: digest_generation +# This controls whether the server will generate a Cache Digest +# of its contents. By default, Cache Digest generation is +# enabled if Squid is compiled with --enable-cache-digests defined. +#Default: +# digest_generation on + +# TAG: digest_bits_per_entry +# This is the number of bits of the server's Cache Digest which +# will be associated with the Digest entry for a given HTTP +# Method and URL (public key) combination. The default is 5. +#Default: +# digest_bits_per_entry 5 + +# TAG: digest_rebuild_period (seconds) +# This is the wait time between Cache Digest rebuilds. +#Default: +# digest_rebuild_period 1 hour + +# TAG: digest_rewrite_period (seconds) +# This is the wait time between Cache Digest writes to +# disk. +#Default: +# digest_rewrite_period 1 hour + +# TAG: digest_swapout_chunk_size (bytes) +# This is the number of bytes of the Cache Digest to write to +# disk at a time. It defaults to 4096 bytes (4KB), the Squid +# default swap page. +#Default: +# digest_swapout_chunk_size 4096 bytes + +# TAG: digest_rebuild_chunk_percentage (percent, 0-100) +# This is the percentage of the Cache Digest to be scanned at a +# time. By default it is set to 10% of the Cache Digest. +#Default: +# digest_rebuild_chunk_percentage 10 + +# SNMP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: snmp_port +# The port number where Squid listens for SNMP requests. To enable +# SNMP support set this to a suitable port number. Port number +# 3401 is often used for the Squid SNMP agent. By default it's +# set to "0" (disabled) +# +# Example: +# snmp_port 3401 +#Default: +# SNMP disabled. + +# TAG: snmp_access +# Allowing or denying access to the SNMP port. +# +# All access to the agent is denied by default. +# usage: +# +# snmp_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# snmp_access allow snmppublic localhost +# snmp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: snmp_incoming_address +# Just like 'udp_incoming_address', but for the SNMP port. +# +# snmp_incoming_address is used for the SNMP socket receiving +# messages from SNMP agents. +# +# The default snmp_incoming_address is to listen on all +# available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. +# +# If snmp_outgoing_address is not set it will use the same socket +# as snmp_incoming_address. Only change this if you want to have +# SNMP replies sent using another address than where this Squid +# listens for SNMP queries. +# +# NOTE, snmp_incoming_address and snmp_outgoing_address can not have +# the same value since they both use the same port. +#Default: +# Use snmp_incoming_address or an address selected by the operating system. + +# ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icp_port +# The port number where Squid sends and receives ICP queries to +# and from neighbor caches. The standard UDP port for ICP is 3130. +# +# Example: +# icp_port 3130 +#Default: +# ICP disabled. + +# TAG: htcp_port +# The port number where Squid sends and receives HTCP queries to +# and from neighbor caches. To turn it on you want to set it to +# 4827. +# +# Example: +# htcp_port 4827 +#Default: +# HTCP disabled. + +# TAG: log_icp_queries on|off +# If set, ICP queries are logged to access.log. You may wish +# do disable this if your ICP load is VERY high to speed things +# up or to simplify log analysis. +#Default: +# log_icp_queries on + +# TAG: udp_incoming_address +# udp_incoming_address is used for UDP packets received from other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Only change this if you want to have all UDP queries received on +# a specific interface/address. +# +# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_outgoing_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Accept packets from all machine interfaces. + +# TAG: udp_outgoing_address +# udp_outgoing_address is used for UDP packets sent out to other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Instead it will use the same socket as udp_incoming_address. +# Only change this if you want to have UDP queries sent using another +# address than where this Squid listens for UDP queries from other +# caches. +# +# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_incoming_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Use udp_incoming_address or an address selected by the operating system. + +# TAG: icp_hit_stale on|off +# If you want to return ICP_HIT for stale cache objects, set this +# option to 'on'. If you have sibling relationships with caches +# in other administrative domains, this should be 'off'. If you only +# have sibling relationships with caches under your control, +# it is probably okay to set this to 'on'. +# If set to 'on', your siblings should use the option "allow-miss" +# on their cache_peer lines for connecting to you. +#Default: +# icp_hit_stale off + +# TAG: minimum_direct_hops +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many hops away. +#Default: +# minimum_direct_hops 4 + +# TAG: minimum_direct_rtt (msec) +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many rtt milliseconds away. +#Default: +# minimum_direct_rtt 400 + +# TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_low 900 + +# TAG: netdb_high +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_high 1000 + +# TAG: netdb_ping_period +# The minimum period for measuring a site. There will be at +# least this much delay between successive pings to the same +# network. The default is five minutes. +#Default: +# netdb_ping_period 5 minutes + +# TAG: query_icmp on|off +# If you want to ask your peers to include ICMP data in their ICP +# replies, enable this option. +# +# If your peer has configured Squid (during compilation) with +# '--enable-icmp' that peer will send ICMP pings to origin server +# sites of the URLs it receives. If you enable this option the +# ICP replies from that peer will include the ICMP data (if available). +# Then, when choosing a parent cache, Squid will choose the parent with +# the minimal RTT to the origin server. When this happens, the +# hierarchy field of the access.log will be +# "CLOSEST_PARENT_MISS". This option is off by default. +#Default: +# query_icmp off + +# TAG: test_reachability on|off +# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH +# instead of ICP_MISS if the target host is NOT in the ICMP +# database, or has a zero RTT. +#Default: +# test_reachability off + +# TAG: icp_query_timeout (msec) +# Normally Squid will automatically determine an optimal ICP +# query timeout value based on the round-trip-time of recent ICP +# queries. If you want to override the value determined by +# Squid, set this 'icp_query_timeout' to a non-zero value. This +# value is specified in MILLISECONDS, so, to use a 2-second +# timeout (the old default), you would write: +# +# icp_query_timeout 2000 +#Default: +# Dynamic detection. + +# TAG: maximum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very large values (say 5 seconds). +# Use this option to put an upper limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# maximum_icp_query_timeout 2000 + +# TAG: minimum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very small timeouts, even lower than +# the normal latency variance on your link due to traffic. +# Use this option to put an lower limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# minimum_icp_query_timeout 5 + +# TAG: background_ping_rate time-units +# Controls how often the ICP pings are sent to siblings that +# have background-ping set. +#Default: +# background_ping_rate 10 seconds + +# MULTICAST ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: mcast_groups +# This tag specifies a list of multicast groups which your server +# should join to receive multicasted ICP queries. +# +# NOTE! Be very careful what you put here! Be sure you +# understand the difference between an ICP _query_ and an ICP +# _reply_. This option is to be set only if you want to RECEIVE +# multicast queries. Do NOT set this option to SEND multicast +# ICP (use cache_peer for that). ICP replies are always sent via +# unicast, so this option does not affect whether or not you will +# receive replies from multicast group members. +# +# You must be very careful to NOT use a multicast address which +# is already in use by another group of caches. +# +# If you are unsure about multicast, please read the Multicast +# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). +# +# Usage: mcast_groups 239.128.16.128 224.0.1.20 +# +# By default, Squid doesn't listen on any multicast groups. +#Default: +# none + +# TAG: mcast_miss_addr +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# If you enable this option, every "cache miss" URL will +# be sent out on the specified multicast address. +# +# Do not enable this option unless you are are absolutely +# certain you understand what you are doing. +#Default: +# disabled. + +# TAG: mcast_miss_ttl +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the time-to-live value for packets multicasted +# when multicasting off cache miss URLs is enabled. By +# default this is set to 'site scope', i.e. 16. +#Default: +# mcast_miss_ttl 16 + +# TAG: mcast_miss_port +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the port number to be used in conjunction with +# 'mcast_miss_addr'. +#Default: +# mcast_miss_port 3135 + +# TAG: mcast_miss_encode_key +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# The URLs that are sent in the multicast miss stream are +# encrypted. This is the encryption key. +#Default: +# mcast_miss_encode_key XXXXXXXXXXXXXXXX + +# TAG: mcast_icp_query_timeout (msec) +# For multicast peers, Squid regularly sends out ICP "probes" to +# count how many other peers are listening on the given multicast +# address. This value specifies how long Squid should wait to +# count all the replies. The default is 2000 msec, or 2 +# seconds. +#Default: +# mcast_icp_query_timeout 2000 + +# INTERNAL ICON OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icon_directory +# Where the icons are stored. These are normally kept in +# /usr/share/squid/icons +#Default: +# icon_directory /usr/share/squid/icons + +# TAG: global_internal_static +# This directive controls is Squid should intercept all requests for +# /squid-internal-static/ no matter which host the URL is requesting +# (default on setting), or if nothing special should be done for +# such URLs (off setting). The purpose of this directive is to make +# icons etc work better in complex cache hierarchies where it may +# not always be possible for all corners in the cache mesh to reach +# the server generating a directory listing. +#Default: +# global_internal_static on + +# TAG: short_icon_urls +# If this is enabled Squid will use short URLs for icons. +# If disabled it will revert to the old behavior of including +# it's own name and port in the URL. +# +# If you run a complex cache hierarchy with a mix of Squid and +# other proxies you may need to disable this directive. +#Default: +# short_icon_urls on + +# ERROR PAGE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: error_directory +# If you wish to create your own versions of the default +# error files to customize them to suit your company copy +# the error/template files to another directory and point +# this tag at them. +# +# WARNING: This option will disable multi-language support +# on error pages if used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are making translations for a +# language that Squid does not currently provide please consider +# contributing your translation back to the project. +# http://wiki.squid-cache.org/Translations +# +# The squid developers working on translations are happy to supply drop-in +# translated error files in exchange for any new language contributions. +#Default: +# Send error pages in the clients preferred language + +# TAG: error_default_language +# Set the default language which squid will send error pages in +# if no existing translation matches the clients language +# preferences. +# +# If unset (default) generic English will be used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are interested in making +# translations for any language see the squid wiki for details. +# http://wiki.squid-cache.org/Translations +#Default: +# Generate English language pages. + +# TAG: error_log_languages +# Log to cache.log what languages users are attempting to +# auto-negotiate for translations. +# +# Successful negotiations are not logged. Only failures +# have meaning to indicate that Squid may need an upgrade +# of its error page translations. +#Default: +# error_log_languages on + +# TAG: err_page_stylesheet +# CSS Stylesheet to pattern the display of Squid default error pages. +# +# For information on CSS see http://www.w3.org/Style/CSS/ +#Default: +# err_page_stylesheet /etc/squid/errorpage.css + +# TAG: err_html_text +# HTML text to include in error messages. Make this a "mailto" +# URL to your admin address, or maybe just a link to your +# organizations Web page. +# +# To include this in your error messages, you must rewrite +# the error template files (found in the "errors" directory). +# Wherever you want the 'err_html_text' line to appear, +# insert a %L tag in the error template file. +#Default: +# none + +# TAG: email_err_data on|off +# If enabled, information about the occurred error will be +# included in the mailto links of the ERR pages (if %W is set) +# so that the email body contains the data. +# Syntax is %w +#Default: +# email_err_data on + +# TAG: deny_info +# Usage: deny_info err_page_name acl +# or deny_info http://... acl +# or deny_info TCP_RESET acl +# +# This can be used to return a ERR_ page for requests which +# do not pass the 'http_access' rules. Squid remembers the last +# acl it evaluated in http_access, and if a 'deny_info' line exists +# for that ACL Squid returns a corresponding error page. +# +# The acl is typically the last acl on the http_access deny line which +# denied access. The exceptions to this rule are: +# - When Squid needs to request authentication credentials. It's then +# the first authentication related acl encountered +# - When none of the http_access lines matches. It's then the last +# acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. +# +# NP: If providing your own custom error pages with error_directory +# you may also specify them by your custom file name: +# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys +# +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED +# +# Alternatively you can tell Squid to reset the TCP connection +# by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# +#Default: +# none + +# OPTIONS INFLUENCING REQUEST FORWARDING +# ----------------------------------------------------------------------------- + +# TAG: nonhierarchical_direct +# By default, Squid will send any non-hierarchical requests +# (not cacheable request type) direct to origin servers. +# +# When this is set to "off", Squid will prefer to send these +# requests to parents. +# +# Note that in most configurations, by turning this off you will only +# add latency to these request without any improvement in global hit +# ratio. +# +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. +#Default: +# nonhierarchical_direct on + +# TAG: prefer_direct +# Normally Squid tries to use parents for most requests. If you for some +# reason like it to first try going direct and only use a parent if +# going direct fails set this to on. +# +# By combining nonhierarchical_direct off and prefer_direct on you +# can set up Squid to use a parent as a backup path if going direct +# fails. +# +# Note: If you want Squid to use parents for all requests see +# the never_direct directive. prefer_direct only modifies how Squid +# acts on cacheable requests. +#Default: +# prefer_direct off + +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + +# TAG: always_direct +# Usage: always_direct allow|deny [!]aclname ... +# +# Here you can use ACL elements to specify requests which should +# ALWAYS be forwarded by Squid to the origin servers without using +# any peers. For example, to always directly forward requests for +# local servers ignoring any parents or siblings you may have use +# something like: +# +# acl local-servers dstdomain my.domain.net +# always_direct allow local-servers +# +# To always forward FTP requests directly, use +# +# acl FTP proto FTP +# always_direct allow FTP +# +# NOTE: There is a similar, but opposite option named +# 'never_direct'. You need to be aware that "always_direct deny +# foo" is NOT the same thing as "never_direct allow foo". You +# may need to use a deny rule to exclude a more-specific case of +# some other rule. Example: +# +# acl local-external dstdomain external.foo.net +# acl local-servers dstdomain .foo.net +# always_direct deny local-external +# always_direct allow local-servers +# +# NOTE: If your goal is to make the client forward the request +# directly to the origin server bypassing Squid then this needs +# to be done in the client configuration. Squid configuration +# can only tell Squid how Squid should fetch the object. +# +# NOTE: This directive is not related to caching. The replies +# is cached as usual even if you use always_direct. To not cache +# the replies see the 'cache' directive. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Prevent any cache_peer being used for this request. + +# TAG: never_direct +# Usage: never_direct allow|deny [!]aclname ... +# +# never_direct is the opposite of always_direct. Please read +# the description for always_direct if you have not already. +# +# With 'never_direct' you can use ACL elements to specify +# requests which should NEVER be forwarded directly to origin +# servers. For example, to force the use of a proxy for all +# requests, except those in your local domain use something like: +# +# acl local-servers dstdomain .foo.net +# never_direct deny local-servers +# never_direct allow all +# +# or if Squid is inside a firewall and there are local intranet +# servers inside the firewall use something like: +# +# acl local-intranet dstdomain .foo.net +# acl local-external dstdomain external.foo.net +# always_direct deny local-external +# always_direct allow local-intranet +# never_direct allow all +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow DNS results to be used for this request. + +# ADVANCED NETWORKING OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_udp_average 6 + +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_tcp_average 4 + +# TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_dns_average 4 + +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_udp_poll_cnt 8 + +# TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_dns_poll_cnt 8 + +# TAG: min_tcp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_tcp_poll_cnt 8 + +# TAG: accept_filter +# FreeBSD: +# +# The name of an accept(2) filter to install on Squid's +# listen socket(s). This feature is perhaps specific to +# FreeBSD and requires support in the kernel. +# +# The 'httpready' filter delays delivering new connections +# to Squid until a full HTTP request has been received. +# See the accf_http(9) man page for details. +# +# The 'dataready' filter delays delivering new connections +# to Squid until there is some data to process. +# See the accf_dataready(9) man page for details. +# +# Linux: +# +# The 'data' filter delays delivering of new connections +# to Squid until there is some data to process by TCP_ACCEPT_DEFER. +# You may optionally specify a number of seconds to wait by +# 'data=N' where N is the number of seconds. Defaults to 30 +# if not specified. See the tcp(7) man page for details. +#EXAMPLE: +## FreeBSD +#accept_filter httpready +## Linux +#accept_filter data +#Default: +# none + +# TAG: client_ip_max_connections +# Set an absolute limit on the number of connections a single +# client IP can use. Any more than this and Squid will begin to drop +# new connections from the client until it closes some links. +# +# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP +# connections from the client. For finer control use the ACL access controls. +# +# Requires client_db to be enabled (the default). +# +# WARNING: This may noticably slow down traffic received via external proxies +# or NAT devices and cause them to rebound error messages back to their clients. +#Default: +# No limit. + +# TAG: tcp_recv_bufsize (bytes) +# Size of receive buffer to set for TCP sockets. Probably just +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. +#Default: +# Use operating system TCP defaults. + +# ICAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icap_enable on|off +# If you want to enable the ICAP module support, set this to on. +#Default: +# icap_enable off + +# TAG: icap_connect_timeout +# This parameter specifies how long to wait for the TCP connect to +# the requested ICAP server to complete before giving up and either +# terminating the HTTP transaction or bypassing the failure. +# +# The default for optional services is peer_connect_timeout. +# The default for essential services is connect_timeout. +# If this option is explicitly set, its value applies to all services. +#Default: +# none + +# TAG: icap_io_timeout time-units +# This parameter specifies how long to wait for an I/O activity on +# an established, active ICAP connection before giving up and +# either terminating the HTTP transaction or bypassing the +# failure. +#Default: +# Use read_timeout. + +# TAG: icap_service_failure_limit limit [in memory-depth time-units] +# The limit specifies the number of failures that Squid tolerates +# when establishing a new TCP connection with an ICAP service. If +# the number of failures exceeds the limit, the ICAP service is +# not used for new ICAP requests until it is time to refresh its +# OPTIONS. +# +# A negative value disables the limit. Without the limit, an ICAP +# service will not be considered down due to connectivity failures +# between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds +#Default: +# icap_service_failure_limit 10 + +# TAG: icap_service_revival_delay +# The delay specifies the number of seconds to wait after an ICAP +# OPTIONS request failure before requesting the options again. The +# failed ICAP service is considered "down" until fresh OPTIONS are +# fetched. +# +# The actual delay cannot be smaller than the hardcoded minimum +# delay of 30 seconds. +#Default: +# icap_service_revival_delay 180 + +# TAG: icap_preview_enable on|off +# The ICAP Preview feature allows the ICAP server to handle the +# HTTP message by looking only at the beginning of the message body +# or even without receiving the body at all. In some environments, +# previews greatly speedup ICAP processing. +# +# During an ICAP OPTIONS transaction, the server may tell Squid what +# HTTP messages should be previewed and how big the preview should be. +# Squid will not use Preview if the server did not request one. +# +# To disable ICAP Preview for all ICAP services, regardless of +# individual ICAP server OPTIONS responses, set this option to "off". +#Example: +#icap_preview_enable off +#Default: +# icap_preview_enable on + +# TAG: icap_preview_size +# The default size of preview data to be sent to the ICAP server. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off +#Default: +# icap_206_enable on + +# TAG: icap_default_options_ttl +# The default TTL value for ICAP OPTIONS responses that don't have +# an Options-TTL header. +#Default: +# icap_default_options_ttl 60 + +# TAG: icap_persistent_connections on|off +# Whether or not Squid should use persistent connections to +# an ICAP server. +#Default: +# icap_persistent_connections on + +# TAG: adaptation_send_client_ip on|off +# If enabled, Squid shares HTTP client IP information with adaptation +# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. +# For eCAP, Squid sets the libecap::metaClientIp transaction option. +# +# See also: adaptation_uses_indirect_client +#Default: +# adaptation_send_client_ip off + +# TAG: adaptation_send_username on|off +# This sends authenticated HTTP client username (if available) to +# the adaptation service. +# +# For ICAP, the username value is encoded based on the +# icap_client_username_encode option and is sent using the header +# specified by the icap_client_username_header option. +#Default: +# adaptation_send_username off + +# TAG: icap_client_username_header +# ICAP request header name to use for adaptation_send_username. +#Default: +# icap_client_username_header X-Client-Username + +# TAG: icap_client_username_encode on|off +# Whether to base64 encode the authenticated client username. +#Default: +# icap_client_username_encode off + +# TAG: icap_service +# Defines a single ICAP service using the following format: +# +# icap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# ICAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: icap://servername:port/servicepath +# ICAP server and service location. +# +# ICAP does not allow a single service to handle both REQMOD and RESPMOD +# transactions. Squid does not enforce that requirement. You can specify +# services with the same service_url and different vectoring_points. You +# can even specify multiple identical services as long as their +# service_names differ. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. ICAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the ICAP service is treated as +# optional. If the service cannot be reached or malfunctions, +# Squid will try to ignore any errors and process the message as +# if the service was not enabled. No all ICAP errors can be +# bypassed. If set to 0, the ICAP service is treated as +# essential and all ICAP errors will result in an error page +# returned to the HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the ICAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. The services +# are specified using the X-Next-Services ICAP response header +# value, formatted as a comma-separated list of service names. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default: the ICAP X-Next-Services +# response header is ignored. +# +# ipv6=on|off +# Only has effect on split-stack systems. The default on those systems +# is to use IPv4-only connections. When set to 'on' this option will +# make Squid use IPv6-only connections to contact this ICAP service. +# +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# +# Older icap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +#Example: +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on +#Default: +# none + +# TAG: icap_class +# This deprecated option was documented to define an ICAP service +# chain, even though it actually defined a set of similar, redundant +# services, and the chains were not supported. +# +# To define a set of redundant services, please use the +# adaptation_service_set directive. For service chains, use +# adaptation_service_chain. +#Default: +# none + +# TAG: icap_access +# This option is deprecated. Please use adaptation_access, which +# has the same ICAP functionality, but comes with better +# documentation, and eCAP support. +#Default: +# none + +# eCAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ecap_enable on|off +# Controls whether eCAP support is enabled. +#Default: +# ecap_enable off + +# TAG: ecap_service +# Defines a single eCAP service +# +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# eCAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service +# was not enabled. No all eCAP errors can be bypassed. +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the +# HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +# +#Example: +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on +#Default: +# none + +# TAG: loadable_modules +# Instructs Squid to load the specified dynamic module(s) or activate +# preloaded module(s). +#Example: +#loadable_modules /usr/lib/MinimalAdapter.so +#Default: +# none + +# MESSAGE ADAPTATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: adaptation_service_set +# +# Configures an ordered set of similar, redundant services. This is +# useful when hot standby or backup adaptation servers are available. +# +# adaptation_service_set set_name service_name1 service_name2 ... +# +# The named services are used in the set declaration order. The first +# applicable adaptation service from the set is used first. The next +# applicable service is tried if and only if the transaction with the +# previous service fails and the message waiting to be adapted is still +# intact. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the set. A broken service is a down optional service. +# +# The services in a set must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# If all services in a set are optional then adaptation failures are +# bypassable. If all services in the set are essential, then a +# transaction failure with one service may still be retried using +# another service from the set, but when all services fail, the master +# transaction fails as well. +# +# A set may contain a mix of optional and essential services, but that +# is likely to lead to surprising results because broken services become +# ignored (see above), making previously bypassable failures fatal. +# Technically, it is the bypassability of the last failed service that +# matters. +# +# See also: adaptation_access adaptation_service_chain +# +#Example: +#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +#adaptation service_set svcLogger loggerLocal loggerRemote +#Default: +# none + +# TAG: adaptation_service_chain +# +# Configures a list of complementary services that will be applied +# one-by-one, forming an adaptation chain or pipeline. This is useful +# when Squid must perform different adaptations on the same message. +# +# adaptation_service_chain chain_name service_name1 svc_name2 ... +# +# The named services are used in the chain declaration order. The first +# applicable adaptation service from the chain is used first. The next +# applicable service is applied to the successful adaptation results of +# the previous service in the chain. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the chain. A broken service is a down optional service. +# +# Request satisfaction terminates the adaptation chain because Squid +# does not currently allow declaration of RESPMOD services at the +# "reqmod_precache" vectoring point (see icap_service or ecap_service). +# +# The services in a chain must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# A chain may contain a mix of optional and essential services. If an +# essential adaptation fails (or the failure cannot be bypassed for +# other reasons), the master transaction fails. Otherwise, the failure +# is bypassed as if the failed adaptation service was not in the chain. +# +# See also: adaptation_access adaptation_service_set +# +#Example: +#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +#Default: +# none + +# TAG: adaptation_access +# Sends an HTTP transaction to an ICAP or eCAP adaptation service. +# +# adaptation_access service_name allow|deny [!]aclname... +# adaptation_access set_name allow|deny [!]aclname... +# +# At each supported vectoring point, the adaptation_access +# statements are processed in the order they appear in this +# configuration file. Statements pointing to the following services +# are ignored (i.e., skipped without checking their ACL): +# +# - services serving different vectoring points +# - "broken-but-bypassable" services +# - "up" services configured to ignore such transactions +# (e.g., based on the ICAP Transfer-Ignore header). +# +# When a set_name is used, all services in the set are checked +# using the same rules, to find the first applicable one. See +# adaptation_service_set for details. +# +# If an access list is checked and there is a match, the +# processing stops: For an "allow" rule, the corresponding +# adaptation service is used for the transaction. For a "deny" +# rule, no adaptation service is activated. +# +# It is currently not possible to apply more than one adaptation +# service at the same vectoring point to the same HTTP transaction. +# +# See also: icap_service and ecap_service +# +#Example: +#adaptation_access service_1 allow all +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: adaptation_service_iteration_limit +# Limits the number of iterations allowed when applying adaptation +# services to a message. If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + +# TAG: icap_retry +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. +# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Limits the number of retries allowed. +# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# No retries are allowed. + +# DNS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: check_hostnames +# For security and stability reasons Squid can check +# hostnames for Internet standard RFC compliance. If you want +# Squid to perform these checks turn this directive on. +#Default: +# check_hostnames off + +# TAG: allow_underscore +# Underscore characters is not strictly allowed in Internet hostnames +# but nevertheless used by many sites. Set this to off if you want +# Squid to be strict about the standard. +# This check is performed only when check_hostnames is set to on. +#Default: +# allow_underscore on + +# TAG: dns_retransmit_interval +# Initial retransmit interval for DNS queries. The interval is +# doubled each time all configured DNS servers have been tried. +#Default: +# dns_retransmit_interval 5 seconds + +# TAG: dns_timeout +# DNS Query timeout. If no response is received to a DNS query +# within this time all DNS servers for the queried domain +# are assumed to be unavailable. +#Default: +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled + +# TAG: dns_defnames on|off +# Normally the RES_DEFNAMES resolver option is disabled +# (see res_init(3)). This prevents caches in a hierarchy +# from interpreting single-component hostnames locally. To allow +# Squid to handle single-component names, enable this option. +#Default: +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. + +# TAG: dns_nameservers +# Use this if you want to specify a list of DNS name servers +# (IP addresses) to use instead of those given in your +# /etc/resolv.conf file. +# +# On Windows platforms, if no value is specified here or in +# the /etc/resolv.conf file, the list of DNS name servers are +# taken from the Windows registry, both static and dynamic DHCP +# configurations are supported. +# +# Example: dns_nameservers 10.0.0.1 192.172.0.4 +#Default: +# Use operating system definitions + +# TAG: hosts_file +# Location of the host-local IP name-address associations +# database. Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: dns_v4_first +# With the IPv6 Internet being as fast or faster than IPv4 Internet +# for most networks Squid prefers to contact websites over IPv6. +# +# This option reverses the order of preference to make Squid contact +# dual-stack websites over IPv4 first. Squid will still perform both +# IPv6 and IPv4 DNS lookups before connecting. +# +# WARNING: +# This option will restrict the situations under which IPv6 +# connectivity is used (and tested), potentially hiding network +# problems which would otherwise be detected and warned about. +#Default: +# dns_v4_first off + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. +#Default: +# ipcache_high 95 + +# TAG: fqdncache_size (number of entries) +# Maximum number of FQDN cache entries. +#Default: +# fqdncache_size 1024 + +# MISCELLANEOUS +# ----------------------------------------------------------------------------- + +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + +# TAG: memory_pools on|off +# If set, Squid will keep pools of allocated (but unused) memory +# available for future use. If memory is a premium on your +# system and you believe your malloc library outperforms Squid +# routines, disable this. +#Default: +# memory_pools on + +# TAG: memory_pools_limit (bytes) +# Used only with memory_pools on: +# memory_pools_limit 50 MB +# +# If set to a non-zero value, Squid will keep at most the specified +# limit of allocated (but unused) memory in memory pools. All free() +# requests that exceed this limit will be handled by your malloc +# library. Squid does not pre-allocate any memory, just safe-keeps +# objects that otherwise would be free()d. Thus, it is safe to set +# memory_pools_limit to a reasonably high value even if your +# configuration will use less memory. +# +# If set to none, Squid will keep all memory it can. That is, there +# will be no limit on the total amount of memory used for safe-keeping. +# +# To disable memory allocation optimization, do not set +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. +# +# An overhead for maintaining memory pools is not taken into account +# when the limit is checked. This overhead is close to four bytes per +# object kept. However, pools may actually _save_ memory because of +# reduced memory thrashing in your malloc library. +#Default: +# memory_pools_limit 5 MB + +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: +# +# X-Forwarded-For: 192.1.2.3 +# +# If set to "off", it will appear as +# +# X-Forwarded-For: unknown +# +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place the client IP as the sole entry. +#Default: +# forwarded_for on + +# TAG: cachemgr_passwd +# Specify passwords for cachemgr operations. +# +# Usage: cachemgr_passwd password action action ... +# +# Some valid actions are (see cache manager menu for a full list): +# 5min +# 60min +# asndb +# authenticator +# cbdata +# client_list +# comm_incoming +# config * +# counters +# delay +# digest_stats +# dns +# events +# filedescriptors +# fqdncache +# histograms +# http_headers +# info +# io +# ipcache +# mem +# menu +# netdb +# non_peers +# objects +# offline_toggle * +# pconn +# peer_select +# reconfigure * +# redirector +# refresh +# server_list +# shutdown * +# store_digest +# storedir +# utilization +# via_headers +# vm_objects +# +# * Indicates actions which will not be performed without a +# valid password, others can be performed if not listed here. +# +# To disable an action, set the password to "disable". +# To allow performing an action without a password, set the +# password to "none". +# +# Use the keyword "all" to set the same password for all actions. +# +#Example: +# cachemgr_passwd secret shutdown +# cachemgr_passwd lesssssssecret info stats/objects +# cachemgr_passwd disable all +#Default: +# No password. Actions which require password are denied. + +# TAG: client_db on|off +# If you want to disable collecting per-client statistics, +# turn off client_db here. +#Default: +# client_db on + +# TAG: refresh_all_ims on|off +# When you enable this option, squid will always check +# the origin server for an update when a client sends an +# If-Modified-Since request. Many browsers use IMS +# requests when the user requests a reload, and this +# ensures those clients receive the latest version. +# +# By default (off), squid may return a Not Modified response +# based on the age of the cached version. +#Default: +# refresh_all_ims off + +# TAG: reload_into_ims on|off +# When you enable this option, client no-cache or ``reload'' +# requests will be changed to If-Modified-Since requests. +# Doing this VIOLATES the HTTP standard. Enabling this +# feature could make you liable for problems which it +# causes. +# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. +# +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. +# +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. +#Default: +# Do not retry failed connections. + +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: balance_on_multiple_ip +# Modern IP resolvers in squid sort lookup results by preferred access. +# By default squid will use these IP in order and only rotates to +# the next listed when the most preffered fails. +# +# Some load balancing servers based on round robin DNS have been +# found not to preserve user session state across requests +# to different IP addresses. +# +# Enabling this directive Squid rotates IP's per request. +#Default: +# balance_on_multiple_ip off + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. + +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. +#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. +# +# Remove from squid.conf to inherit the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + diff --git a/roles/squid/files/squid.s-proxy.conf b/roles/squid/files/squid.s-proxy.conf new file mode 100644 index 0000000..83ab439 --- /dev/null +++ b/roles/squid/files/squid.s-proxy.conf @@ -0,0 +1,8579 @@ +# WELCOME TO SQUID 4.6 +# ---------------------------- +# +# This is the documentation for the Squid configuration file. +# This documentation can also be found online at: +# http://www.squid-cache.org/Doc/config/ +# +# You may wish to look at the Squid home page and wiki for the +# FAQ and other documentation: +# http://www.squid-cache.org/ +# http://wiki.squid-cache.org/SquidFaq +# http://wiki.squid-cache.org/ConfigExamples +# +# This documentation shows what the defaults for various directives +# happen to be. If you don't need to change the default, you should +# leave the line out of your squid.conf in most cases. +# +# In some cases "none" refers to no default setting at all, +# while in other cases it refers to the value of the option +# - the comments for that keyword indicate if this is the case. +# + +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards are +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# +# Logformat Macros +# +# Logformat macros can be used in many places outside of the logformat +# directive. In theory, all of the logformat codes can be used as %macros, +# where they are supported. In practice, a %macro expands as a dash (-) when +# the transaction does not yet have enough information and a value is needed. +# +# There is no definitive list of what tokens are available at the various +# stages of the transaction. +# +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_peer_domain +# Replace with dstdomain ACLs and cache_peer_access. +#Default: +# none + +# TAG: ie_refresh +# Remove this line. The behaviour enabled by this is no longer needed. +#Default: +# none + +# TAG: sslproxy_cafile +# Remove this line. Use tls_outgoing_options cafile= instead. +#Default: +# none + +# TAG: sslproxy_capath +# Remove this line. Use tls_outgoing_options capath= instead. +#Default: +# none + +# TAG: sslproxy_cipher +# Remove this line. Use tls_outgoing_options cipher= instead. +#Default: +# none + +# TAG: sslproxy_client_certificate +# Remove this line. Use tls_outgoing_options cert= instead. +#Default: +# none + +# TAG: sslproxy_client_key +# Remove this line. Use tls_outgoing_options key= instead. +#Default: +# none + +# TAG: sslproxy_flags +# Remove this line. Use tls_outgoing_options flags= instead. +#Default: +# none + +# TAG: sslproxy_options +# Remove this line. Use tls_outgoing_options options= instead. +#Default: +# none + +# TAG: sslproxy_version +# Remove this line. Use tls_outgoing_options options= instead. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: balance_on_multiple_ip +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % +##auth_param negotiate children 20 startup=0 idle=1 +##auth_param negotiate keep_alive on +## +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## +##auth_param basic program +##auth_param basic children 5 startup=5 idle=1 +##auth_param basic realm Squid proxy-caching web server +##auth_param basic credentialsttl 2 hours +#Default: +# none + +# TAG: authenticate_cache_garbage_interval +# The time period between garbage collection across the username cache. +# This is a trade-off between memory utilization (long intervals - say +# 2 days) and CPU (short intervals - say 1 minute). Only change if you +# have good reason to. +#Default: +# authenticate_cache_garbage_interval 1 hour + +# TAG: authenticate_ttl +# The time a user & their credentials stay in the logged in +# user cache since their last request. When the garbage +# interval passes, all user credentials that have passed their +# TTL are removed from memory. +#Default: +# authenticate_ttl 1 hour + +# TAG: authenticate_ip_ttl +# If you use proxy authentication and the 'max_user_ip' ACL, +# this directive controls how long Squid remembers the IP +# addresses associated with each user. Use a small value +# (e.g., 60 seconds) if your users might change addresses +# quickly, as is the case with dialup. You might be safe +# using a larger value (e.g., 2 hours) in a corporate LAN +# environment with relatively static address assignments. +#Default: +# authenticate_ip_ttl 1 second + +# ACCESS CONTROLS +# ----------------------------------------------------------------------------- + +# TAG: external_acl_type +# This option defines external acl classes using a helper program +# to look up the status +# +# external_acl_type name [options] FORMAT /path/to/helper [helper arguments] +# +# Options: +# +# ttl=n TTL in seconds for cached results (defaults to 3600 +# for 1 hour) +# +# negative_ttl=n +# TTL for cached negative lookups (default same +# as ttl) +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# queue-size=N The queue-size option sets the maximum number of +# queued requests. A request is queued when no existing +# helper can accept it due to concurrency limit and no +# new helper can be started due to children-max limit. +# If the queued requests exceed queue size, the acl is +# ignored. The default value is set to 2*children-max. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# +# ipv4 / ipv6 IP protocol used to communicate with this helper. +# The default is to auto-detect IPv6 and use it when available. +# +# +# FORMAT is a series of %macro codes. See logformat directive for a full list +# of the accepted codes. Although note that at the time of any external ACL +# being tested data may not be available and thus some %macro expand to '-'. +# +# In addition to the logformat codes; when processing external ACLs these +# additional macros are made available: +# +# %ACL The name of the ACL being tested. +# +# %DATA The ACL arguments specified in the referencing config +# 'acl ... external' line, separated by spaces (an +# "argument string"). see acl external. +# +# If there are no ACL arguments %DATA expands to '-'. +# +# If you do not specify a DATA macro inside FORMAT, +# Squid automatically appends %DATA to your FORMAT. +# Note that Squid-3.x may expand %DATA to whitespace +# or nothing in this case. +# +# By default, Squid applies URL-encoding to each ACL +# argument inside the argument string. If an explicit +# encoding modifier is used (e.g., %#DATA), then Squid +# encodes the whole argument string as a single token +# (e.g., with %#DATA, spaces between arguments become +# %20). +# +# If SSL is enabled, the following formating codes become available: +# +# %USER_CERT SSL User certificate in PEM format +# %USER_CERTCHAIN SSL User certificate chain in PEM format +# %USER_CERT_xx SSL User certificate subject attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# +# +# NOTE: all other format codes accepted by older Squid versions +# are deprecated. +# +# +# General request syntax: +# +# [channel-ID] FORMAT-values +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# +# +# General result syntax: +# +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. +# +# Defined keywords: +# +# user= The users name (login) +# +# password= The users password (for login= cache_peer option) +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# +# log= String to be logged in access.log. Available as +# %ea in logformat specifications. +# +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# +# ACL Options +# +# Some acl types supports options which changes their default behaviour: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -m[=delimiters] +# Perform a list membership test, interpreting values as +# comma-separated token lists and matching against individual +# tokens instead of whole values. +# The optional "delimiters" parameter specifies one or more +# alternative non-alphanumeric delimiter characters. +# non-alphanumeric delimiter characters. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +#if USE_SQUID_EUI +# acl aclname arp mac-address ... +# acl aclname eui64 eui64-address ... +# # [fast] +# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation. +# # +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # The eui_lookup directive is required to be 'on' (the default) +# # and Squid built with --enable-eui for MAC/EUI addresses to be +# # available for this ACL. +# # +# # Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. +# # +# # IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. +#endif +# acl aclname clientside_mark mark[/mask] ... +# # matches CONNMARK of an accepted connection [fast] +# # +# # mark and mask are unsigned integers (hex, octal, or decimal). +# # If multiple marks are given, then the ACL matches if at least +# # one mark matches. +# # +# # Uses netfilter-conntrack library. +# # Requires building Squid with --enable-linux-netfilter. +# # +# # The client, various intermediaries, and Squid itself may set +# # CONNMARK at various times. The last CONNMARK set wins. This ACL +# # checks the mark present on an accepted connection or set by +# # Squid afterwards, depending on the ACL check timing. This ACL +# # effectively ignores any mark set by other agents after Squid has +# # accepted the connection. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] +# # Except for access control, AS numbers can be used for +# # routing of requests to specific caches. Here's an +# # example for routing all requests for AS#1241 and only +# # those to mycache.mydomain.net: +# # acl asexample dst_as 1241 +# # cache_peer_access mycache.mydomain.net allow asexample +# # cache_peer_access mycache_mydomain.net deny all +# +# acl aclname peername myPeer ... +# acl aclname peername_regex [-i] regex-pattern ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. +# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident [-i] username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# +# acl aclname proxy_auth [-i] username ... +# acl aclname proxy_auth_regex [-i] pattern ... +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. +# # use REQUIRED to accept any valid username. +# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ext_user [-i] username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note [-m[=delimiters]] name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # If the -m flag is used, then the value of the named +# # annotation is interpreted as a list of tokens, and the ACL +# # matches individual name=token pairs rather than whole +# # name=value pairs. See "ACL Options" above for more info. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname transaction_initiator initiator ... +# # Matches transaction's initiator [fast] +# # +# # Supported initiators are: +# # esi: matches transactions fetching ESI resources +# # certificate-fetching: matches transactions fetching +# # a missing intermediate TLS certificate +# # cache-digest: matches transactions fetching Cache Digests +# # from a cache_peer +# # htcp: matches HTCP requests from peers +# # icp: matches ICP requests to peers +# # icmp: matches ICMP RTT database (NetDB) requests to peers +# # asn: matches asns db requests +# # internal: matches any of the above +# # client: matches transactions containing an HTTP or FTP +# # client request received at a Squid *_port +# # all: matches any transaction, including internal transactions +# # without a configurable initiator and hopefully rare +# # transactions without a known-to-Squid initiator +# # +# # Multiple initiators are ORed. +# +# acl aclname has component +# # matches a transaction "component" [fast] +# # +# # Supported transaction components are: +# # request: transaction has a request header (at least) +# # response: transaction has a response header (at least) +# # ALE: transaction has an internally-generated Access Log Entry +# # structure; bugs notwithstanding, all transaction have it +# # +# # For example, the following configuration helps when dealing with HTTP +# # clients that close connections without sending a request header: +# # +# # acl hasRequest has request +# # acl logMe note important_transaction +# # # avoid "logMe ACL is used in context without an HTTP request" warnings +# # access_log ... logformat=detailed hasRequest logMe +# # # log request-less transactions, instead of ignoring them +# # access_log ... logformat=brief !hasRequest +# # +# # Multiple components are not supported for one "acl" rule, but +# # can be specified (and are ORed) using multiple same-name rules: +# # +# # # OK, this strange logging daemon needs request or response, +# # # but can work without either a request or a response: +# # acl hasWhatMyLoggingDaemonNeeds has request +# # acl hasWhatMyLoggingDaemonNeeds has response +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ +# +#Default: +# ACLs all, manager, localhost, and to_localhost are predefined. +# +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/16 # RFC 1918 local private network (LAN) +#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +#acl localnet src fc00::/7 # RFC 4193 local private network range +#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +# SSL +acl SSL_ports port 443 +acl SSL_ports port 80 +acl SSL_ports port 21 +acl SSL_ports port 70 +acl SSL_ports port 210 +acl SSL_ports port 1025-65535 +acl SSL_ports port 280 +acl SSL_ports port 488 +acl SSL_ports port 591 +acl SSL_ports port 777 + +# Ports +acl Safe_ports port 80 +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +acl wp url_regex ^http://s-lb.gsb.lan/* +acl wp2 url_regex ^http://192.168.100.* + +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + +# TAG: follow_x_forwarded_for +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. +# +# If a request reaches us from a source that is allowed by this +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# X-Forwarded-For header will be ignored. + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + +# TAG: http_access +# Allowing or Denying access based on defined access lists +# +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: +# http_access allow|deny [!]aclname ... +# +# NOTE on default values: +# +# If there are no "access" lines present, the default is to deny +# the request. +# +# If none of the "access" lines cause a match, the default is the +# opposite of the last line in the list. If the last line was +# deny, the default is allow. Conversely, if the last line +# is allow, the default will be deny. For these reasons, it is a +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# Deny, unless rules exist in squid.conf. +# + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localnet +#http_access allow localnet +http_access allow localhost +http_access allow wp +http_access allow wp2 +# And finally deny all other access to this proxy +http_access deny all + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# +include /etc/squid/conf.d/* + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed + + +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: http_reply_access +# Allow replies to client requests. This is complementary to http_access. +# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. +# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. +# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. + +# TAG: on_unsupported_protocol +# Determines Squid behavior when encountering strange requests at the +# beginning of an accepted TCP connection or the beginning of a bumped +# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is +# especially useful in interception environments where Squid is likely +# to see connections for unsupported protocols that Squid should either +# terminate or tunnel at TCP level. +# +# on_unsupported_protocol [!]acl ... +# +# The first matching action wins. Only fast ACLs are supported. +# +# Supported actions are: +# +# tunnel: Establish a TCP connection with the intended server and +# blindly shovel TCP packets between the client and server. +# +# respond: Respond with an error message, using the transfer protocol +# for the Squid port that received the request (e.g., HTTP +# for connections intercepted at the http_port). This is the +# default. +# +# Squid expects the following traffic patterns: +# +# http_port: a plain HTTP request +# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request +# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!) +# CONNECT tunnel on http_port: same as https_port +# CONNECT tunnel on https_port: same as https_port +# +# Currently, this directive has effect on intercepted connections and +# bumped tunnels only. Other cases are not supported because Squid +# cannot know the intended destination of other traffic. +# +# For example: +# # define what Squid errors indicate receiving non-HTTP traffic: +# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG +# # define what Squid errors indicate receiving nothing: +# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT +# # tunnel everything that does not look like HTTP: +# on_unsupported_protocol tunnel foreignProtocol +# # tunnel if we think the client waits for the server to talk first: +# on_unsupported_protocol tunnel serverTalksFirstProtocol +# # in all other error cases, just send an HTTP "error page" response: +# on_unsupported_protocol respond all +# +# See also: squid_error ACL +#Default: +# Respond with an error message to unidentifiable traffic + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. +# +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. +# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 +# +# vport Virtual host port support. Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# tls-cert= Path to file containing an X.509 certificate (PEM format) +# to be used in the TLS handshake ServerHello. +# +# If this certificate is constrained by KeyUsage TLS +# feature it must allow HTTP server usage, along with +# any additional restrictions imposed by your choice +# of options= settings. +# +# When OpenSSL is used this file may also contain a +# chain of intermediate CA certificates to send in the +# TLS handshake. +# +# When GnuTLS is used this option (and any paired +# tls-key= option) may be repeated to load multiple +# certificates for different domains. +# +# Also, when generate-host-certificates=on is configured +# the first tls-cert= option must be a CA certificate +# capable of signing the automatically generated +# certificates. +# +# tls-key= Path to a file containing private key file (PEM format) +# for the previous tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# NO_TLSv1 Disallow the use of TLSv1.0 +# +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# client certificates. If not configured clientca will be +# used. May be repeated to load multiple files. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# Requires OpenSSL or LibreSSL. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is OFF. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# +# If you run Squid on a dual-homed machine with an internal +# and an external interface we recommend you to specify the +# internal address:port in http_port. This way Squid will only be +# visible on the internal address. +# +# + +# Squid normally listens to port 3128 +http_port 8080 + +# TAG: https_port +# Usage: [ip:]port [mode] tls-cert=certificate.pem [options] +# +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. +# +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the TLS work at the accelerator +# level. +# +# You may specify multiple socket addresses on multiple lines, +# each with their own certificate and/or options. +# +# The tls-cert= option is mandatory on HTTPS ports. +# +# See http_port for a list of modes and options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. +# +# Usage: ftp_port address [mode] [options] +# +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). +# +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. +# +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. +# +# disable-preserve-miss +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). +# +#Default: +# none + +# TAG: tcp_outgoing_address +# Allows you to map requests to different outgoing IP addresses +# based on the username or source address of the user making +# the request. +# +# tcp_outgoing_address ipaddr [[!]aclname] ... +# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net +# +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. +# +# +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. +# +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on + +# TLS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: tls_outgoing_options +# disable Do not support https:// URLs. +# +# cert=/path/to/client/certificate +# A client X.509 certificate to use when connecting. +# +# key=/path/to/client/private_key +# The private key corresponding to the cert= above. +# +# If key= is not specified cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher=... The list of valid TLS ciphers to use. +# +# min-version=1.N +# The minimum TLS protocol version to permit. +# To control SSLv3 use the options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# options=... Specify various TLS/SSL implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation +# for a more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. +# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# +# cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# capath= A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# crlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# flags=... Specify various flags modifying the TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# domain= The peer name as advertised in its certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +#Default: +# tls_outgoing_options min-version=1.0 + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. +#Default: +# none + +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# When used on step SslBump1, establishes a secure connection +# with the client first, then connect to the server. +# When used on step SslBump2 or SslBump3, establishes a secure +# connection with the server and, using a mimicked server +# certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# +# +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. +# +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all +#Default: +# Become a TCP tunnel without decrypting proxied traffic. + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers for example.com. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslpassword_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify a program used for entering SSL key passphrases +# when using encrypted SSL certificate keys. If not specified +# keys must either be unencrypted, or Squid started with the -N +# option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. +#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for certificate +# generator. +# +# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response +# times on repeated requests. To enable caching, specify -s and -M +# parameters. If those parameters are not given, the program generates +# a new certificate on every request. +# +# For more information use: +# /usr/lib/squid/security_file_certgen -h +#Default: +# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specifies the maximum number of certificate generation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child is idle and no new child can be started due to +# numberofchildren limit. If the queued requests exceed queue size for +# more than 3 minutes squid aborts its operation. The default value is +# set to 2*numberofchildren. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specifies the maximum number of certificate validation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. If the queued +# requests exceed queue size for more than 3 minutes squid aborts its +# operation. The default value is set to 2*numberofchildren. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# auth-no-keytab +# Do not use a keytab to authenticate to a peer when +# login=NEGOTIATE is specified. Let the GSSAPI +# implementation determine which already existing +# credentials cache to use instead. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# tls Encrypt connections to this peer with TLS. +# +# sslcert=/path/to/ssl/certificate +# A client X.509 certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private key corresponding to sslcert above. +# +# If sslkey= is not specified sslcert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# tls-min-version=1.N +# The minimum TLS protocol version to permit. To control +# SSLv3 use the tls-options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# tls-options=... Specify various TLS implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. +# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# sslflags=... Specify various flags modifying the SSL implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https[=off|on|auto] +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. This is primarily useful when +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. +# +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. +# +# name=xxx Unique name for the peer. +# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to identify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. +# +# no-tproxy Do not use the client-spoof TPROXY support when forwarding +# requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. +# +# proxy-only objects fetched from the peer will not be stored locally. +# +#Default: +# none + +# TAG: cache_peer_access +# Restricts usage of cache_peer proxies. +# +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# No peer usage restrictions. + +# TAG: neighbor_type_domain +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. +# +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... +# +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. +#Default: +# The peer type from cache_peer directive is used for all requests to that peer. + +# TAG: dead_peer_timeout (seconds) +# This controls how long Squid waits to declare a peer cache +# as "dead." If there are no ICP replies received in this +# amount of time, Squid will declare the peer dead and not +# expect to receive any further ICP replies. However, it +# continues to send ICP queries, and will mark the peer as +# alive upon receipt of the first subsequent ICP reply. +# +# This timeout also affects when Squid expects to receive ICP +# replies from peers. If more than 'dead_peer' seconds have +# passed since the last ICP reply was received, Squid will not +# expect to receive an ICP reply on the next query. Thus, if +# your time between requests is greater than this timeout, you +# will see a lot of requests sent DIRECT to origin servers +# instead of to your parents. +#Default: +# dead_peer_timeout 10 seconds + +# TAG: forward_max_tries +# Limits the number of attempts to forward the request. +# +# For the purpose of this limit, Squid counts all high-level request +# forwarding attempts, including any same-destination retries after +# certain persistent connection failures and any attempts to use a +# different peer. However, low-level connection reopening attempts +# (enabled using connect_retries) are not counted. +# +# See also: forward_timeout and connect_retries. +#Default: +# forward_max_tries 25 + +# MEMORY CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_mem (bytes) +# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. +# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL +# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER +# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. +# +# 'cache_mem' specifies the ideal amount of memory to be used +# for: +# * In-Transit objects +# * Hot Objects +# * Negative-Cached objects +# +# Data for these objects are stored in 4 KB blocks. This +# parameter specifies the ideal upper limit on the total size of +# 4 KB blocks allocated. In-Transit objects take the highest +# priority. +# +# In-transit objects have priority over the others. When +# additional space is needed for incoming data, negative-cached +# and hot objects will be released. In other words, the +# negative-cached and hot objects will fill up any unused space +# not needed for in-transit objects. +# +# If circumstances require, this limit will be exceeded. +# Specifically, if your incoming request rate requires more than +# 'cache_mem' of memory to hold in-transit objects, Squid will +# exceed this limit to satisfy the new requests. When the load +# decreases, blocks will be freed until the high-water mark is +# reached. Thereafter, blocks will be used to store hot +# objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. +#Default: +# cache_mem 256 MB + +# TAG: maximum_object_size_in_memory (bytes) +# Objects greater than this size will not be attempted to kept in +# the memory cache. This should be set high enough to keep objects +# accessed frequently in memory to improve performance whilst low +# enough to keep larger objects from hoarding cache_mem. +#Default: +# maximum_object_size_in_memory 512 KB + +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + +# TAG: memory_replacement_policy +# The memory replacement policy parameter determines which +# objects are purged from memory when memory space is needed. +# +# See cache_replacement_policy for details on algorithms. +#Default: +# memory_replacement_policy lru + +# DISK CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_replacement_policy +# The cache replacement policy parameter determines which +# objects are evicted (replaced) when disk space is needed. +# +# lru : Squid's original list based LRU policy +# heap GDSF : Greedy-Dual Size Frequency +# heap LFUDA: Least Frequently Used with Dynamic Aging +# heap LRU : LRU policy implemented using a heap +# +# Applies to any cache_dir lines listed below this directive. +# +# The LRU policies keeps recently referenced objects. +# +# The heap GDSF policy optimizes object hit rate by keeping smaller +# popular objects in cache so it has a better chance of getting a +# hit. It achieves a lower byte hit rate than LFUDA though since +# it evicts larger (possibly popular) objects. +# +# The heap LFUDA policy keeps popular objects in cache regardless of +# their size and thus optimizes byte hit rate at the expense of +# hit rate since one large, popular object will prevent many +# smaller, slightly less popular objects from being cached. +# +# Both policies utilize a dynamic aging mechanism that prevents +# cache pollution that can otherwise occur with frequency-based +# replacement policies. +# +# NOTE: if using the LFUDA replacement policy you should increase +# the value of maximum_object_size above its default of 4 MB to +# to maximize the potential byte hit rate improvement of LFUDA. +# +# For more information about the GDSF and LFUDA cache replacement +# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html +# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +#Default: +# cache_replacement_policy lru + +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + +# TAG: cache_dir +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] +# +# You can specify multiple cache_dir lines to spread the +# cache among different disk partitions. +# +# Type specifies the kind of storage system to use. Only "ufs" +# is built by default. To enable any of the other storage systems +# see the --enable-storeio configure option. +# +# 'Directory' is a top-level directory where cache swap +# files will be stored. If you want to use an entire disk +# for caching, this can be the mount-point directory. +# The directory must exist and be writable by the Squid +# process. Squid will NOT create this directory for you. +# +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== +# +# "ufs" is the old well-known Squid storage format that has always +# been there. +# +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# +# 'Mbytes' is the amount of disk space (MB) to use under this +# directory. The default is 100 MB. Change this to suit your +# configuration. Do NOT put the size of your disk drive here. +# Instead, if you want Squid to use the entire disk drive, +# subtract 20% and use that value. +# +# 'L1' is the number of first-level subdirectories which +# will be created under the 'Directory'. The default is 16. +# +# 'L2' is the number of second-level subdirectories which +# will be created under each first-level directory. The default +# is 256. +# +# +# ==== The aufs store type ==== +# +# "aufs" uses the same storage format as "ufs", utilizing +# POSIX-threads to avoid blocking the main Squid process on +# disk-I/O. This was formerly known in Squid as async-io. +# +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# +# see argument descriptions under ufs above +# +# +# ==== The diskd store type ==== +# +# "diskd" uses the same storage format as "ufs", utilizing a +# separate process to avoid blocking the main Squid process on +# disk-I/O. +# +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# +# see argument descriptions under ufs above +# +# Q1 specifies the number of unacknowledged I/O requests when Squid +# stops opening new files. If this many messages are in the queues, +# Squid won't open new files. Default is 64 +# +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: +# +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 +#Default: +# store_dir_select_algorithm least-load + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +#Default: +# no limit + +# TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy +#Default: +# cache_swap_low 90 + +# TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy +#Default: +# cache_swap_high 95 + +# LOGFILE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: logformat +# Usage: +# +# logformat +# +# Defines an access log format. +# +# The is a string with embedded % format codes +# +# % format codes all follow the same basic structure where all +# components but the formatcode are optional and usually unnecessary, +# especially when dealing with common codes. +# +# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}] +# +# encoding escapes or otherwise protects "special" characters: +# +# " Quoted string encoding where quote(") and +# backslash(\) characters are \-escaped while +# CR, LF, and TAB characters are encoded as \r, +# \n, and \t two-character sequences. +# +# [ Custom Squid encoding where percent(%), square +# brackets([]), backslash(\) and characters with +# codes outside of [32,126] range are %-encoded. +# SP is not encoded. Used by log_mime_hdrs. +# +# # URL encoding (a.k.a. percent-encoding) where +# all URL unsafe and control characters (per RFC +# 1738) are %-encoded. +# +# / Shell-like encoding where quote(") and +# backslash(\) characters are \-escaped while CR +# and LF characters are encoded as \r and \n +# two-character sequences. Values containing SP +# character(s) are surrounded by quotes("). +# +# ' Raw/as-is encoding with no escaping/quoting. +# +# Default encoding: When no explicit encoding is +# specified, each %code determines its own encoding. +# Most %codes use raw/as-is encoding, but some codes use +# a so called "pass-through URL encoding" where all URL +# unsafe and control characters (per RFC 1738) are +# %-encoded, but the percent character(%) is left as is. +# +# - left aligned +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# +# {arg} argument such as header name etc. This field may be +# placed before or after the token, but not both at once. +# +# Format codes: +# +# % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# +# >a Client source IP address +# >A Client FQDN +# >p Client source port +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# handshake Raw client handshake +# Initial client bytes received by Squid on a newly +# accepted TCP connection or inside a just established +# CONNECT tunnel. Squid stops accumulating handshake +# bytes as soon as the handshake parser succeeds or +# fails (determining whether the client is using the +# expected protocol). +# +# For HTTP clients, the handshake is the request line. +# For TLS clients, the handshake consists of all TLS +# records up to and including the TLS record that +# contains the last byte of the first ClientHello +# message. For clients using an unsupported protocol, +# this field contains the bytes received by Squid at the +# time of the handshake parsing failure. +# +# See the on_unsupported_protocol directive for more +# information on Squid handshake traffic expectations. +# +# Current support is limited to these contexts: +# - http_port connections, but only when the +# on_unsupported_protocol directive is in use. +# - https_port connections (and CONNECT tunnels) that +# are subject to the ssl_bump peek or stare action. +# +# To protect binary handshake data, this field is always +# base64-encoded (RFC 4648 Section 4). If logformat +# field encoding is configured, that encoding is applied +# on top of base64. Otherwise, the computed base64 value +# is recorded as is. +# +# Time related format codes: +# +# ts Seconds since epoch +# tu subsecond time (milliseconds) +# tl Local time. Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tg GMT time. Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tr Response time (milliseconds) +# dt Total time spent making DNS lookups (milliseconds) +# tS Approximate master transaction start time in +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST +# +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL received from the client (or computed) +# +# Computed URLs are URIs of internally generated +# requests and various "error:..." URIs. +# +# Unlike %ru, this request URI is not affected +# by request adaptation, URL rewriting services, +# and strip_query_terms. +# +# Honors uri_whitespace. +# +# This field is using pass-through URL encoding +# by default. Encoding this field using other +# variants of %-encoding will clash with +# uri_whitespace modifications that also use +# %-encoding. +# +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Optional header name argument as for >h +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# +# [http::]h +# +# [http::]mt MIME content type +# +# +# SIZE COUNTERS +# +# [http::]st Total size of request + reply traffic with client +# [http::]>st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. +# +# ssl::>cert_subject +# The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# ssl::>cert_issuer +# The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# +# ssl::negotiated_version The negotiated TLS version of the +# client connection. +# +# %ssl::received_hello_version The TLS version of the Hello +# message received from TLS client. +# +# %ssl::received_supported_version The maximum TLS version +# supported by the TLS client. +# +# %ssl::negotiated_cipher The negotiated cipher of the +# client connection. +# +# %ssl::a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# rotate=N Specifies the number of log file rotations to +# make when you run 'squid -k rotate'. The default +# is to obey the logfile_rotate directive. Setting +# rotate=0 will disable the file name rotation, +# but the log files are still closed and re-opened. +# This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# Only supported by the stdio module. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid/access.log squid +#Default: +# access_log daemon:/var/log/squid/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. +# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid/log_file_daemon + +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + +# TAG: cache_store_log +# Logs the activities of the storage manager. Shows which +# objects are ejected from the cache, and which objects are +# saved and for how long. +# There are not really utilities to analyze this data, so you can safely +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# +# Example: +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log +#Default: +# none + +# TAG: cache_swap_state +# Location for the cache "swap.state" file. This index file holds +# the metadata of objects saved on disk. It is used to rebuild +# the cache during startup. Normally this file resides in each +# 'cache_dir' directory, but you may specify an alternate +# pathname here. Note you must give a full filename, not just +# a directory. Since this is the index for the whole object +# list you CANNOT periodically rotate it! +# +# If %s can be used in the file name it will be replaced with a +# a representation of the cache_dir name where each / is replaced +# with '.'. This is needed to allow adding/removing cache_dir +# lines when cache_swap_log is being used. +# +# If have more than one 'cache_dir', and %s is not used in the name +# these swap logs will have names such as: +# +# cache_swap_log.00 +# cache_swap_log.01 +# cache_swap_log.02 +# +# The numbered extension (which is added automatically) +# corresponds to the order of the 'cache_dir' lines in this +# configuration file. If you change the order of the 'cache_dir' +# lines in this file, these index files will NOT correspond to +# the correct 'cache_dir' entry (unless you manually rename +# them). We recommend you do NOT use this option. It is +# better to keep these index files in each 'cache_dir' directory. +#Default: +# Store the journal inside its cache_dir + +# TAG: logfile_rotate +# Specifies the default number of logfile rotations to make when you +# type 'squid -k rotate'. The default is 10, which will rotate +# with extensions 0 through 9. Setting logfile_rotate to 0 will +# disable the file name rotation, but the logfiles are still closed +# and re-opened. This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. +# +# Note, from Squid-4 this option is only a default for access.log +# recorded by stdio: module. Those logs can be rotated separately by +# using the rotate=N option on their access_log directive. +# +# Note, the 'squid -k rotate' command normally sends a USR1 +# signal to the running squid process. In certain situations +# (e.g. on Linux with Async I/O), USR1 is used for other +# purposes, so -k rotate uses another signal. It is best to get +# in the habit of using 'squid -k rotate' instead of 'kill -USR1 +# '. +# +# Note, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. +#Default: +# logfile_rotate 0 + +# TAG: mime_table +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. +#Default: +# mime_table /usr/share/squid/mime.conf + +# TAG: log_mime_hdrs on|off +# The Cache can record both the request and the response MIME +# headers for each HTTP transaction. The headers are encoded +# safely and will appear as two bracketed fields at the end of +# the access log (for either the native or httpd-emulated log +# formats). To enable this logging set log_mime_hdrs to 'on'. +#Default: +# log_mime_hdrs off + +# TAG: pid_filename +# A filename to write the process-id to. To disable, enter "none". +#Default: +# pid_filename /var/run/squid.pid + +# TAG: client_netmask +# A netmask for client addresses in logfiles and cachemgr output. +# Change this to protect the privacy of your cache clients. +# A netmask of 255.255.255.0 will log all IP's in that range with +# the last digit set to '0'. +#Default: +# Log full client IP address + +# TAG: strip_query_terms +# By default, Squid strips query terms from requested URLs before +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. +#Default: +# strip_query_terms on + +# TAG: buffered_logs on|off +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. +#Default: +# buffered_logs off + +# TAG: netdb_filename +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. +# +# To disable, enter "none". +#Default: +# netdb_filename stdio:/var/spool/squid/netdb.state + +# OPTIONS FOR TROUBLESHOOTING +# ----------------------------------------------------------------------------- + +# TAG: cache_log +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" +#Default: +# cache_log /var/log/squid/cache.log + +# TAG: debug_options +# Logging options are set as section,level where each source file +# is assigned a unique section. Lower levels result in less +# output, Full debugging (level 9) can result in a very large +# log file, so be careful. +# +# The magic word "ALL" sets debugging levels for all sections. +# The default is to run with "ALL,1" to record important warnings. +# +# The rotate=N option can be used to keep more or less of these logs +# than would otherwise be kept by logfile_rotate. +# For most uses a single log should be enough to monitor current +# events affecting Squid. +#Default: +# Log all critical and important messages. + +# TAG: coredump_dir +# By default Squid leaves core files in the directory from where +# it was started. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# Use the directory from where Squid was started. +# + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# OPTIONS FOR FTP GATEWAYING +# ----------------------------------------------------------------------------- + +# TAG: ftp_user +# If you want the anonymous login password to be more informative +# (and enable the use of picky FTP servers), set this to something +# reasonable for your domain, like wwwuser@somewhere.net +# +# The reason why this is domainless by default is the +# request can be made on the behalf of a user in any domain, +# depending on how the cache is used. +# Some FTP server also validate the email address is valid +# (for example perl.com). +#Default: +# ftp_user Squid@ + +# TAG: ftp_passive +# If your firewall does not allow Squid to use passive +# connections, turn off this option. +# +# Use of ftp_epsv_all option requires this to be ON. +#Default: +# ftp_passive on + +# TAG: ftp_epsv_all +# FTP Protocol extensions permit the use of a special "EPSV ALL" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: +# +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# none + +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + +# TAG: ftp_sanitycheck +# For security and data integrity reasons Squid by default performs +# sanity checks of the addresses of FTP data connections ensure the +# data connection is to the requested server. If you need to allow +# FTP connections to servers using another IP address for the data +# connection turn this off. +#Default: +# ftp_sanitycheck on + +# TAG: ftp_telnet_protocol +# The FTP protocol is officially defined to use the telnet protocol +# as transport channel for the control connection. However, many +# implementations are broken and does not respect this aspect of +# the FTP protocol. +# +# If you have trouble accessing files with ASCII code 255 in the +# path or similar problems involving this ASCII code you can +# try setting this directive to off. If that helps, report to the +# operator of the FTP server in question that their FTP server +# is broken and does not follow the FTP standard. +#Default: +# ftp_telnet_protocol on + +# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS +# ----------------------------------------------------------------------------- + +# TAG: diskd_program +# Specify the location of the diskd executable. +# Note this is only useful if you have compiled in +# diskd as one of the store io modules. +#Default: +# diskd_program /usr/lib/squid/diskd + +# TAG: unlinkd_program +# Specify the location of the executable for file deletion process. +#Default: +# unlinkd_program /usr/lib/squid/unlinkd + +# TAG: pinger_program +# Specify the location of the executable for the pinger process. +#Default: +# pinger_program /usr/lib/squid/pinger + +# TAG: pinger_enable +# Control whether the pinger is active at run-time. +# Enables turning ICMP pinger on and off with a simple +# squid -k reconfigure. +#Default: +# pinger_enable on + +# OPTIONS FOR URL REWRITING +# ----------------------------------------------------------------------------- + +# TAG: url_rewrite_program +# Specify the location of the executable URL rewriter to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the rewriter will receive on line with the format +# +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. +# +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. +# +# ERR +# Do not change the URL. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. +# +# By default, a URL rewriter is not used. +#Default: +# none + +# TAG: url_rewrite_children +# Specifies the maximum number of redirector processes that Squid may +# spawn (numberofchildren) and several related options. Using too few of +# these helper processes (a.k.a. "helpers") creates request queues. +# Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each redirector helper can handle in +# parallel. Defaults to 0 which indicates the redirector +# is a old-style single threaded redirector. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. The default +# maximum is zero if url_rewrite_bypass is enabled and +# 2*numberofchildren otherwise. If the queued requests exceed queue size +# and redirector_bypass configuration option is set, then redirector is +# bypassed. Otherwise, Squid is allowed to temporarily exceed the +# configured maximum, marking the affected helper as "overloaded". If +# the helper overload lasts more than 3 minutes, the action prescribed +# by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. This is the default behavior. +# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 + +# TAG: url_rewrite_host_header +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# +# WARNING: Entries are cached on the result of the URL rewriting +# process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. +#Default: +# url_rewrite_host_header on + +# TAG: url_rewrite_access +# If defined, this access list specifies which requests are +# sent to the redirector processes. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: url_rewrite_bypass +# When this is 'on', a request will not go through the +# redirector if all the helpers are busy. If this is 'off' and the +# redirector queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# redirectors are not critical to your caching system. If you use +# redirectors for access control, and you enable this option, +# users may have access to pages they should not +# be allowed to request. +# +# Enabling this option sets the default url_rewrite_children queue-size +# option value to 0. +#Default: +# url_rewrite_bypass off + +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: url_rewrite_timeout +# Squid times active requests to redirector. The timeout value and Squid +# reaction to a timed out request are configurable using the following +# format: +# +# url_rewrite_timeout timeout time-units on_timeout= [response=] +# +# supported timeout actions: +# fail Squid return a ERR_GATEWAY_FAILURE error page +# +# bypass Do not re-write the URL +# +# retry Send the lookup to the helper again +# +# use_configured_response +# Use the as helper response +#Default: +# Squid waits for the helper response forever + +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# Specifies the maximum number of StoreID helper processes that Squid +# may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests to N. A request is queued +# when no existing child can accept it due to concurrency limit and no +# new child can be started due to numberofchildren limit. The default +# maximum is 2*numberofchildren. If the queued requests exceed queue +# size and redirector_bypass configuration option is set, then +# redirector is bypassed. Otherwise, Squid is allowed to temporarily +# exceed the configured maximum, marking the affected helper as +# "overloaded". If the helper overload lasts more than 3 minutes, the +# action prescribed by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. This is the default behavior. +# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' and the helper +# queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# helpers are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +# This options sets default queue-size option of the store_id_children +# to 0. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week + +# TAG: refresh_pattern +# usage: refresh_pattern [-i] regex min percent max [options] +# +# By default, regular expressions are CASE-SENSITIVE. To make +# them case-insensitive, use the -i option. +# +# 'Min' is the time (in minutes) an object without an explicit +# expiry time should be considered fresh. The recommended +# value is 0, any higher values may cause dynamic applications +# to be erroneously cached unless the application designer +# has taken the appropriate actions. +# +# 'Percent' is a percentage of the objects age (time since last +# modification age) an object without explicit expiry time +# will be considered fresh. +# +# 'Max' is an upper limit on how long objects without an explicit +# expiry time will be considered fresh. The value is also used +# to form Cache-Control: max-age header for a request sent from +# Squid to origin/parent. +# +# options: override-expire +# override-lastmod +# reload-into-ims +# ignore-reload +# ignore-no-store +# ignore-private +# max-stale=NN +# refresh-ims +# store-stale +# +# override-expire enforces min age even if the server +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. +# +# override-lastmod enforces min age even on objects +# that were modified recently. +# +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# ignore-reload ignores a client no-cache or ``reload'' +# header. Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which +# it causes. +# +# ignore-no-store ignores any ``Cache-control: no-store'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-private ignores any ``Cache-control: private'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# refresh-ims causes squid to contact the origin server +# when a client issues an If-Modified-Since request. This +# ensures that the client will receive an updated version +# if one is available. +# +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# +# Basically a cached object is: +# +# FRESH if expire > now, else STALE +# STALE if age > max +# FRESH if lm-factor < percent, else STALE +# FRESH if age < min +# else STALE +# +# The refresh_pattern lines are checked in the order listed here. +# The first entry which matches is used. If none of the entries +# match the default will be used. +# +# Note, you must uncomment all the default lines if you want +# to change one. The default setting is only active if none is +# used. +# +# + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# TAG: quick_abort_min (KB) +#Default: +# quick_abort_min 16 KB + +# TAG: quick_abort_max (KB) +#Default: +# quick_abort_max 16 KB + +# TAG: quick_abort_pct (percent) +# The cache by default continues downloading aborted requests +# which are almost completed (less than 16 KB remaining). This +# may be undesirable on slow (e.g. SLIP) links and/or very busy +# caches. Impatient users may tie up file descriptors and +# bandwidth by repeatedly requesting and immediately aborting +# downloads. +# +# When the user aborts a request, Squid will check the +# quick_abort values to the amount of data transferred until +# then. +# +# If the transfer has less than 'quick_abort_min' KB remaining, +# it will finish the retrieval. +# +# If the transfer has more than 'quick_abort_max' KB remaining, +# it will abort the retrieval. +# +# If more than 'quick_abort_pct' of the transfer has completed, +# it will finish the retrieval. +# +# If you do not want any retrieval to continue after the client +# has aborted, set both 'quick_abort_min' and 'quick_abort_max' +# to '0 KB'. +# +# If you want retrievals to always continue if they are being +# cached set 'quick_abort_min' to '-1 KB'. +#Default: +# quick_abort_pct 95 + +# TAG: read_ahead_gap buffer-size +# The amount of data the cache will buffer ahead of what has been +# sent to the client when retrieving an object from another server. +#Default: +# read_ahead_gap 16 KB + +# TAG: negative_ttl time-units +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. +# +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +#Default: +# negative_ttl 0 seconds + +# TAG: positive_dns_ttl time-units +# Upper limit on how long Squid will cache positive DNS responses. +# Default is 6 hours (360 minutes). This directive must be set +# larger than negative_dns_ttl. +#Default: +# positive_dns_ttl 6 hours + +# TAG: negative_dns_ttl time-units +# Time-to-Live (TTL) for negative caching of failed DNS lookups. +# This also sets the lower cache limit on positive lookups. +# Minimum value is 1 second, and it is not recommendable to go +# much below 10 seconds. +#Default: +# negative_dns_ttl 1 minutes + +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# +# This is to stop a far ahead range request (lets say start at 17MB) +# from making Squid fetch the whole object up to that point before +# sending anything to the client. +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the +# client requested. (default) +# +# A size of 'none' causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. +#Default: +# none + +# TAG: minimum_expiry_time (seconds) +# The minimum caching time according to (Expires - Date) +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. +#Default: +# minimum_expiry_time 60 seconds + +# TAG: store_avg_object_size (bytes) +# Average object size, used to estimate number of objects your +# cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. +#Default: +# store_avg_object_size 13 KB + +# TAG: store_objects_per_bucket +# Target number of objects per bucket in the store hash table. +# Lowering this value increases the total number of buckets and +# also the storage maintenance rate. The default is 20. +#Default: +# store_objects_per_bucket 20 + +# HTTP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: request_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a request. +# Request headers are usually relatively small (about 512 bytes). +# Placing a limit on the request header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a reply. +# Reply headers are usually relatively small (about 512 bytes). +# Placing a limit on the reply header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. + +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. +# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. +# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. + +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value [ acl ... ] +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in the ACL list must be satisfied for the insertion to +# happen. The request_header_add supports fast ACLs only. +# +# See also: reply_header_add. +#Default: +# none + +# TAG: reply_header_add +# Usage: reply_header_add field-name field-value [ acl ... ] +# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP responses (i.e., response +# headers delivered by Squid to the client). This option has no effect on +# cache hit detection. The equivalent adaptation vectoring point in +# ICAP terminology is post-cache RESPMOD. This option does not apply to +# successful CONNECT replies. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the response to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching responses. As always in squid.conf, all +# ACLs in the ACL list must be satisfied for the insertion to +# happen. The reply_header_add option supports fast ACLs only. +# +# See also: request_header_add. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + +# TAG: relaxed_header_parser on|off|warn +# In the default "on" setting Squid accepts certain forms +# of non-compliant HTTP messages where it is unambiguous +# what the sending application intended even if the message +# is not correctly formatted. The messages is then normalized +# to the correct form when forwarded by Squid. +# +# If set to "warn" then a warning will be emitted in cache.log +# each time such HTTP error is encountered. +# +# If set to "off" then such HTTP errors will cause the request +# or response to be rejected. +#Default: +# relaxed_header_parser on + +# TAG: collapsed_forwarding (on|off) +# This option controls whether Squid is allowed to merge multiple +# potentially cachable requests for the same URI before Squid knows +# whether the response is going to be cachable. +# +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off + +# TAG: collapsed_forwarding_shared_entries_limit (number of entries) +# This limits the size of a table used for sharing information +# about collapsible entries among SMP workers. Limiting sharing +# too much results in cache content duplication and missed +# collapsing opportunities. Using excessively large values +# wastes shared memory. +# +# The limit should be significantly larger then the number of +# concurrent collapsible entries one wants to share. For a cache +# that handles less than 5000 concurrent requests, the default +# setting of 16384 should be plenty. +# +# If the limit is set to zero, it disables sharing of collapsed +# forwarding between SMP workers. +#Default: +# collapsed_forwarding_shared_entries_limit 16384 + +# TIMEOUTS +# ----------------------------------------------------------------------------- + +# TAG: forward_timeout time-units +# This parameter specifies how long Squid should at most attempt in +# finding a forwarding path for the request before giving up. +#Default: +# forward_timeout 4 minutes + +# TAG: connect_timeout time-units +# This parameter specifies how long to wait for the TCP connect to +# the requested server or peer to complete before Squid should +# attempt to find another path where to forward the request. +#Default: +# connect_timeout 1 minute + +# TAG: peer_connect_timeout time-units +# This parameter specifies how long to wait for a pending TCP +# connection to a peer cache. The default is 30 seconds. You +# may also set different timeout values for individual neighbors +# with the 'connect-timeout' option on a 'cache_peer' line. +#Default: +# peer_connect_timeout 30 seconds + +# TAG: read_timeout time-units +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this +# amount. If no data is read again after this amount of time, +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. +#Default: +# read_timeout 15 minutes + +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + +# TAG: request_timeout +# How long to wait for complete HTTP request headers after initial +# connection establishment. +#Default: +# request_timeout 5 minutes + +# TAG: request_start_timeout +# How long to wait for the first request byte after initial +# connection establishment. +#Default: +# request_start_timeout 5 minutes + +# TAG: client_idle_pconn_timeout +# How long to wait for the next HTTP request on a persistent +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. +#Default: +# ftp_client_idle_timeout 30 minutes + +# TAG: client_lifetime time-units +# The maximum amount of time a client (browser) is allowed to +# remain connected to the cache process. This protects the Cache +# from having a lot of sockets (and hence file descriptors) tied up +# in a CLOSE_WAIT state from remote clients that go away without +# properly shutting down (either because of a network failure or +# because of a poor client implementation). The default is one +# day, 1440 minutes. +# +# NOTE: The default value is intended to be much larger than any +# client would ever need to be connected to your cache. You +# should probably change client_lifetime only as a last resort. +# If you seem to have many client connections tying up +# filedescriptors, we recommend first tuning the read_timeout, +# request_timeout, persistent_request_timeout and quick_abort values. +#Default: +# client_lifetime 1 day + +# TAG: pconn_lifetime time-units +# Desired maximum lifetime of a persistent connection. +# When set, Squid will close a now-idle persistent connection that +# exceeded configured lifetime instead of moving the connection into +# the idle connection pool (or equivalent). No effect on ongoing/active +# transactions. Connection lifetime is the time period from the +# connection acceptance or opening time until "now". +# +# This limit is useful in environments with long-lived connections +# where Squid configuration or environmental factors change during a +# single connection lifetime. If unrestricted, some connections may +# last for hours and even days, ignoring those changes that should +# have affected their behavior or their existence. +# +# Currently, a new lifetime value supplied via Squid reconfiguration +# has no effect on already idle connections unless they become busy. +# +# When set to '0' this limit is not used. +#Default: +# pconn_lifetime 0 seconds + +# TAG: half_closed_clients +# Some clients may shutdown the sending side of their TCP +# connections, while leaving their receiving sides open. Sometimes, +# Squid can not tell the difference between a half-closed and a +# fully-closed TCP connection. +# +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. +#Default: +# half_closed_clients off + +# TAG: server_idle_pconn_timeout +# Timeout for idle persistent connections to servers and other +# proxies. +#Default: +# server_idle_pconn_timeout 1 minute + +# TAG: ident_timeout +# Maximum time to wait for IDENT lookups to complete. +# +# If this is too high, and you enabled IDENT lookups from untrusted +# users, you might be susceptible to denial-of-service by having +# many ident requests going at once. +#Default: +# ident_timeout 10 seconds + +# TAG: shutdown_lifetime time-units +# When SIGTERM or SIGHUP is received, the cache is put into +# "shutdown pending" mode until all active sockets are closed. +# This value is the lifetime to set for all open descriptors +# during shutdown mode. Any active clients after this many +# seconds will receive a 'timeout' message. +#Default: +# shutdown_lifetime 30 seconds + +# ADMINISTRATIVE PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: cache_mgr +# Email-address of local cache manager who will receive +# mail if the cache dies. The default is "webmaster". +#Default: +# cache_mgr webmaster + +# TAG: mail_from +# From: email-address for mail sent when the cache dies. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. +#Default: +# none + +# TAG: mail_program +# Email program used to send mail if the cache dies. +# The default is "mail". The specified program must comply +# with the standard Unix mail syntax: +# mail-program recipient < mailfile +# +# Optional command line options can be specified. +#Default: +# mail_program mail + +# TAG: cache_effective_user +# If you start Squid as root, it will change its effective/real +# UID/GID to the user specified below. The default is to change +# to UID of proxy. +# see also; cache_effective_group +#Default: +# cache_effective_user proxy + +# TAG: cache_effective_group +# Squid sets the GID to the effective user's default group ID +# (taken from the password file) and supplementary group list +# from the groups membership. +# +# If you want Squid to run with a specific GID regardless of +# the group memberships of the effective user then set this +# to the group (or GID) you want Squid to run as. When set +# all other group privileges of the effective user are ignored +# and only this GID is effective. If Squid is not started as +# root the user starting Squid MUST be member of the specified +# group. +# +# This option is not recommended by the Squid Team. +# Our preference is for administrators to configure a secure +# user account for squid with UID/GID matching system policies. +#Default: +# Use system group memberships of the cache_effective_user account + +# TAG: httpd_suppress_version_string on|off +# Suppress Squid version string info in HTTP headers and HTML error pages. +#Default: +# httpd_suppress_version_string off + +# TAG: visible_hostname +# If you want to present a special hostname in error messages, etc, +# define this. Otherwise, the return value of gethostname() +# will be used. If you have multiple caches in a cluster and +# get errors about IP-forwarding you must set them to have individual +# names with this setting. +#Default: +# Automatically detect the system host name + +# TAG: unique_hostname +# If you want to have multiple machines with the same +# 'visible_hostname' you must give each machine a different +# 'unique_hostname' so forwarding loops can be detected. +#Default: +# Copy the value from visible_hostname + +# TAG: hostname_aliases +# A list of other DNS names your cache has. +#Default: +# none + +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 + +# OPTIONS FOR THE CACHE REGISTRATION SERVICE +# ----------------------------------------------------------------------------- +# +# This section contains parameters for the (optional) cache +# announcement service. This service is provided to help +# cache administrators locate one another in order to join or +# create cache hierarchies. +# +# An 'announcement' message is sent (via UDP) to the registration +# service by Squid. By default, the announcement message is NOT +# SENT unless you enable it with 'announce_period' below. +# +# The announcement message includes your hostname, plus the +# following information from this configuration file: +# +# http_port +# icp_port +# cache_mgr +# +# All current information is processed regularly and made +# available on the Web at http://www.ircache.net/Cache/Tracker/. + +# TAG: announce_period +# This is how frequently to send cache announcements. +# +# To enable announcing your cache, just set an announce period. +# +# Example: +# announce_period 1 day +#Default: +# Announcement messages disabled. + +# TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat +# Selects the XML parsing library to use when interpreting responses with +# Edge Side Includes. +# +# To disable ESI handling completely, ./configure Squid with --disable-esi. +#Default: +# Selects libxml2 if available at ./configure time or libexpat otherwise. + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. +#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. +#Default: +# none + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. +# +# delay_access is sorted per pool and the matching starts with pool 1, +# then pool 2, ..., and finally pool N. The first delay pool where the +# request is allowed is selected for the request. If it does not allow +# the request to any pool then the request is not delayed (default). +# +# For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# +#Default: +# Deny using the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. +# +# For a class 1 delay pool, the syntax is: +# delay_class pool 1 +# delay_parameters pool aggregate +# +# For a class 2 delay pool: +# delay_class pool 2 +# delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# delay_class pool 3 +# delay_parameters pool aggregate network individual +# +# For a class 4 delay pool: +# delay_class pool 4 +# delay_parameters pool aggregate network individual user +# +# For a class 5 delay pool: +# delay_class pool 5 +# delay_parameters pool tagrate +# +# The option variables are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the speed limit parameters for the aggregate bucket +# (class 1, 2, 3). +# +# individual the speed limit parameters for the individual +# buckets (class 2, 3). +# +# network the speed limit parameters for the network buckets +# (class 3). +# +# user the speed limit parameters for the user buckets +# (class 4). +# +# tagrate the speed limit parameters for the tag buckets +# (class 5). +# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# There must be one delay_parameters line for each delay pool. +# +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64Kbit/sec +# (plus overheads), with no overall limit, the line is: +# +# delay_parameters 1 none 8000/8000 +# +# Note that 8 x 8K Byte/sec -> 64K bit/sec. +# +# Note that the word 'none' is used to represent no limit. +# +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256Kbit/sec (strict limit) +# with each 8-bit network permitted 64Kbit/sec (strict limit) and each +# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +# delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. +# +# +# Finally, for a class 4 delay pool as in the example - each user will +# be limited to 128Kbits/sec no matter how many workstations they are logged into.: +# +# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# +#Default: +# none + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +#Default: +# delay_initial_bucket_level 50 + +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCP disabled. + +# TAG: wccp2_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCPv2 disabled. + +# TAG: wccp_version +# This directive is only relevant if you need to set up WCCP(v1) +# to some very old and end-of-life Cisco routers. In all other +# setups it must be left unset or at the default setting. +# It defines an internal version in the WCCP(v1) protocol, +# with version 4 being the officially documented protocol. +# +# According to some users, Cisco IOS 11.2 and earlier only +# support WCCP version 3. If you're using that or an earlier +# version of IOS, you may need to change this value to 3, otherwise +# do not specify this parameter. +#Default: +# wccp_version 4 + +# TAG: wccp2_rebuild_wait +# If this is enabled Squid will wait for the cache dir rebuild to finish +# before sending the first wccp2 HereIAm packet +#Default: +# wccp2_rebuild_wait on + +# TAG: wccp2_forwarding_method +# WCCP2 allows the setting of forwarding methods between the +# router/switch and the cache. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment method. +#Default: +# wccp2_forwarding_method gre + +# TAG: wccp2_return_method +# WCCP2 allows the setting of return methods between the +# router/switch and the cache for packets that the cache +# decides not to handle. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment. +# +# If the "ip wccp redirect exclude in" command has been +# enabled on the cache interface, then it is still safe for +# the proxy server to use a l2 redirect method even if this +# option is set to GRE. +#Default: +# wccp2_return_method gre + +# TAG: wccp2_assignment_method +# WCCP2 allows the setting of methods to assign the WCCP hash +# Valid values are as follows: +# +# hash - Hash assignment +# mask - Mask assignment +# +# As a general rule, cisco routers support the hash assignment method +# and cisco switches support the mask assignment method. +#Default: +# wccp2_assignment_method hash + +# TAG: wccp2_service +# WCCP2 allows for multiple traffic services. There are two +# types: "standard" and "dynamic". The standard type defines +# one service id - http (id 0). The dynamic service ids can be from +# 51 to 255 inclusive. In order to use a dynamic service id +# one must define the type of traffic to be redirected; this is done +# using the wccp2_service_info option. +# +# The "standard" type does not require a wccp2_service_info option, +# just specifying the service id will suffice. +# +# MD5 service authentication can be enabled by adding +# "password=" to the end of this service declaration. +# +# Examples: +# +# wccp2_service standard 0 # for the 'web-cache' standard service +# wccp2_service dynamic 80 # a dynamic service type which will be +# # fleshed out with subsequent options. +# wccp2_service standard 0 password=foo +#Default: +# Use the 'web-cache' standard service. + +# TAG: wccp2_service_info +# Dynamic WCCPv2 services require further information to define the +# traffic you wish to have diverted. +# +# The format is: +# +# wccp2_service_info protocol= flags=,.. +# priority= ports=,.. +# +# The relevant WCCPv2 flags: +# + src_ip_hash, dst_ip_hash +# + source_port_hash, dst_port_hash +# + src_ip_alt_hash, dst_ip_alt_hash +# + src_port_alt_hash, dst_port_alt_hash +# + ports_source +# +# The port list can be one to eight entries. +# +# Example: +# +# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source +# priority=240 ports=80 +# +# Note: the service id must have been defined by a previous +# 'wccp2_service dynamic ' entry. +#Default: +# none + +# TAG: wccp2_weight +# Each cache server gets assigned a set of the destination +# hash proportional to their weight. +#Default: +# wccp2_weight 10000 + +# TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# TAG: wccp2_address +# Use this option if you require WCCP to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# PERSISTENT CONNECTION HANDLING +# ----------------------------------------------------------------------------- +# +# Also see "pconn_timeout" in the TIMEOUTS section + +# TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. +#Default: +# client_persistent_connections on + +# TAG: server_persistent_connections +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. +#Default: +# server_persistent_connections on + +# TAG: persistent_connection_after_error +# With this directive the use of persistent connections after +# HTTP errors can be disabled. Useful if you have clients +# who fail to handle errors on persistent connections proper. +#Default: +# persistent_connection_after_error on + +# TAG: detect_broken_pconn +# Some servers have been found to incorrectly signal the use +# of HTTP/1.0 persistent connections even on replies not +# compatible, causing significant delays. This server problem +# has mostly been seen on redirects. +# +# By enabling this directive Squid attempts to detect such +# broken replies and automatically assume the reply is finished +# after 10 seconds timeout. +#Default: +# detect_broken_pconn off + +# CACHE DIGEST OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: digest_generation +# This controls whether the server will generate a Cache Digest +# of its contents. By default, Cache Digest generation is +# enabled if Squid is compiled with --enable-cache-digests defined. +#Default: +# digest_generation on + +# TAG: digest_bits_per_entry +# This is the number of bits of the server's Cache Digest which +# will be associated with the Digest entry for a given HTTP +# Method and URL (public key) combination. The default is 5. +#Default: +# digest_bits_per_entry 5 + +# TAG: digest_rebuild_period (seconds) +# This is the wait time between Cache Digest rebuilds. +#Default: +# digest_rebuild_period 1 hour + +# TAG: digest_rewrite_period (seconds) +# This is the wait time between Cache Digest writes to +# disk. +#Default: +# digest_rewrite_period 1 hour + +# TAG: digest_swapout_chunk_size (bytes) +# This is the number of bytes of the Cache Digest to write to +# disk at a time. It defaults to 4096 bytes (4KB), the Squid +# default swap page. +#Default: +# digest_swapout_chunk_size 4096 bytes + +# TAG: digest_rebuild_chunk_percentage (percent, 0-100) +# This is the percentage of the Cache Digest to be scanned at a +# time. By default it is set to 10% of the Cache Digest. +#Default: +# digest_rebuild_chunk_percentage 10 + +# SNMP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: snmp_port +# The port number where Squid listens for SNMP requests. To enable +# SNMP support set this to a suitable port number. Port number +# 3401 is often used for the Squid SNMP agent. By default it's +# set to "0" (disabled) +# +# Example: +# snmp_port 3401 +#Default: +# SNMP disabled. + +# TAG: snmp_access +# Allowing or denying access to the SNMP port. +# +# All access to the agent is denied by default. +# usage: +# +# snmp_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# snmp_access allow snmppublic localhost +# snmp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: snmp_incoming_address +# Just like 'udp_incoming_address', but for the SNMP port. +# +# snmp_incoming_address is used for the SNMP socket receiving +# messages from SNMP agents. +# +# The default snmp_incoming_address is to listen on all +# available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. +# +# If snmp_outgoing_address is not set it will use the same socket +# as snmp_incoming_address. Only change this if you want to have +# SNMP replies sent using another address than where this Squid +# listens for SNMP queries. +# +# NOTE, snmp_incoming_address and snmp_outgoing_address can not have +# the same value since they both use the same port. +#Default: +# Use snmp_incoming_address or an address selected by the operating system. + +# ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icp_port +# The port number where Squid sends and receives ICP queries to +# and from neighbor caches. The standard UDP port for ICP is 3130. +# +# Example: +# icp_port 3130 +#Default: +# ICP disabled. + +# TAG: htcp_port +# The port number where Squid sends and receives HTCP queries to +# and from neighbor caches. To turn it on you want to set it to +# 4827. +# +# Example: +# htcp_port 4827 +#Default: +# HTCP disabled. + +# TAG: log_icp_queries on|off +# If set, ICP queries are logged to access.log. You may wish +# do disable this if your ICP load is VERY high to speed things +# up or to simplify log analysis. +#Default: +# log_icp_queries on + +# TAG: udp_incoming_address +# udp_incoming_address is used for UDP packets received from other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Only change this if you want to have all UDP queries received on +# a specific interface/address. +# +# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_outgoing_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Accept packets from all machine interfaces. + +# TAG: udp_outgoing_address +# udp_outgoing_address is used for UDP packets sent out to other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Instead it will use the same socket as udp_incoming_address. +# Only change this if you want to have UDP queries sent using another +# address than where this Squid listens for UDP queries from other +# caches. +# +# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_incoming_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Use udp_incoming_address or an address selected by the operating system. + +# TAG: icp_hit_stale on|off +# If you want to return ICP_HIT for stale cache objects, set this +# option to 'on'. If you have sibling relationships with caches +# in other administrative domains, this should be 'off'. If you only +# have sibling relationships with caches under your control, +# it is probably okay to set this to 'on'. +# If set to 'on', your siblings should use the option "allow-miss" +# on their cache_peer lines for connecting to you. +#Default: +# icp_hit_stale off + +# TAG: minimum_direct_hops +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many hops away. +#Default: +# minimum_direct_hops 4 + +# TAG: minimum_direct_rtt (msec) +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many rtt milliseconds away. +#Default: +# minimum_direct_rtt 400 + +# TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_low 900 + +# TAG: netdb_high +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_high 1000 + +# TAG: netdb_ping_period +# The minimum period for measuring a site. There will be at +# least this much delay between successive pings to the same +# network. The default is five minutes. +#Default: +# netdb_ping_period 5 minutes + +# TAG: query_icmp on|off +# If you want to ask your peers to include ICMP data in their ICP +# replies, enable this option. +# +# If your peer has configured Squid (during compilation) with +# '--enable-icmp' that peer will send ICMP pings to origin server +# sites of the URLs it receives. If you enable this option the +# ICP replies from that peer will include the ICMP data (if available). +# Then, when choosing a parent cache, Squid will choose the parent with +# the minimal RTT to the origin server. When this happens, the +# hierarchy field of the access.log will be +# "CLOSEST_PARENT_MISS". This option is off by default. +#Default: +# query_icmp off + +# TAG: test_reachability on|off +# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH +# instead of ICP_MISS if the target host is NOT in the ICMP +# database, or has a zero RTT. +#Default: +# test_reachability off + +# TAG: icp_query_timeout (msec) +# Normally Squid will automatically determine an optimal ICP +# query timeout value based on the round-trip-time of recent ICP +# queries. If you want to override the value determined by +# Squid, set this 'icp_query_timeout' to a non-zero value. This +# value is specified in MILLISECONDS, so, to use a 2-second +# timeout (the old default), you would write: +# +# icp_query_timeout 2000 +#Default: +# Dynamic detection. + +# TAG: maximum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very large values (say 5 seconds). +# Use this option to put an upper limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# maximum_icp_query_timeout 2000 + +# TAG: minimum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very small timeouts, even lower than +# the normal latency variance on your link due to traffic. +# Use this option to put an lower limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# minimum_icp_query_timeout 5 + +# TAG: background_ping_rate time-units +# Controls how often the ICP pings are sent to siblings that +# have background-ping set. +#Default: +# background_ping_rate 10 seconds + +# MULTICAST ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: mcast_groups +# This tag specifies a list of multicast groups which your server +# should join to receive multicasted ICP queries. +# +# NOTE! Be very careful what you put here! Be sure you +# understand the difference between an ICP _query_ and an ICP +# _reply_. This option is to be set only if you want to RECEIVE +# multicast queries. Do NOT set this option to SEND multicast +# ICP (use cache_peer for that). ICP replies are always sent via +# unicast, so this option does not affect whether or not you will +# receive replies from multicast group members. +# +# You must be very careful to NOT use a multicast address which +# is already in use by another group of caches. +# +# If you are unsure about multicast, please read the Multicast +# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). +# +# Usage: mcast_groups 239.128.16.128 224.0.1.20 +# +# By default, Squid doesn't listen on any multicast groups. +#Default: +# none + +# TAG: mcast_miss_addr +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# If you enable this option, every "cache miss" URL will +# be sent out on the specified multicast address. +# +# Do not enable this option unless you are are absolutely +# certain you understand what you are doing. +#Default: +# disabled. + +# TAG: mcast_miss_ttl +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the time-to-live value for packets multicasted +# when multicasting off cache miss URLs is enabled. By +# default this is set to 'site scope', i.e. 16. +#Default: +# mcast_miss_ttl 16 + +# TAG: mcast_miss_port +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the port number to be used in conjunction with +# 'mcast_miss_addr'. +#Default: +# mcast_miss_port 3135 + +# TAG: mcast_miss_encode_key +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# The URLs that are sent in the multicast miss stream are +# encrypted. This is the encryption key. +#Default: +# mcast_miss_encode_key XXXXXXXXXXXXXXXX + +# TAG: mcast_icp_query_timeout (msec) +# For multicast peers, Squid regularly sends out ICP "probes" to +# count how many other peers are listening on the given multicast +# address. This value specifies how long Squid should wait to +# count all the replies. The default is 2000 msec, or 2 +# seconds. +#Default: +# mcast_icp_query_timeout 2000 + +# INTERNAL ICON OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icon_directory +# Where the icons are stored. These are normally kept in +# /usr/share/squid/icons +#Default: +# icon_directory /usr/share/squid/icons + +# TAG: global_internal_static +# This directive controls is Squid should intercept all requests for +# /squid-internal-static/ no matter which host the URL is requesting +# (default on setting), or if nothing special should be done for +# such URLs (off setting). The purpose of this directive is to make +# icons etc work better in complex cache hierarchies where it may +# not always be possible for all corners in the cache mesh to reach +# the server generating a directory listing. +#Default: +# global_internal_static on + +# TAG: short_icon_urls +# If this is enabled Squid will use short URLs for icons. +# If disabled it will revert to the old behavior of including +# it's own name and port in the URL. +# +# If you run a complex cache hierarchy with a mix of Squid and +# other proxies you may need to disable this directive. +#Default: +# short_icon_urls on + +# ERROR PAGE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: error_directory +# If you wish to create your own versions of the default +# error files to customize them to suit your company copy +# the error/template files to another directory and point +# this tag at them. +# +# WARNING: This option will disable multi-language support +# on error pages if used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are making translations for a +# language that Squid does not currently provide please consider +# contributing your translation back to the project. +# http://wiki.squid-cache.org/Translations +# +# The squid developers working on translations are happy to supply drop-in +# translated error files in exchange for any new language contributions. +#Default: +# Send error pages in the clients preferred language + +# TAG: error_default_language +# Set the default language which squid will send error pages in +# if no existing translation matches the clients language +# preferences. +# +# If unset (default) generic English will be used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are interested in making +# translations for any language see the squid wiki for details. +# http://wiki.squid-cache.org/Translations +#Default: +# Generate English language pages. + +# TAG: error_log_languages +# Log to cache.log what languages users are attempting to +# auto-negotiate for translations. +# +# Successful negotiations are not logged. Only failures +# have meaning to indicate that Squid may need an upgrade +# of its error page translations. +#Default: +# error_log_languages on + +# TAG: err_page_stylesheet +# CSS Stylesheet to pattern the display of Squid default error pages. +# +# For information on CSS see http://www.w3.org/Style/CSS/ +#Default: +# err_page_stylesheet /etc/squid/errorpage.css + +# TAG: err_html_text +# HTML text to include in error messages. Make this a "mailto" +# URL to your admin address, or maybe just a link to your +# organizations Web page. +# +# To include this in your error messages, you must rewrite +# the error template files (found in the "errors" directory). +# Wherever you want the 'err_html_text' line to appear, +# insert a %L tag in the error template file. +#Default: +# none + +# TAG: email_err_data on|off +# If enabled, information about the occurred error will be +# included in the mailto links of the ERR pages (if %W is set) +# so that the email body contains the data. +# Syntax is %w +#Default: +# email_err_data on + +# TAG: deny_info +# Usage: deny_info err_page_name acl +# or deny_info http://... acl +# or deny_info TCP_RESET acl +# +# This can be used to return a ERR_ page for requests which +# do not pass the 'http_access' rules. Squid remembers the last +# acl it evaluated in http_access, and if a 'deny_info' line exists +# for that ACL Squid returns a corresponding error page. +# +# The acl is typically the last acl on the http_access deny line which +# denied access. The exceptions to this rule are: +# - When Squid needs to request authentication credentials. It's then +# the first authentication related acl encountered +# - When none of the http_access lines matches. It's then the last +# acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. +# +# NP: If providing your own custom error pages with error_directory +# you may also specify them by your custom file name: +# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys +# +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED +# +# Alternatively you can tell Squid to reset the TCP connection +# by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %O - Unescaped message result from external ACL helper +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# +#Default: +# none + +# OPTIONS INFLUENCING REQUEST FORWARDING +# ----------------------------------------------------------------------------- + +# TAG: nonhierarchical_direct +# By default, Squid will send any non-hierarchical requests +# (not cacheable request type) direct to origin servers. +# +# When this is set to "off", Squid will prefer to send these +# requests to parents. +# +# Note that in most configurations, by turning this off you will only +# add latency to these request without any improvement in global hit +# ratio. +# +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. +#Default: +# nonhierarchical_direct on + +# TAG: prefer_direct +# Normally Squid tries to use parents for most requests. If you for some +# reason like it to first try going direct and only use a parent if +# going direct fails set this to on. +# +# By combining nonhierarchical_direct off and prefer_direct on you +# can set up Squid to use a parent as a backup path if going direct +# fails. +# +# Note: If you want Squid to use parents for all requests see +# the never_direct directive. prefer_direct only modifies how Squid +# acts on cacheable requests. +#Default: +# prefer_direct off + +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + +# TAG: always_direct +# Usage: always_direct allow|deny [!]aclname ... +# +# Here you can use ACL elements to specify requests which should +# ALWAYS be forwarded by Squid to the origin servers without using +# any peers. For example, to always directly forward requests for +# local servers ignoring any parents or siblings you may have use +# something like: +# +# acl local-servers dstdomain my.domain.net +# always_direct allow local-servers +# +# To always forward FTP requests directly, use +# +# acl FTP proto FTP +# always_direct allow FTP +# +# NOTE: There is a similar, but opposite option named +# 'never_direct'. You need to be aware that "always_direct deny +# foo" is NOT the same thing as "never_direct allow foo". You +# may need to use a deny rule to exclude a more-specific case of +# some other rule. Example: +# +# acl local-external dstdomain external.foo.net +# acl local-servers dstdomain .foo.net +# always_direct deny local-external +# always_direct allow local-servers +# +# NOTE: If your goal is to make the client forward the request +# directly to the origin server bypassing Squid then this needs +# to be done in the client configuration. Squid configuration +# can only tell Squid how Squid should fetch the object. +# +# NOTE: This directive is not related to caching. The replies +# is cached as usual even if you use always_direct. To not cache +# the replies see the 'cache' directive. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Prevent any cache_peer being used for this request. + +# TAG: never_direct +# Usage: never_direct allow|deny [!]aclname ... +# +# never_direct is the opposite of always_direct. Please read +# the description for always_direct if you have not already. +# +# With 'never_direct' you can use ACL elements to specify +# requests which should NEVER be forwarded directly to origin +# servers. For example, to force the use of a proxy for all +# requests, except those in your local domain use something like: +# +# acl local-servers dstdomain .foo.net +# never_direct deny local-servers +# never_direct allow all +# +# or if Squid is inside a firewall and there are local intranet +# servers inside the firewall use something like: +# +# acl local-intranet dstdomain .foo.net +# acl local-external dstdomain external.foo.net +# always_direct deny local-external +# always_direct allow local-intranet +# never_direct allow all +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow DNS results to be used for this request. + +# ADVANCED NETWORKING OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_udp_average 6 + +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_tcp_average 4 + +# TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_dns_average 4 + +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_udp_poll_cnt 8 + +# TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_dns_poll_cnt 8 + +# TAG: min_tcp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_tcp_poll_cnt 8 + +# TAG: accept_filter +# FreeBSD: +# +# The name of an accept(2) filter to install on Squid's +# listen socket(s). This feature is perhaps specific to +# FreeBSD and requires support in the kernel. +# +# The 'httpready' filter delays delivering new connections +# to Squid until a full HTTP request has been received. +# See the accf_http(9) man page for details. +# +# The 'dataready' filter delays delivering new connections +# to Squid until there is some data to process. +# See the accf_dataready(9) man page for details. +# +# Linux: +# +# The 'data' filter delays delivering of new connections +# to Squid until there is some data to process by TCP_ACCEPT_DEFER. +# You may optionally specify a number of seconds to wait by +# 'data=N' where N is the number of seconds. Defaults to 30 +# if not specified. See the tcp(7) man page for details. +#EXAMPLE: +## FreeBSD +#accept_filter httpready +## Linux +#accept_filter data +#Default: +# none + +# TAG: client_ip_max_connections +# Set an absolute limit on the number of connections a single +# client IP can use. Any more than this and Squid will begin to drop +# new connections from the client until it closes some links. +# +# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP +# connections from the client. For finer control use the ACL access controls. +# +# Requires client_db to be enabled (the default). +# +# WARNING: This may noticably slow down traffic received via external proxies +# or NAT devices and cause them to rebound error messages back to their clients. +#Default: +# No limit. + +# TAG: tcp_recv_bufsize (bytes) +# Size of receive buffer to set for TCP sockets. Probably just +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. +#Default: +# Use operating system TCP defaults. + +# ICAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icap_enable on|off +# If you want to enable the ICAP module support, set this to on. +#Default: +# icap_enable off + +# TAG: icap_connect_timeout +# This parameter specifies how long to wait for the TCP connect to +# the requested ICAP server to complete before giving up and either +# terminating the HTTP transaction or bypassing the failure. +# +# The default for optional services is peer_connect_timeout. +# The default for essential services is connect_timeout. +# If this option is explicitly set, its value applies to all services. +#Default: +# none + +# TAG: icap_io_timeout time-units +# This parameter specifies how long to wait for an I/O activity on +# an established, active ICAP connection before giving up and +# either terminating the HTTP transaction or bypassing the +# failure. +#Default: +# Use read_timeout. + +# TAG: icap_service_failure_limit limit [in memory-depth time-units] +# The limit specifies the number of failures that Squid tolerates +# when establishing a new TCP connection with an ICAP service. If +# the number of failures exceeds the limit, the ICAP service is +# not used for new ICAP requests until it is time to refresh its +# OPTIONS. +# +# A negative value disables the limit. Without the limit, an ICAP +# service will not be considered down due to connectivity failures +# between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds +#Default: +# icap_service_failure_limit 10 + +# TAG: icap_service_revival_delay +# The delay specifies the number of seconds to wait after an ICAP +# OPTIONS request failure before requesting the options again. The +# failed ICAP service is considered "down" until fresh OPTIONS are +# fetched. +# +# The actual delay cannot be smaller than the hardcoded minimum +# delay of 30 seconds. +#Default: +# icap_service_revival_delay 180 + +# TAG: icap_preview_enable on|off +# The ICAP Preview feature allows the ICAP server to handle the +# HTTP message by looking only at the beginning of the message body +# or even without receiving the body at all. In some environments, +# previews greatly speedup ICAP processing. +# +# During an ICAP OPTIONS transaction, the server may tell Squid what +# HTTP messages should be previewed and how big the preview should be. +# Squid will not use Preview if the server did not request one. +# +# To disable ICAP Preview for all ICAP services, regardless of +# individual ICAP server OPTIONS responses, set this option to "off". +#Example: +#icap_preview_enable off +#Default: +# icap_preview_enable on + +# TAG: icap_preview_size +# The default size of preview data to be sent to the ICAP server. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off +#Default: +# icap_206_enable on + +# TAG: icap_default_options_ttl +# The default TTL value for ICAP OPTIONS responses that don't have +# an Options-TTL header. +#Default: +# icap_default_options_ttl 60 + +# TAG: icap_persistent_connections on|off +# Whether or not Squid should use persistent connections to +# an ICAP server. +#Default: +# icap_persistent_connections on + +# TAG: adaptation_send_client_ip on|off +# If enabled, Squid shares HTTP client IP information with adaptation +# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. +# For eCAP, Squid sets the libecap::metaClientIp transaction option. +# +# See also: adaptation_uses_indirect_client +#Default: +# adaptation_send_client_ip off + +# TAG: adaptation_send_username on|off +# This sends authenticated HTTP client username (if available) to +# the adaptation service. +# +# For ICAP, the username value is encoded based on the +# icap_client_username_encode option and is sent using the header +# specified by the icap_client_username_header option. +#Default: +# adaptation_send_username off + +# TAG: icap_client_username_header +# ICAP request header name to use for adaptation_send_username. +#Default: +# icap_client_username_header X-Client-Username + +# TAG: icap_client_username_encode on|off +# Whether to base64 encode the authenticated client username. +#Default: +# icap_client_username_encode off + +# TAG: icap_service +# Defines a single ICAP service using the following format: +# +# icap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# ICAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: icap://servername:port/servicepath +# ICAP server and service location. +# icaps://servername:port/servicepath +# The "icap:" URI scheme is used for traditional ICAP server and +# service location (default port is 1344, connections are not +# encrypted). The "icaps:" URI scheme is for Secure ICAP +# services that use SSL/TLS-encrypted ICAP connections (by +# default, on port 11344). +# +# ICAP does not allow a single service to handle both REQMOD and RESPMOD +# transactions. Squid does not enforce that requirement. You can specify +# services with the same service_url and different vectoring_points. You +# can even specify multiple identical services as long as their +# service_names differ. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. ICAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the ICAP service is treated as +# optional. If the service cannot be reached or malfunctions, +# Squid will try to ignore any errors and process the message as +# if the service was not enabled. No all ICAP errors can be +# bypassed. If set to 0, the ICAP service is treated as +# essential and all ICAP errors will result in an error page +# returned to the HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the ICAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. The services +# are specified using the X-Next-Services ICAP response header +# value, formatted as a comma-separated list of service names. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default: the ICAP X-Next-Services +# response header is ignored. +# +# ipv6=on|off +# Only has effect on split-stack systems. The default on those systems +# is to use IPv4-only connections. When set to 'on' this option will +# make Squid use IPv6-only connections to contact this ICAP service. +# +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# +# connection-encryption=on|off +# Determines the ICAP service effect on the connections_encrypted +# ACL. +# +# The default is "on" for Secure ICAP services (i.e., those +# with the icaps:// service URIs scheme) and "off" for plain ICAP +# services. +# +# Does not affect ICAP connections (e.g., does not turn Secure +# ICAP on or off). +# +# ==== ICAPS / TLS OPTIONS ==== +# +# These options are used for Secure ICAP (icaps://....) services only. +# +# tls-cert=/path/to/ssl/certificate +# A client X.509 certificate to use when connecting to +# this ICAP server. +# +# tls-key=/path/to/ssl/key +# The private key corresponding to the previous +# tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting +# to this icap server. +# +# tls-min-version=1.N +# The minimum TLS protocol version to permit. To control +# SSLv3 use the tls-options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# tls-options=... Specify various OpenSSL library options: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. Options relevant only to SSLv2 are +# not supported. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# the icap server certificate. +# Use to specify intermediate CA certificate(s) if not sent +# by the server. Or the full CA chain for the server when +# using the tls-default-ca=off flag. +# May be repeated to load multiple files. +# +# tls-capath=... A directory containing additional CA certificates to +# use when verifying the icap server certificate. +# Requires OpenSSL or LibreSSL. +# +# tls-crlfile=... A certificate revocation list file to use when +# verifying the icap server certificate. +# +# tls-flags=... Specify various flags modifying the Squid TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the icap server certificate +# matches the server name +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# tls-domain= The icap server name as advertised in it's certificate. +# Used for verifying the correctness of the received icap +# server certificate. If not specified the icap server +# hostname extracted from ICAP URI will be used. +# +# Older icap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +#Example: +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on +#Default: +# none + +# TAG: icap_class +# This deprecated option was documented to define an ICAP service +# chain, even though it actually defined a set of similar, redundant +# services, and the chains were not supported. +# +# To define a set of redundant services, please use the +# adaptation_service_set directive. For service chains, use +# adaptation_service_chain. +#Default: +# none + +# TAG: icap_access +# This option is deprecated. Please use adaptation_access, which +# has the same ICAP functionality, but comes with better +# documentation, and eCAP support. +#Default: +# none + +# eCAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ecap_enable on|off +# Controls whether eCAP support is enabled. +#Default: +# ecap_enable off + +# TAG: ecap_service +# Defines a single eCAP service +# +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# eCAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service +# was not enabled. No all eCAP errors can be bypassed. +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the +# HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# connection-encryption=on|off +# Determines the eCAP service effect on the connections_encrypted +# ACL. +# +# Defaults to "on", which does not taint the master transaction +# w.r.t. that ACL. +# +# Does not affect eCAP API calls. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +# +#Example: +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on +#Default: +# none + +# TAG: loadable_modules +# Instructs Squid to load the specified dynamic module(s) or activate +# preloaded module(s). +#Example: +#loadable_modules /usr/lib/MinimalAdapter.so +#Default: +# none + +# MESSAGE ADAPTATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: adaptation_service_set +# +# Configures an ordered set of similar, redundant services. This is +# useful when hot standby or backup adaptation servers are available. +# +# adaptation_service_set set_name service_name1 service_name2 ... +# +# The named services are used in the set declaration order. The first +# applicable adaptation service from the set is used first. The next +# applicable service is tried if and only if the transaction with the +# previous service fails and the message waiting to be adapted is still +# intact. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the set. A broken service is a down optional service. +# +# The services in a set must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# If all services in a set are optional then adaptation failures are +# bypassable. If all services in the set are essential, then a +# transaction failure with one service may still be retried using +# another service from the set, but when all services fail, the master +# transaction fails as well. +# +# A set may contain a mix of optional and essential services, but that +# is likely to lead to surprising results because broken services become +# ignored (see above), making previously bypassable failures fatal. +# Technically, it is the bypassability of the last failed service that +# matters. +# +# See also: adaptation_access adaptation_service_chain +# +#Example: +#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +#adaptation service_set svcLogger loggerLocal loggerRemote +#Default: +# none + +# TAG: adaptation_service_chain +# +# Configures a list of complementary services that will be applied +# one-by-one, forming an adaptation chain or pipeline. This is useful +# when Squid must perform different adaptations on the same message. +# +# adaptation_service_chain chain_name service_name1 svc_name2 ... +# +# The named services are used in the chain declaration order. The first +# applicable adaptation service from the chain is used first. The next +# applicable service is applied to the successful adaptation results of +# the previous service in the chain. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the chain. A broken service is a down optional service. +# +# Request satisfaction terminates the adaptation chain because Squid +# does not currently allow declaration of RESPMOD services at the +# "reqmod_precache" vectoring point (see icap_service or ecap_service). +# +# The services in a chain must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# A chain may contain a mix of optional and essential services. If an +# essential adaptation fails (or the failure cannot be bypassed for +# other reasons), the master transaction fails. Otherwise, the failure +# is bypassed as if the failed adaptation service was not in the chain. +# +# See also: adaptation_access adaptation_service_set +# +#Example: +#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +#Default: +# none + +# TAG: adaptation_access +# Sends an HTTP transaction to an ICAP or eCAP adaptation service. +# +# adaptation_access service_name allow|deny [!]aclname... +# adaptation_access set_name allow|deny [!]aclname... +# +# At each supported vectoring point, the adaptation_access +# statements are processed in the order they appear in this +# configuration file. Statements pointing to the following services +# are ignored (i.e., skipped without checking their ACL): +# +# - services serving different vectoring points +# - "broken-but-bypassable" services +# - "up" services configured to ignore such transactions +# (e.g., based on the ICAP Transfer-Ignore header). +# +# When a set_name is used, all services in the set are checked +# using the same rules, to find the first applicable one. See +# adaptation_service_set for details. +# +# If an access list is checked and there is a match, the +# processing stops: For an "allow" rule, the corresponding +# adaptation service is used for the transaction. For a "deny" +# rule, no adaptation service is activated. +# +# It is currently not possible to apply more than one adaptation +# service at the same vectoring point to the same HTTP transaction. +# +# See also: icap_service and ecap_service +# +#Example: +#adaptation_access service_1 allow all +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: adaptation_service_iteration_limit +# Limits the number of iterations allowed when applying adaptation +# services to a message. If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + +# TAG: icap_retry +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. +# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Limits the number of retries allowed. +# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# No retries are allowed. + +# DNS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: check_hostnames +# For security and stability reasons Squid can check +# hostnames for Internet standard RFC compliance. If you want +# Squid to perform these checks turn this directive on. +#Default: +# check_hostnames off + +# TAG: allow_underscore +# Underscore characters is not strictly allowed in Internet hostnames +# but nevertheless used by many sites. Set this to off if you want +# Squid to be strict about the standard. +# This check is performed only when check_hostnames is set to on. +#Default: +# allow_underscore on + +# TAG: dns_retransmit_interval +# Initial retransmit interval for DNS queries. The interval is +# doubled each time all configured DNS servers have been tried. +#Default: +# dns_retransmit_interval 5 seconds + +# TAG: dns_timeout +# DNS Query timeout. If no response is received to a DNS query +# within this time all DNS servers for the queried domain +# are assumed to be unavailable. +#Default: +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled + +# TAG: dns_defnames on|off +# Normally the RES_DEFNAMES resolver option is disabled +# (see res_init(3)). This prevents caches in a hierarchy +# from interpreting single-component hostnames locally. To allow +# Squid to handle single-component names, enable this option. +#Default: +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. + +# TAG: dns_nameservers +# Use this if you want to specify a list of DNS name servers +# (IP addresses) to use instead of those given in your +# /etc/resolv.conf file. +# +# On Windows platforms, if no value is specified here or in +# the /etc/resolv.conf file, the list of DNS name servers are +# taken from the Windows registry, both static and dynamic DHCP +# configurations are supported. +# +# Example: dns_nameservers 10.0.0.1 192.172.0.4 +#Default: +# Use operating system definitions + +# TAG: hosts_file +# Location of the host-local IP name-address associations +# database. Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: dns_v4_first +# With the IPv6 Internet being as fast or faster than IPv4 Internet +# for most networks Squid prefers to contact websites over IPv6. +# +# This option reverses the order of preference to make Squid contact +# dual-stack websites over IPv4 first. Squid will still perform both +# IPv6 and IPv4 DNS lookups before connecting. +# +# WARNING: +# This option will restrict the situations under which IPv6 +# connectivity is used (and tested), potentially hiding network +# problems which would otherwise be detected and warned about. +#Default: +# dns_v4_first off + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. +#Default: +# ipcache_high 95 + +# TAG: fqdncache_size (number of entries) +# Maximum number of FQDN cache entries. +#Default: +# fqdncache_size 1024 + +# MISCELLANEOUS +# ----------------------------------------------------------------------------- + +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + +# TAG: memory_pools on|off +# If set, Squid will keep pools of allocated (but unused) memory +# available for future use. If memory is a premium on your +# system and you believe your malloc library outperforms Squid +# routines, disable this. +#Default: +# memory_pools on + +# TAG: memory_pools_limit (bytes) +# Used only with memory_pools on: +# memory_pools_limit 50 MB +# +# If set to a non-zero value, Squid will keep at most the specified +# limit of allocated (but unused) memory in memory pools. All free() +# requests that exceed this limit will be handled by your malloc +# library. Squid does not pre-allocate any memory, just safe-keeps +# objects that otherwise would be free()d. Thus, it is safe to set +# memory_pools_limit to a reasonably high value even if your +# configuration will use less memory. +# +# If set to none, Squid will keep all memory it can. That is, there +# will be no limit on the total amount of memory used for safe-keeping. +# +# To disable memory allocation optimization, do not set +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. +# +# An overhead for maintaining memory pools is not taken into account +# when the limit is checked. This overhead is close to four bytes per +# object kept. However, pools may actually _save_ memory because of +# reduced memory thrashing in your malloc library. +#Default: +# memory_pools_limit 5 MB + +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: +# +# X-Forwarded-For: 192.1.2.3 +# +# If set to "off", it will appear as +# +# X-Forwarded-For: unknown +# +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place the client IP as the sole entry. +#Default: +# forwarded_for on + +# TAG: cachemgr_passwd +# Specify passwords for cachemgr operations. +# +# Usage: cachemgr_passwd password action action ... +# +# Some valid actions are (see cache manager menu for a full list): +# 5min +# 60min +# asndb +# authenticator +# cbdata +# client_list +# comm_incoming +# config * +# counters +# delay +# digest_stats +# dns +# events +# filedescriptors +# fqdncache +# histograms +# http_headers +# info +# io +# ipcache +# mem +# menu +# netdb +# non_peers +# objects +# offline_toggle * +# pconn +# peer_select +# reconfigure * +# redirector +# refresh +# server_list +# shutdown * +# store_digest +# storedir +# utilization +# via_headers +# vm_objects +# +# * Indicates actions which will not be performed without a +# valid password, others can be performed if not listed here. +# +# To disable an action, set the password to "disable". +# To allow performing an action without a password, set the +# password to "none". +# +# Use the keyword "all" to set the same password for all actions. +# +#Example: +# cachemgr_passwd secret shutdown +# cachemgr_passwd lesssssssecret info stats/objects +# cachemgr_passwd disable all +#Default: +# No password. Actions which require password are denied. + +# TAG: client_db on|off +# If you want to disable collecting per-client statistics, +# turn off client_db here. +#Default: +# client_db on + +# TAG: refresh_all_ims on|off +# When you enable this option, squid will always check +# the origin server for an update when a client sends an +# If-Modified-Since request. Many browsers use IMS +# requests when the user requests a reload, and this +# ensures those clients receive the latest version. +# +# By default (off), squid may return a Not Modified response +# based on the age of the cached version. +#Default: +# refresh_all_ims off + +# TAG: reload_into_ims on|off +# When you enable this option, client no-cache or ``reload'' +# requests will be changed to If-Modified-Since requests. +# Doing this VIOLATES the HTTP standard. Enabling this +# feature could make you liable for problems which it +# causes. +# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# Limits the number of reopening attempts when establishing a single +# TCP connection. All these attempts must still complete before the +# applicable connection opening timeout expires. +# +# By default and when connect_retries is set to zero, Squid does not +# retry failed connection opening attempts. +# +# The (not recommended) maximum is 10 tries. An attempt to configure a +# higher value results in the value of 10 being used (with a warning). +# +# Squid may open connections to retry various high-level forwarding +# failures. For an outside observer, that activity may look like a +# low-level connection reopening attempt, but those high-level retries +# are governed by forward_max_tries instead. +# +# See also: connect_timeout, forward_timeout, icap_connect_timeout, +# ident_timeout, and forward_max_tries. +#Default: +# Do not retry failed connections. + +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. + +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. +#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. +# +# Remove from squid.conf to inherit the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: force_request_body_continuation +# This option controls how Squid handles data upload requests from HTTP +# and FTP agents that require a "Please Continue" control message response +# to actually send the request body to Squid. It is mostly useful in +# adaptation environments. +# +# When Squid receives an HTTP request with an "Expect: 100-continue" +# header or an FTP upload command (e.g., STOR), Squid normally sends the +# request headers or FTP command information to an adaptation service (or +# peer) and waits for a response. Most adaptation services (and some +# broken peers) may not respond to Squid at that stage because they may +# decide to wait for the HTTP request body or FTP data transfer. However, +# that request body or data transfer may never come because Squid has not +# responded with the HTTP 100 or FTP 150 (Please Continue) control message +# to the request sender yet! +# +# An allow match tells Squid to respond with the HTTP 100 or FTP 150 +# (Please Continue) control message on its own, before forwarding the +# request to an adaptation service or peer. Such a response usually forces +# the request sender to proceed with sending the body. A deny match tells +# Squid to delay that control response until the origin server confirms +# that the request body is needed. Delaying is the default behavior. +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: server_pconn_for_nonretriable +# This option provides fine-grained control over persistent connection +# reuse when forwarding HTTP requests that Squid cannot retry. It is useful +# in environments where opening new connections is very expensive +# (e.g., all connections are secured with TLS with complex client and server +# certificate validation) and race conditions associated with persistent +# connections are very rare and/or only cause minor problems. +# +# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST). +# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT). +# By default, when forwarding such "risky" requests, Squid opens a new +# connection to the server or cache_peer, even if there is an idle persistent +# connection available. When Squid is configured to risk sending a non-retriable +# request on a previously used persistent connection, and the server closes +# the connection before seeing that risky request, the user gets an error response +# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway) +# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail. +# +# If an allow rule matches, Squid reuses an available idle persistent connection +# (if any) for the request that Squid cannot retry. If a deny rule matches, then +# Squid opens a new connection for the request that Squid cannot retry. +# +# This option does not affect requests that Squid can retry. They will reuse idle +# persistent connections (if any). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# Example: +# acl SpeedIsWorthTheRisk method POST +# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk +#Default: +# Open new connections for forwarding requests Squid cannot retry safely. + diff --git a/roles/squid/files/squid.s-proxy.conf.old b/roles/squid/files/squid.s-proxy.conf.old new file mode 100644 index 0000000..b9e46ab --- /dev/null +++ b/roles/squid/files/squid.s-proxy.conf.old @@ -0,0 +1,7656 @@ +# WELCOME TO SQUID 3.4.8 +# ---------------------------- +# +# This is the documentation for the Squid configuration file. +# This documentation can also be found online at: +# http://www.squid-cache.org/Doc/config/ +# +# You may wish to look at the Squid home page and wiki for the +# FAQ and other documentation: +# http://www.squid-cache.org/ +# http://wiki.squid-cache.org/SquidFaq +# http://wiki.squid-cache.org/ConfigExamples +# +# This documentation shows what the defaults for various directives +# happen to be. If you don't need to change the default, you should +# leave the line out of your squid.conf in most cases. +# +# In some cases "none" refers to no default setting at all, +# while in other cases it refers to the value of the option +# - the comments for that keyword indicate if this is the case. +# + +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards are +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes. + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: collapsed_forwarding +# This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495 +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: maximum_single_addr_tries +# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. +#Default: +# none + +# TAG: update_headers +# Remove this line. The feature is supported by default in storage types where update is implemented. +#Default: +# none + +# TAG: url_rewrite_concurrency +# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead. +#Default: +# none + +# TAG: dns_testnames +# Remove this line. DNS is no longer tested on startup. +#Default: +# none + +# TAG: extension_methods +# Remove this line. All valid methods for HTTP are accepted by default. +#Default: +# none + +# TAG: zero_buffers +#Default: +# none + +# TAG: incoming_rate +#Default: +# none + +# TAG: server_http11 +# Remove this line. HTTP/1.1 is supported by default. +#Default: +# none + +# TAG: upgrade_http0.9 +# Remove this line. ICY/1.0 streaming protocol is supported by default. +#Default: +# none + +# TAG: zph_local +# Alter these entries. Use the qos_flows directive instead. +#Default: +# none + +# TAG: header_access +# Since squid-3.0 replace with request_header_access or reply_header_access +# depending on whether you wish to match client requests or server replies. +#Default: +# none + +# TAG: httpd_accel_no_pmtu_disc +# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead. +#Default: +# none + +# TAG: wais_relay_host +# Replace this line with 'cache_peer' configuration. +#Default: +# none + +# TAG: wais_relay_port +# Replace this line with 'cache_peer' configuration. +#Default: +# none + +# OPTIONS FOR AUTHENTICATION +# ----------------------------------------------------------------------------- + +# TAG: auth_param +# This is used to define parameters for the various authentication +# schemes supported by Squid. +# +# format: auth_param scheme parameter [setting] +# +# The order in which authentication schemes are presented to the client is +# dependent on the order the scheme first appears in config file. IE +# has a bug (it's not RFC 2617 compliant) in that it will use the basic +# scheme if basic is the first entry presented, even if more secure +# schemes are presented. For now use the order in the recommended +# settings section below. If other browsers have difficulties (don't +# recognize the schemes offered even if you are using basic) either +# put basic first, or disable the other schemes (by commenting out their +# program entry). +# +# Once an authentication scheme is fully configured, it can only be +# shutdown by shutting squid down and restarting. Changes can be made on +# the fly and activated with a reconfigure. I.E. You can change to a +# different helper, but not unconfigure the helper completely. +# +# Please note that while this directive defines how Squid processes +# authentication it does not automatically activate authentication. +# To use authentication you must in addition make use of ACLs based +# on login name in http_access (proxy_auth, proxy_auth_regex or +# external with %LOGIN used in the format tag). The browser will be +# challenged for authentication on the first such acl encountered +# in http_access processing and will also be re-challenged for new +# login credentials if the request is being denied by a proxy_auth +# type acl. +# +# WARNING: authentication can't be used in a transparently intercepting +# proxy as the client then thinks it is talking to an origin server and +# not the proxy. This is a limitation of bending the TCP/IP protocol to +# transparently intercepting port 80, not a limitation in Squid. +# Ports flagged 'transparent', 'intercept', or 'tproxy' have +# authentication disabled. +# +# === Parameters for the basic scheme follow. === +# +# "program" cmdline +# Specify the command for the external authenticator. Such a program +# reads a line containing "username password" and replies with one of +# three results: +# +# OK +# the user exists. +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. +# +# If you use an authenticator, make sure you have 1 acl of type +# proxy_auth. +# +# By default, the basic authentication scheme is not used unless a +# program is specified. +# +# If you want to use the traditional NCSA proxy authentication, set +# this line to something like +# +# auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd +# +# "utf8" on|off +# HTTP uses iso-latin-1 as character set, while some authentication +# backends such as LDAP expects UTF-8. If this is set to on Squid will +# translate the HTTP iso-latin-1 charset to UTF-8 before sending the +# username & password to the helper. +# +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn. If you start too few +# Squid will have to wait for them to process a backlog of credential +# verifications, slowing it down. When password verifications are +# done via a (slow) network you are likely to need lots of +# authenticator processes. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. +# Must not be set unless it's known the helper supports this. +# +# auth_param basic children 20 startup=0 idle=1 +# +# "realm" realmstring +# Specifies the realm name which is to be reported to the +# client for the basic proxy authentication scheme (part of +# the text the user will see when prompted their username and +# password). There is no default. +# auth_param basic realm Squid proxy-caching web server +# +# "credentialsttl" timetolive +# Specifies how long squid assumes an externally validated +# username:password pair is valid for - in other words how +# often the helper program is called for that user. Set this +# low to force revalidation with short lived passwords. Note +# setting this high does not impact your susceptibility +# to replay attacks unless you are using an one-time password +# system (such as SecureID). If you are using such a system, +# you will be vulnerable to replay attacks unless you also +# use the max_user_ip ACL in an http_access rule. +# +# "casesensitive" on|off +# Specifies if usernames are case sensitive. Most user databases are +# case insensitive allowing the same username to be spelled using both +# lower and upper case letters, but some are case sensitive. This +# makes a big difference for user_max_ip ACL processing and similar. +# auth_param basic casesensitive off +# +# === Parameters for the digest scheme follow === +# +# "program" cmdline +# Specify the command for the external authenticator. Such +# a program reads a line containing "username":"realm" and +# replies with one of three results: +# +# OK ha1="..." +# the user exists. The ha1= key is mandatory and +# contains the appropriate H(A1) value, hex encoded. +# See rfc 2616 for the definition of H(A1). +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. +# +# By default, the digest authentication scheme is not used unless a +# program is specified. +# +# If you want to use a digest authenticator, set this line to +# something like +# +# auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass +# +# "utf8" on|off +# HTTP uses iso-latin-1 as character set, while some authentication +# backends such as LDAP expects UTF-8. If this is set to on Squid will +# translate the HTTP iso-latin-1 charset to UTF-8 before sending the +# username & password to the helper. +# +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn (default 5). +# If you start too few Squid will have to wait for them to +# process a backlog of H(A1) calculations, slowing it down. +# When the H(A1) calculations are done via a (slow) network +# you are likely to need lots of authenticator processes. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. +# Must not be set unless it's known the helper supports this. +# +# auth_param digest children 20 startup=0 idle=1 +# +# "realm" realmstring +# Specifies the realm name which is to be reported to the +# client for the digest proxy authentication scheme (part of +# the text the user will see when prompted their username and +# password). There is no default. +# auth_param digest realm Squid proxy-caching web server +# +# "nonce_garbage_interval" timeinterval +# Specifies the interval that nonces that have been issued +# to client_agent's are checked for validity. +# +# "nonce_max_duration" timeinterval +# Specifies the maximum length of time a given nonce will be +# valid for. +# +# "nonce_max_count" number +# Specifies the maximum number of times a given nonce can be +# used. +# +# "nonce_strictness" on|off +# Determines if squid requires strict increment-by-1 behavior +# for nonce counts, or just incrementing (off - for use when +# user agents generate nonce counts that occasionally miss 1 +# (ie, 1,2,4,6)). Default off. +# +# "check_nonce_count" on|off +# This directive if set to off can disable the nonce count check +# completely to work around buggy digest qop implementations in +# certain mainstream browser versions. Default on to check the +# nonce count to protect from authentication replay attacks. +# +# "post_workaround" on|off +# This is a workaround to certain buggy browsers who sends +# an incorrect request digest in POST requests when reusing +# the same nonce as acquired earlier on a GET request. +# +# === NTLM scheme options follow === +# +# "program" cmdline +# Specify the command for the external NTLM authenticator. +# Such a program reads exchanged NTLMSSP packets with +# the browser via Squid until authentication is completed. +# If you use an NTLM authenticator, make sure you have 1 acl +# of type proxy_auth. By default, the NTLM authenticator program +# is not used. +# +# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package +# which is required for this auth scheme to work +# +# auth_param ntlm program /usr/bin/ntlm_auth +# +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). +# If you start too few Squid will have to wait for them to +# process a backlog of credential verifications, slowing it +# down. When credential verifications are done via a (slow) +# network you are likely to need lots of authenticator +# processes. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param ntlm children 20 startup=0 idle=1 +# +# "keep_alive" on|off +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. +# +# auth_param ntlm keep_alive on +# +# === Options for configuring the NEGOTIATE auth-scheme follow === +# +# "program" cmdline +# Specify the command for the external Negotiate authenticator. +# This protocol is used in Microsoft Active-Directory enabled setups with +# the Microsoft Internet Explorer or Mozilla Firefox browsers. +# Its main purpose is to exchange credentials with the Squid proxy +# using the Kerberos mechanisms. +# If you use a Negotiate authenticator, make sure you have at least +# one acl of type proxy_auth active. By default, the negotiate +# authenticator program is not used. +# The only supported program for this role is the ntlm_auth +# program distributed as part of Samba, version 4 or later. +# +# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package +# which is required for this auth scheme to work +# +# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego +# +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). +# If you start too few Squid will have to wait for them to +# process a backlog of credential verifications, slowing it +# down. When credential verifications are done via a (slow) +# network you are likely to need lots of authenticator +# processes. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param negotiate children 20 startup=0 idle=1 +# +# "keep_alive" on|off +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. +# +# auth_param negotiate keep_alive on +# +# +# Examples: +# +##Recommended minimum configuration per scheme: +##auth_param negotiate program +##auth_param negotiate children 20 startup=0 idle=1 +##auth_param negotiate keep_alive on +## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param basic program +##auth_param basic children 5 startup=5 idle=1 +##auth_param basic realm Squid proxy-caching web server +##auth_param basic credentialsttl 2 hours +#Default: +# none + +# TAG: authenticate_cache_garbage_interval +# The time period between garbage collection across the username cache. +# This is a trade-off between memory utilization (long intervals - say +# 2 days) and CPU (short intervals - say 1 minute). Only change if you +# have good reason to. +#Default: +# authenticate_cache_garbage_interval 1 hour + +# TAG: authenticate_ttl +# The time a user & their credentials stay in the logged in +# user cache since their last request. When the garbage +# interval passes, all user credentials that have passed their +# TTL are removed from memory. +#Default: +# authenticate_ttl 1 hour + +# TAG: authenticate_ip_ttl +# If you use proxy authentication and the 'max_user_ip' ACL, +# this directive controls how long Squid remembers the IP +# addresses associated with each user. Use a small value +# (e.g., 60 seconds) if your users might change addresses +# quickly, as is the case with dialup. You might be safe +# using a larger value (e.g., 2 hours) in a corporate LAN +# environment with relatively static address assignments. +#Default: +# authenticate_ip_ttl 1 second + +# ACCESS CONTROLS +# ----------------------------------------------------------------------------- + +# TAG: external_acl_type +# This option defines external acl classes using a helper program +# to look up the status +# +# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] +# +# Options: +# +# ttl=n TTL in seconds for cached results (defaults to 3600 +# for 1 hour) +# negative_ttl=n +# TTL for cached negative lookups (default same +# as ttl) +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 20) +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# cache=n limit the result cache size, default is 262144. +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# ipv4 / ipv6 IP protocol used to communicate with this helper. +# The default is to auto-detect IPv6 and use it when available. +# +# FORMAT specifications +# +# %LOGIN Authenticated user login name +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl +# %IDENT Ident user name +# %SRC Client IP +# %SRCPORT Client source port +# %URI Requested URI +# %DST Requested host +# %PROTO Requested protocol +# %PORT Requested port +# %PATH Requested URL path +# %METHOD Request method +# %MYADDR Squid interface address +# %MYPORT Squid http_port number +# %PATH Requested URL-path (including query-string if any) +# %USER_CERT SSL User certificate in PEM format +# %USER_CERTCHAIN SSL User certificate chain in PEM format +# %USER_CERT_xx SSL User certificate subject attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# +# %>{Header} HTTP request header "Header" +# %>{Hdr:member} +# HTTP request header "Hdr" list member "member" +# %>{Hdr:;member} +# HTTP request header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %<{Header} HTTP reply header "Header" +# %<{Hdr:member} +# HTTP reply header "Hdr" list member "member" +# %<{Hdr:;member} +# HTTP reply header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# +# %% The percent sign. Useful for helpers which need +# an unchanging input format. +# +# +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# +# +# General result syntax: +# +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. +# +# Defined keywords: +# +# user= The users name (login) +# +# password= The users password (for login= cache_peer option) +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# +# log= String to be logged in access.log. Available as +# %ea in logformat specifications. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) +# # The arp ACL requires the special configure option --enable-arp-acl. +# # Furthermore, the ARP ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some +# # other *BSD variants. +# # [fast] +# # +# # NOTE: Squid can only determine the MAC address for clients that are on +# # the same subnet. If the client is on a different subnet, +# # then Squid cannot find out its MAC address. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] +# # Except for access control, AS numbers can be used for +# # routing of requests to specific caches. Here's an +# # example for routing all requests for AS#1241 and only +# # those to mycache.mydomain.net: +# # acl asexample dst_as 1241 +# # cache_peer_access mycache.mydomain.net allow asexample +# # cache_peer_access mycache_mydomain.net deny all +# +# acl aclname peername myPeer ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. +# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # http(s)_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# +# acl aclname proxy_auth [-i] username ... +# acl aclname proxy_auth_regex [-i] pattern ... +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. +# # use REQUIRED to accept any valid username. +# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST [fast] +# +# acl aclname ext_user username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [slow] +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ +# +#Default: +# ACLs all, manager, localhost, and to_localhost are predefined. +# +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.64.0/24 # RFC1918 possible internal network +#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +#acl localnet src fc00::/7 # RFC 4193 local private network range +#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# TAG: follow_x_forwarded_for +# Allowing or Denying the X-Forwarded-For header to be followed to +# find the original source of a request. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The X-Forwarded-For header will contain a +# comma-separated list of the IP addresses in the chain, with the +# rightmost address being the most recent. +# +# If a request reaches us from a source that is allowed by this +# configuration item, then we consult the X-Forwarded-For header +# to see where that host received the request from. If the +# X-Forwarded-For header contains multiple addresses, we continue +# backtracking until we reach an address for which we are not allowed +# to follow the X-Forwarded-For header, or until we reach the first +# address in the list. For the purpose of ACL used in the +# follow_x_forwarded_for directive the src ACL type always matches +# the address we are testing and srcdomain matches its rDNS. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# SECURITY CONSIDERATIONS: +# +# Any host for which we follow the X-Forwarded-For header +# can place incorrect information in the header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# X-Forwarded-For header will be ignored. + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forewarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + +# TAG: http_access +# Allowing or Denying access based on defined access lists +# +# Access to the HTTP port: +# http_access allow|deny [!]aclname ... +# +# NOTE on default values: +# +# If there are no "access" lines present, the default is to deny +# the request. +# +# If none of the "access" lines cause a match, the default is the +# opposite of the last line in the list. If the last line was +# deny, the default is allow. Conversely, if the last line +# is allow, the default will be deny. For these reasons, it is a +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# Deny, unless rules exist in squid.conf. +# + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localnet +http_access deny all + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: http_reply_access +# Allow replies to client requests. This is complementary to http_access. +# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. +# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determins whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. +# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated requests with. +# Defaults to http for http_port and https for +# https_port +# +# vport Virtual host port support. Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# dhparams= File containing DH parameters for temporary/ephemeral +# DH key exchanges. See OpenSSL documentation for details +# on how to create this file. +# WARNING: EDH ciphers will be silently disabled if this +# option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# +# If you run Squid on a dual-homed machine with an internal +# and an external interface we recommend you to specify the +# internal address:port in http_port. This way Squid will only be +# visible on the internal address. +# +# + +# Squid normally listens to port 3128 +#http_port 3128 +http_port 8080 + +# TAG: https_port +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] +# +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. +# +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. +# +# You may specify multiple socket addresses on multiple lines, +# each with their own SSL certificate and/or options. +# +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# See http_port for a list of generic options +# +# +# SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1 only +# +# cipher= Colon separated list of supported ciphers. +# +# options= Various SSL engine options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# dhparams= File containing DH parameters for temporary/ephemeral +# DH key exchanges. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped SSL requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is CA certificate life time of generated +# certificate equals lifetime of CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when SslBump is used. +# See the sslBump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# See http_port for a list of available options. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. Note that in +# practice often only multiples of 4 is usable as the two rightmost bits +# have been redefined for use by ECN (RFC 3168 section 23.1). +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/Diffserv value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that +# in practice often only multiples of 4 is usable as the two rightmost bits +# have been redefined for use by ECN (RFC 3168 section 23.1). +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. +# +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. +# +# disable-preserve-miss +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). +# +#Default: +# none + +# TAG: tcp_outgoing_address +# Allows you to map requests to different outgoing IP addresses +# based on the username or source address of the user making +# the request. +# +# tcp_outgoing_address ipaddr [[!]aclname] ... +# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net +# +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. +# +# +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. +# +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. +# +#Default: +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. +#Default: +# none + +# TAG: sslproxy_client_certificate +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Client SSL Certificate to use when proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_client_key +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Client SSL Key to use when proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_version +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +#Default: +# automatic SSL/TLS version negotiation + +# TAG: sslproxy_options +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# SSL implementation options to use when proxying https:// URLs +# +# The most important being: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# SSL_OP_NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# complete list of possible options. +#Default: +# none + +# TAG: sslproxy_cipher +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# SSL cipher list to use when proxying https:// URLs +# +# Colon separated list of supported ciphers. +#Default: +# none + +# TAG: sslproxy_cafile +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# file containing CA certificates to use when verifying server +# certificates while proxying https:// URLs +#Default: +# none + +# TAG: sslproxy_capath +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# directory containing CA certificates to use when verifying +# server certificates while proxying https:// URLs +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first bumping "mode" which ACLs match. +# +# ssl_bump [!]acl ... +# +# The following bumping modes are supported: +# +# client-first +# Allow bumping of the connection. Establish a secure connection +# with the client first, then connect to the server. This old mode +# does not allow Squid to mimic server SSL certificate and does +# not work with intercepted SSL connections. +# +# server-first +# Allow bumping of the connection. Establish a secure connection +# with the server first, then establish a secure connection with +# the client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections. +# +# none +# Become a TCP tunnel without decoding the connection. +# Works with both CONNECT requests and intercepted SSL +# connections. This is the default behavior when no +# ssl_bump option is given or no ssl_bump ACLs match. +# +# By default, no connections are bumped. +# +# The first matching ssl_bump option wins. If no ACLs match, the +# connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump +# does not have an implicit "negate the last given option" rule. You +# must make that rule explicit if you convert old ssl_bump allow/deny +# rules that rely on such an implicit rule. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also: http_port ssl-bump, https_port ssl-bump +# +# +# # Example: Bump all requests except those originating from +# # localhost or those going to example.com. +# +# acl broken_sites dstdomain .example.com +# ssl_bump none localhost +# ssl_bump none broken_sites +# ssl_bump server-first all +#Default: +# Does not bump unless rules are present in squid.conf + +# TAG: sslproxy_flags +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Various flags modifying the use of SSL while proxying https:// URLs: +# DONT_VERIFY_PEER Accept certificates that fail verification. +# For refined control, see sslproxy_cert_error. +# NO_DEFAULT_CA Don't use the default CA list built in +# to OpenSSL. +#Default: +# none + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers for example.com. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslpassword_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Specify a program used for entering SSL key passphrases +# when using encrypted SSL certificate keys. If not specified +# keys must either be unencrypted, or Squid started with the -N +# option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. +#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for ssl_crtd process. +# /usr/lib/squid3/ssl_crtd program requires -s and -M parameters +# For more information use: +# /usr/lib/squid3/ssl_crtd -h +#Default: +# sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# The maximum number of processes spawn to service ssl server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# ssl Encrypt connections to this peer with SSL/TLS. +# +# sslcert=/path/to/ssl/certificate +# A client SSL certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private SSL key corresponding to sslcert above. +# If 'sslkey' is not specified 'sslcert' is assumed to +# reference a combined file containing both the +# certificate and the key. +# +# sslversion=1|2|3|4|5|6 +# The SSL version to use when connecting to this peer +# 1 = automatic (default) +# 2 = SSL v2 only +# 3 = SSL v3 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# sslcafile=... A file containing additional CA certificates to use +# when verifying the peer certificate. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# sslflags=... Specify various flags modifying the SSL implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# NO_DEFAULT_CA +# Don't use the default CA list built in +# to OpenSSL. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. This is primarily useful when +# icp_hit_stale is used by the sibling. To extensive use +# of this option may result in forwarding loops, and you +# should avoid having two-way peerings with this option. +# For example to deny peer usage on requests from peer +# by denying cache_peer_access if the source is a peer. +# +# max-conn=N Limit the amount of connections Squid may open to this +# peer. see also +# +# name=xxx Unique name for the peer. +# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to dentify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. +# +# no-tproxy Do not use the client-spoof TPROXY support when forwarding +# requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. +# +# proxy-only objects fetched from the peer will not be stored locally. +# +#Default: +# none + +# TAG: cache_peer_domain +# Use to limit the domains for which a neighbor cache will be +# queried. +# +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain +# +# For example, specifying +# +# cache_peer_domain parent.foo.net .edu +# +# has the effect such that UDP query packets are sent to +# 'bigserver' only when the requested object exists on a +# server in the .edu domain. Prefixing the domainname +# with '!' means the cache will be queried for objects +# NOT in that domain. +# +# NOTE: * Any number of domains may be given for a cache-host, +# either on the same or separate lines. +# * When multiple domains are given for a particular +# cache-host, the first matched domain is applied. +# * Cache hosts with no domain restrictions are queried +# for all requests. +# * There are no defaults. +# * There is also a 'cache_peer_access' tag in the ACL +# section. +#Default: +# none + +# TAG: cache_peer_access +# Similar to 'cache_peer_domain' but provides more flexibility by +# using ACL elements. +# +# Usage: +# cache_peer_access cache-host allow|deny [!]aclname ... +# +# The syntax is identical to 'http_access' and the other lists of +# ACL elements. See the comments for 'http_access' below, or +# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +#Default: +# none + +# TAG: neighbor_type_domain +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. +# +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... +# +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. +#Default: +# The peer type from cache_peer directive is used for all requests to that peer. + +# TAG: dead_peer_timeout (seconds) +# This controls how long Squid waits to declare a peer cache +# as "dead." If there are no ICP replies received in this +# amount of time, Squid will declare the peer dead and not +# expect to receive any further ICP replies. However, it +# continues to send ICP queries, and will mark the peer as +# alive upon receipt of the first subsequent ICP reply. +# +# This timeout also affects when Squid expects to receive ICP +# replies from peers. If more than 'dead_peer' seconds have +# passed since the last ICP reply was received, Squid will not +# expect to receive an ICP reply on the next query. Thus, if +# your time between requests is greater than this timeout, you +# will see a lot of requests sent DIRECT to origin servers +# instead of to your parents. +#Default: +# dead_peer_timeout 10 seconds + +# TAG: forward_max_tries +# Controls how many different forward paths Squid will try +# before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. +#Default: +# forward_max_tries 10 + +# TAG: hierarchy_stoplist +# A list of words which, if found in a URL, cause the object to +# be handled directly by this cache. In other words, use this +# to not query neighbor caches for certain objects. You may +# list this option multiple times. +# +# Example: +# hierarchy_stoplist cgi-bin ? +# +# Note: never_direct overrides this option. +#Default: +# none + +# MEMORY CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_mem (bytes) +# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. +# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL +# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER +# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. +# +# 'cache_mem' specifies the ideal amount of memory to be used +# for: +# * In-Transit objects +# * Hot Objects +# * Negative-Cached objects +# +# Data for these objects are stored in 4 KB blocks. This +# parameter specifies the ideal upper limit on the total size of +# 4 KB blocks allocated. In-Transit objects take the highest +# priority. +# +# In-transit objects have priority over the others. When +# additional space is needed for incoming data, negative-cached +# and hot objects will be released. In other words, the +# negative-cached and hot objects will fill up any unused space +# not needed for in-transit objects. +# +# If circumstances require, this limit will be exceeded. +# Specifically, if your incoming request rate requires more than +# 'cache_mem' of memory to hold in-transit objects, Squid will +# exceed this limit to satisfy the new requests. When the load +# decreases, blocks will be freed until the high-water mark is +# reached. Thereafter, blocks will be used to store hot +# objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. +#Default: +# cache_mem 256 MB + +# TAG: maximum_object_size_in_memory (bytes) +# Objects greater than this size will not be attempted to kept in +# the memory cache. This should be set high enough to keep objects +# accessed frequently in memory to improve performance whilst low +# enough to keep larger objects from hoarding cache_mem. +#Default: +# maximum_object_size_in_memory 512 KB + +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +# +# Currently, entities exceeding 32KB in size cannot be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + +# TAG: memory_replacement_policy +# The memory replacement policy parameter determines which +# objects are purged from memory when memory space is needed. +# +# See cache_replacement_policy for details on algorithms. +#Default: +# memory_replacement_policy lru + +# DISK CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_replacement_policy +# The cache replacement policy parameter determines which +# objects are evicted (replaced) when disk space is needed. +# +# lru : Squid's original list based LRU policy +# heap GDSF : Greedy-Dual Size Frequency +# heap LFUDA: Least Frequently Used with Dynamic Aging +# heap LRU : LRU policy implemented using a heap +# +# Applies to any cache_dir lines listed below this directive. +# +# The LRU policies keeps recently referenced objects. +# +# The heap GDSF policy optimizes object hit rate by keeping smaller +# popular objects in cache so it has a better chance of getting a +# hit. It achieves a lower byte hit rate than LFUDA though since +# it evicts larger (possibly popular) objects. +# +# The heap LFUDA policy keeps popular objects in cache regardless of +# their size and thus optimizes byte hit rate at the expense of +# hit rate since one large, popular object will prevent many +# smaller, slightly less popular objects from being cached. +# +# Both policies utilize a dynamic aging mechanism that prevents +# cache pollution that can otherwise occur with frequency-based +# replacement policies. +# +# NOTE: if using the LFUDA replacement policy you should increase +# the value of maximum_object_size above its default of 4 MB to +# to maximize the potential byte hit rate improvement of LFUDA. +# +# For more information about the GDSF and LFUDA cache replacement +# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html +# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +#Default: +# cache_replacement_policy lru + +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + +# TAG: cache_dir +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] +# +# You can specify multiple cache_dir lines to spread the +# cache among different disk partitions. +# +# Type specifies the kind of storage system to use. Only "ufs" +# is built by default. To enable any of the other storage systems +# see the --enable-storeio configure option. +# +# 'Directory' is a top-level directory where cache swap +# files will be stored. If you want to use an entire disk +# for caching, this can be the mount-point directory. +# The directory must exist and be writable by the Squid +# process. Squid will NOT create this directory for you. +# +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== +# +# "ufs" is the old well-known Squid storage format that has always +# been there. +# +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# +# 'Mbytes' is the amount of disk space (MB) to use under this +# directory. The default is 100 MB. Change this to suit your +# configuration. Do NOT put the size of your disk drive here. +# Instead, if you want Squid to use the entire disk drive, +# subtract 20% and use that value. +# +# 'L1' is the number of first-level subdirectories which +# will be created under the 'Directory'. The default is 16. +# +# 'L2' is the number of second-level subdirectories which +# will be created under each first-level directory. The default +# is 256. +# +# +# ==== The aufs store type ==== +# +# "aufs" uses the same storage format as "ufs", utilizing +# POSIX-threads to avoid blocking the main Squid process on +# disk-I/O. This was formerly known in Squid as async-io. +# +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# +# see argument descriptions under ufs above +# +# +# ==== The diskd store type ==== +# +# "diskd" uses the same storage format as "ufs", utilizing a +# separate process to avoid blocking the main Squid process on +# disk-I/O. +# +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# +# see argument descriptions under ufs above +# +# Q1 specifies the number of unacknowledged I/O requests when Squid +# stops opening new files. If this many messages are in the queues, +# Squid won't open new files. Default is 64 +# +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots, +# one entry per slot. The database size is specified in MB. The +# slot size is specified in bytes using the max-size option. See +# below for more info on the max-size option. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# +# ==== The coss store type ==== +# +# NP: COSS filesystem in Squid-3 has been deemed too unstable for +# production use and has thus been removed from this release. +# We hope that it can be made usable again soon. +# +# block-size=n defines the "block size" for COSS cache_dir's. +# Squid uses file numbers as block numbers. Since file numbers +# are limited to 24 bits, the block size determines the maximum +# size of the COSS partition. The default is 512 bytes, which +# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note +# you should not change the coss block size after Squid +# has written some objects to the cache_dir. +# +# The coss file store has changed from 2.5. Now it uses a file +# called 'stripe' in the directory names in the config - and +# this will be created by squid -z. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. COSS). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +# Note for coss, max-size must be less than COSS_MEMBUF_SZ, +# which can be changed with the --with-coss-membuf-size=N configure +# option. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid3 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# +#Default: +# store_dir_select_algorithm least-load + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +#Default: +# no limit + +# TAG: cache_swap_low (percent, 0-100) +# The low-water mark for cache object replacement. +# Replacement begins when the swap (disk) usage is above the +# low-water mark and attempts to maintain utilization near the +# low-water mark. As swap utilization gets close to high-water +# mark object eviction becomes more aggressive. If utilization is +# close to the low-water mark less replacement is done each time. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high +#Default: +# cache_swap_low 90 + +# TAG: cache_swap_high (percent, 0-100) +# The high-water mark for cache object replacement. +# Replacement begins when the swap (disk) usage is above the +# low-water mark and attempts to maintain utilization near the +# low-water mark. As swap utilization gets close to high-water +# mark object eviction becomes more aggressive. If utilization is +# close to the low-water mark less replacement is done each time. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_low +#Default: +# cache_swap_high 95 + +# LOGFILE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: logformat +# Usage: +# +# logformat +# +# Defines an access log format. +# +# The is a string with embedded % format codes +# +# % format codes all follow the same basic structure where all but +# the formatcode is optional. Output strings are automatically escaped +# as required according to their context and the output format +# modifiers are usually not needed, but can be specified if an explicit +# output format is desired. +# +# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode +# +# " output in quoted string format +# [ output in squid text log format as used by log_mime_hdrs +# # output in URL quoted format +# ' output as-is +# +# - left aligned +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# +# {arg} argument such as header name etc +# +# Format codes: +# +# % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# +# >a Client source IP address +# >A Client FQDN +# >p Client source port +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Optional header name argument as for >h +# [http::]h +# [http::]>Hs HTTP status code sent to the client +# [http::]rm Request method from client +# [http::]ru Request URL from client +# [http::]rp Request URL-Path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]st Received request size including HTTP headers. In the +# case of chunked requests the chunked encoding metadata +# are not included +# [http::]>sh Received HTTP request headers size +# [http::]cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# +# The default formats available (which do not need re-defining) are: +# +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid3/access.log squid +#Default: +# access_log daemon:/var/log/squid3/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. +# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log uses logformat codes that make sense for an ICAP +# transaction. Header-related codes are applied to the HTTP header +# embedded in an ICAP server response, with the following caveats: +# For REQMOD, there is no HTTP response header unless the ICAP +# server performed request satisfaction. For RESPMOD, the HTTP +# request header is the header sent to the ICAP server. For +# OPTIONS, there are no HTTP headers. +# +# The following format codes are also available for ICAP logs: +# +# icap::st Bytes sent to the ICAP server (TCP payload +# only; i.e., what Squid writes to the socket). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::a %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid3/log_file_daemon + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + +# TAG: cache_store_log +# Logs the activities of the storage manager. Shows which +# objects are ejected from the cache, and which objects are +# saved and for how long. +# There are not really utilities to analyze this data, so you can safely +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# +# Example: +# cache_store_log stdio:/var/log/squid3/store.log +# cache_store_log daemon:/var/log/squid3/store.log +#Default: +# none + +# TAG: cache_swap_state +# Location for the cache "swap.state" file. This index file holds +# the metadata of objects saved on disk. It is used to rebuild +# the cache during startup. Normally this file resides in each +# 'cache_dir' directory, but you may specify an alternate +# pathname here. Note you must give a full filename, not just +# a directory. Since this is the index for the whole object +# list you CANNOT periodically rotate it! +# +# If %s can be used in the file name it will be replaced with a +# a representation of the cache_dir name where each / is replaced +# with '.'. This is needed to allow adding/removing cache_dir +# lines when cache_swap_log is being used. +# +# If have more than one 'cache_dir', and %s is not used in the name +# these swap logs will have names such as: +# +# cache_swap_log.00 +# cache_swap_log.01 +# cache_swap_log.02 +# +# The numbered extension (which is added automatically) +# corresponds to the order of the 'cache_dir' lines in this +# configuration file. If you change the order of the 'cache_dir' +# lines in this file, these index files will NOT correspond to +# the correct 'cache_dir' entry (unless you manually rename +# them). We recommend you do NOT use this option. It is +# better to keep these index files in each 'cache_dir' directory. +#Default: +# Store the journal inside its cache_dir + +# TAG: logfile_rotate +# Specifies the number of logfile rotations to make when you +# type 'squid -k rotate'. The default is 10, which will rotate +# with extensions 0 through 9. Setting logfile_rotate to 0 will +# disable the file name rotation, but the logfiles are still closed +# and re-opened. This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# +# Note, the 'squid -k rotate' command normally sends a USR1 +# signal to the running squid process. In certain situations +# (e.g. on Linux with Async I/O), USR1 is used for other +# purposes, so -k rotate uses another signal. It is best to get +# in the habit of using 'squid -k rotate' instead of 'kill -USR1 +# '. +# +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. +# +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. +#Default: +# logfile_rotate 0 + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use %A in the log format. +#Default: +# none + +# TAG: client_netmask +# A netmask for client addresses in logfiles and cachemgr output. +# Change this to protect the privacy of your cache clients. +# A netmask of 255.255.255.0 will log all IP's in that range with +# the last digit set to '0'. +#Default: +# Log full client IP address + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: strip_query_terms +# By default, Squid strips query terms from requested URLs before +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. +#Default: +# strip_query_terms on + +# TAG: buffered_logs on|off +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. +#Default: +# buffered_logs off + +# TAG: netdb_filename +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. +# +# To disable, enter "none". +#Default: +# netdb_filename stdio:/var/log/squid3/netdb.state + +# OPTIONS FOR TROUBLESHOOTING +# ----------------------------------------------------------------------------- + +# TAG: cache_log +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" +#Default: +# cache_log /var/log/squid3/cache.log + +# TAG: debug_options +# Logging options are set as section,level where each source file +# is assigned a unique section. Lower levels result in less +# output, Full debugging (level 9) can result in a very large +# log file, so be careful. +# +# The magic word "ALL" sets debugging levels for all sections. +# The default is to run with "ALL,1" to record important warnings. +# +# The rotate=N option can be used to keep more or less of these logs +# than would otherwise be kept by logfile_rotate. +# For most uses a single log should be enough to monitor current +# events affecting Squid. +#Default: +# Log all critical and important messages. + +# TAG: coredump_dir +# By default Squid leaves core files in the directory from where +# it was started. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# Use the directory from where Squid was started. +# + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid3 + +# OPTIONS FOR FTP GATEWAYING +# ----------------------------------------------------------------------------- + +# TAG: ftp_user +# If you want the anonymous login password to be more informative +# (and enable the use of picky FTP servers), set this to something +# reasonable for your domain, like wwwuser@somewhere.net +# +# The reason why this is domainless by default is the +# request can be made on the behalf of a user in any domain, +# depending on how the cache is used. +# Some FTP server also validate the email address is valid +# (for example perl.com). +#Default: +# ftp_user Squid@ + +# TAG: ftp_passive +# If your firewall does not allow Squid to use passive +# connections, turn off this option. +# +# Use of ftp_epsv_all option requires this to be ON. +#Default: +# ftp_passive on + +# TAG: ftp_epsv_all +# FTP Protocol extensions permit the use of a special "EPSV ALL" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# Turning this OFF will prevent EPSV being attempted. +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv on + +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + +# TAG: ftp_sanitycheck +# For security and data integrity reasons Squid by default performs +# sanity checks of the addresses of FTP data connections ensure the +# data connection is to the requested server. If you need to allow +# FTP connections to servers using another IP address for the data +# connection turn this off. +#Default: +# ftp_sanitycheck on + +# TAG: ftp_telnet_protocol +# The FTP protocol is officially defined to use the telnet protocol +# as transport channel for the control connection. However, many +# implementations are broken and does not respect this aspect of +# the FTP protocol. +# +# If you have trouble accessing files with ASCII code 255 in the +# path or similar problems involving this ASCII code you can +# try setting this directive to off. If that helps, report to the +# operator of the FTP server in question that their FTP server +# is broken and does not follow the FTP standard. +#Default: +# ftp_telnet_protocol on + +# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS +# ----------------------------------------------------------------------------- + +# TAG: diskd_program +# Specify the location of the diskd executable. +# Note this is only useful if you have compiled in +# diskd as one of the store io modules. +#Default: +# diskd_program /usr/lib/squid3/diskd + +# TAG: unlinkd_program +# Specify the location of the executable for file deletion process. +#Default: +# unlinkd_program /usr/lib/squid3/unlinkd + +# TAG: pinger_program +# Specify the location of the executable for the pinger process. +#Default: +# pinger_program /usr/lib/squid3/pinger + +# TAG: pinger_enable +# Control whether the pinger is active at run-time. +# Enables turning ICMP pinger on and off with a simple +# squid -k reconfigure. +#Default: +# pinger_enable on + +# OPTIONS FOR URL REWRITING +# ----------------------------------------------------------------------------- + +# TAG: url_rewrite_program +# Specify the location of the executable URL rewriter to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the rewriter will receive on line with the format +# +# [channel-ID ] URL client_ip "/" fqdn user method [ kv-pairs] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. +# +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. +# +# ERR +# Do not change the URL. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In the future, the interface protocol will be extended with +# key=value pairs ("kv-pairs" shown above). Helper programs +# should be prepared to receive and possibly ignore additional +# whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. +# +# By default, a URL rewriter is not used. +#Default: +# none + +# TAG: url_rewrite_children +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each redirector helper can handle in +# parallel. Defaults to 0 which indicates the redirector +# is a old-style single threaded redirector. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 + +# TAG: url_rewrite_host_header +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# +# WARNING: Entries are cached on the result of the URL rewriting +# process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. +#Default: +# url_rewrite_host_header on + +# TAG: url_rewrite_access +# If defined, this access list specifies which requests are +# sent to the redirector processes. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: url_rewrite_bypass +# When this is 'on', a request will not go through the +# redirector if all the helpers are busy. If this is 'off' +# and the redirector queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# redirectors. You should only enable this if the redirectors +# are not critical to your caching system. If you use +# redirectors for access control, and you enable this option, +# users may have access to pages they should not +# be allowed to request. +#Default: +# url_rewrite_bypass off + +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL client_ip "/" fqdn user method [ kv-pairs] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# +# Helper programs should be prepared to receive and possibly ignore additional +# kv-pairs with keys they do not support. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# A list of ACL elements which, if matched and denied, cause the request to +# not be satisfied from the cache and the reply to not be cached. +# In other words, use this to force certain objects to never be cached. +# +# You must use the words 'allow' or 'deny' to indicate whether items +# matching the ACL should be allowed or denied into the cache. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow caching, unless rules exist in squid.conf. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week + +# TAG: refresh_pattern +# usage: refresh_pattern [-i] regex min percent max [options] +# +# By default, regular expressions are CASE-SENSITIVE. To make +# them case-insensitive, use the -i option. +# +# 'Min' is the time (in minutes) an object without an explicit +# expiry time should be considered fresh. The recommended +# value is 0, any higher values may cause dynamic applications +# to be erroneously cached unless the application designer +# has taken the appropriate actions. +# +# 'Percent' is a percentage of the objects age (time since last +# modification age) an object without explicit expiry time +# will be considered fresh. +# +# 'Max' is an upper limit on how long objects without an explicit +# expiry time will be considered fresh. +# +# options: override-expire +# override-lastmod +# reload-into-ims +# ignore-reload +# ignore-no-store +# ignore-must-revalidate +# ignore-private +# ignore-auth +# max-stale=NN +# refresh-ims +# store-stale +# +# override-expire enforces min age even if the server +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. +# +# override-lastmod enforces min age even on objects +# that were modified recently. +# +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# ignore-reload ignores a client no-cache or ``reload'' +# header. Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which +# it causes. +# +# ignore-no-store ignores any ``Cache-control: no-store'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate`` +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-private ignores any ``Cache-control: private'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-auth caches responses to requests with authorization, +# as if the originserver had sent ``Cache-control: public'' +# in the response header. Doing this VIOLATES the HTTP standard. +# Enabling this feature could make you liable for problems which +# it causes. +# +# refresh-ims causes squid to contact the origin server +# when a client issues an If-Modified-Since request. This +# ensures that the client will receive an updated version +# if one is available. +# +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# +# Basically a cached object is: +# +# FRESH if expires < now, else STALE +# STALE if age > max +# FRESH if lm-factor < percent, else STALE +# FRESH if age < min +# else STALE +# +# The refresh_pattern lines are checked in the order listed here. +# The first entry which matches is used. If none of the entries +# match the default will be used. +# +# Note, you must uncomment all the default lines if you want +# to change one. The default setting is only active if none is +# used. +# +# + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# TAG: quick_abort_min (KB) +#Default: +# quick_abort_min 16 KB + +# TAG: quick_abort_max (KB) +#Default: +# quick_abort_max 16 KB + +# TAG: quick_abort_pct (percent) +# The cache by default continues downloading aborted requests +# which are almost completed (less than 16 KB remaining). This +# may be undesirable on slow (e.g. SLIP) links and/or very busy +# caches. Impatient users may tie up file descriptors and +# bandwidth by repeatedly requesting and immediately aborting +# downloads. +# +# When the user aborts a request, Squid will check the +# quick_abort values to the amount of data transferred until +# then. +# +# If the transfer has less than 'quick_abort_min' KB remaining, +# it will finish the retrieval. +# +# If the transfer has more than 'quick_abort_max' KB remaining, +# it will abort the retrieval. +# +# If more than 'quick_abort_pct' of the transfer has completed, +# it will finish the retrieval. +# +# If you do not want any retrieval to continue after the client +# has aborted, set both 'quick_abort_min' and 'quick_abort_max' +# to '0 KB'. +# +# If you want retrievals to always continue if they are being +# cached set 'quick_abort_min' to '-1 KB'. +#Default: +# quick_abort_pct 95 + +# TAG: read_ahead_gap buffer-size +# The amount of data the cache will buffer ahead of what has been +# sent to the client when retrieving an object from another server. +#Default: +# read_ahead_gap 16 KB + +# TAG: negative_ttl time-units +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. +# +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +#Default: +# negative_ttl 0 seconds + +# TAG: positive_dns_ttl time-units +# Upper limit on how long Squid will cache positive DNS responses. +# Default is 6 hours (360 minutes). This directive must be set +# larger than negative_dns_ttl. +#Default: +# positive_dns_ttl 6 hours + +# TAG: negative_dns_ttl time-units +# Time-to-Live (TTL) for negative caching of failed DNS lookups. +# This also sets the lower cache limit on positive lookups. +# Minimum value is 1 second, and it is not recommendable to go +# much below 10 seconds. +#Default: +# negative_dns_ttl 1 minutes + +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# +# This is to stop a far ahead range request (lets say start at 17MB) +# from making Squid fetch the whole object up to that point before +# sending anything to the client. +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the +# client requested. (default) +# +# A size of 'none' causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. +#Default: +# none + +# TAG: minimum_expiry_time (seconds) +# The minimum caching time according to (Expires - Date) +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. +#Default: +# minimum_expiry_time 60 seconds + +# TAG: store_avg_object_size (bytes) +# Average object size, used to estimate number of objects your +# cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. +#Default: +# store_avg_object_size 13 KB + +# TAG: store_objects_per_bucket +# Target number of objects per bucket in the store hash table. +# Lowering this value increases the total number of buckets and +# also the storage maintenance rate. The default is 20. +#Default: +# store_objects_per_bucket 20 + +# HTTP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: request_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a request. +# Request headers are usually relatively small (about 512 bytes). +# Placing a limit on the request header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a reply. +# Reply headers are usually relatively small (about 512 bytes). +# Placing a limit on the reply header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: chunked_request_body_max_size (bytes) +# A broken or confused HTTP/1.1 client may send a chunked HTTP +# request to Squid. Squid does not have full support for that +# feature yet. To cope with such requests, Squid buffers the +# entire request and then dechunks request body to create a +# plain HTTP/1.0 request with a known content length. The plain +# request is then used by the rest of Squid code as usual. +# +# The option value specifies the maximum size of the buffer used +# to hold the request before the conversion. If the chunked +# request size exceeds the specified limit, the conversion +# fails, and the client receives an "unsupported request" error, +# as if dechunking was disabled. +# +# Dechunking is enabled by default. To disable conversion of +# chunked requests, set the maximum to zero. +# +# Request dechunking feature and this option in particular are a +# temporary hack. When chunking requests and responses are fully +# supported, there will be no need to buffer a chunked request. +#Default: +# chunked_request_body_max_size 64 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. + +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. +# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: ie_refresh on|off +# Microsoft Internet Explorer up until version 5.5 Service +# Pack 1 has an issue with transparent proxies, wherein it +# is impossible to force a refresh. Turning this on provides +# a partial fix to the problem, by causing all IMS-REFRESH +# requests from older IE versions to check the origin server +# for fresh content. This reduces hit ratio by some amount +# (~10% in my experience), but allows users to actually get +# fresh content when they want it. Note because Squid +# cannot tell if the user is using 5.5 or 5.5SP1, the behavior +# of 5.5 is unchanged from old versions of Squid (i.e. a +# forced refresh is impossible). Newer versions of IE will, +# hopefully, continue to have the new behavior and will be +# handled based on that assumption. This option defaults to +# the old Squid behavior, which is better for hit ratios but +# worse for clients using IE, if they need to be able to +# force fresh content. +#Default: +# ie_refresh off + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. +# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. + +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + +# TAG: relaxed_header_parser on|off|warn +# In the default "on" setting Squid accepts certain forms +# of non-compliant HTTP messages where it is unambiguous +# what the sending application intended even if the message +# is not correctly formatted. The messages is then normalized +# to the correct form when forwarded by Squid. +# +# If set to "warn" then a warning will be emitted in cache.log +# each time such HTTP error is encountered. +# +# If set to "off" then such HTTP errors will cause the request +# or response to be rejected. +#Default: +# relaxed_header_parser on + +# TIMEOUTS +# ----------------------------------------------------------------------------- + +# TAG: forward_timeout time-units +# This parameter specifies how long Squid should at most attempt in +# finding a forwarding path for the request before giving up. +#Default: +# forward_timeout 4 minutes + +# TAG: connect_timeout time-units +# This parameter specifies how long to wait for the TCP connect to +# the requested server or peer to complete before Squid should +# attempt to find another path where to forward the request. +#Default: +# connect_timeout 1 minute + +# TAG: peer_connect_timeout time-units +# This parameter specifies how long to wait for a pending TCP +# connection to a peer cache. The default is 30 seconds. You +# may also set different timeout values for individual neighbors +# with the 'connect-timeout' option on a 'cache_peer' line. +#Default: +# peer_connect_timeout 30 seconds + +# TAG: read_timeout time-units +# The read_timeout is applied on server-side connections. After +# each successful read(), the timeout will be extended by this +# amount. If no data is read again after this amount of time, +# the request is aborted and logged with ERR_READ_TIMEOUT. The +# default is 15 minutes. +#Default: +# read_timeout 15 minutes + +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + +# TAG: request_timeout +# How long to wait for complete HTTP request headers after initial +# connection establishment. +#Default: +# request_timeout 5 minutes + +# TAG: client_idle_pconn_timeout +# How long to wait for the next HTTP request on a persistent +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: client_lifetime time-units +# The maximum amount of time a client (browser) is allowed to +# remain connected to the cache process. This protects the Cache +# from having a lot of sockets (and hence file descriptors) tied up +# in a CLOSE_WAIT state from remote clients that go away without +# properly shutting down (either because of a network failure or +# because of a poor client implementation). The default is one +# day, 1440 minutes. +# +# NOTE: The default value is intended to be much larger than any +# client would ever need to be connected to your cache. You +# should probably change client_lifetime only as a last resort. +# If you seem to have many client connections tying up +# filedescriptors, we recommend first tuning the read_timeout, +# request_timeout, persistent_request_timeout and quick_abort values. +#Default: +# client_lifetime 1 day + +# TAG: half_closed_clients +# Some clients may shutdown the sending side of their TCP +# connections, while leaving their receiving sides open. Sometimes, +# Squid can not tell the difference between a half-closed and a +# fully-closed TCP connection. +# +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. +#Default: +# half_closed_clients off + +# TAG: server_idle_pconn_timeout +# Timeout for idle persistent connections to servers and other +# proxies. +#Default: +# server_idle_pconn_timeout 1 minute + +# TAG: ident_timeout +# Maximum time to wait for IDENT lookups to complete. +# +# If this is too high, and you enabled IDENT lookups from untrusted +# users, you might be susceptible to denial-of-service by having +# many ident requests going at once. +#Default: +# ident_timeout 10 seconds + +# TAG: shutdown_lifetime time-units +# When SIGTERM or SIGHUP is received, the cache is put into +# "shutdown pending" mode until all active sockets are closed. +# This value is the lifetime to set for all open descriptors +# during shutdown mode. Any active clients after this many +# seconds will receive a 'timeout' message. +#Default: +# shutdown_lifetime 30 seconds + +# ADMINISTRATIVE PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: cache_mgr +# Email-address of local cache manager who will receive +# mail if the cache dies. The default is "webmaster". +#Default: +# cache_mgr webmaster + +# TAG: mail_from +# From: email-address for mail sent when the cache dies. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. +#Default: +# none + +# TAG: mail_program +# Email program used to send mail if the cache dies. +# The default is "mail". The specified program must comply +# with the standard Unix mail syntax: +# mail-program recipient < mailfile +# +# Optional command line options can be specified. +#Default: +# mail_program mail + +# TAG: cache_effective_user +# If you start Squid as root, it will change its effective/real +# UID/GID to the user specified below. The default is to change +# to UID of proxy. +# see also; cache_effective_group +#Default: +# cache_effective_user proxy + +# TAG: cache_effective_group +# Squid sets the GID to the effective user's default group ID +# (taken from the password file) and supplementary group list +# from the groups membership. +# +# If you want Squid to run with a specific GID regardless of +# the group memberships of the effective user then set this +# to the group (or GID) you want Squid to run as. When set +# all other group privileges of the effective user are ignored +# and only this GID is effective. If Squid is not started as +# root the user starting Squid MUST be member of the specified +# group. +# +# This option is not recommended by the Squid Team. +# Our preference is for administrators to configure a secure +# user account for squid with UID/GID matching system policies. +#Default: +# Use system group memberships of the cache_effective_user account + +# TAG: httpd_suppress_version_string on|off +# Suppress Squid version string info in HTTP headers and HTML error pages. +#Default: +# httpd_suppress_version_string off + +# TAG: visible_hostname +# If you want to present a special hostname in error messages, etc, +# define this. Otherwise, the return value of gethostname() +# will be used. If you have multiple caches in a cluster and +# get errors about IP-forwarding you must set them to have individual +# names with this setting. +#Default: +# Automatically detect the system host name + +# TAG: unique_hostname +# If you want to have multiple machines with the same +# 'visible_hostname' you must give each machine a different +# 'unique_hostname' so forwarding loops can be detected. +#Default: +# Copy the value from visible_hostname + +# TAG: hostname_aliases +# A list of other DNS names your cache has. +#Default: +# none + +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 + +# OPTIONS FOR THE CACHE REGISTRATION SERVICE +# ----------------------------------------------------------------------------- +# +# This section contains parameters for the (optional) cache +# announcement service. This service is provided to help +# cache administrators locate one another in order to join or +# create cache hierarchies. +# +# An 'announcement' message is sent (via UDP) to the registration +# service by Squid. By default, the announcement message is NOT +# SENT unless you enable it with 'announce_period' below. +# +# The announcement message includes your hostname, plus the +# following information from this configuration file: +# +# http_port +# icp_port +# cache_mgr +# +# All current information is processed regularly and made +# available on the Web at http://www.ircache.net/Cache/Tracker/. + +# TAG: announce_period +# This is how frequently to send cache announcements. +# +# To enable announcing your cache, just set an announce period. +# +# Example: +# announce_period 1 day +#Default: +# Announcement messages disabled. + +# TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat|custom +# ESI markup is not strictly XML compatible. The custom ESI parser +# will give higher performance, but cannot handle non ASCII character +# encodings. +#Default: +# esi_parser custom + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. +#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. +#Default: +# none + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. +# +# delay_access is sorted per pool and the matching starts with pool 1, +# then pool 2, ..., and finally pool N. The first delay pool where the +# request is allowed is selected for the request. If it does not allow +# the request to any pool then the request is not delayed (default). +# +# For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# +#Default: +# Deny using the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. +# +# For a class 1 delay pool, the syntax is: +# delay_pools pool 1 +# delay_parameters pool aggregate +# +# For a class 2 delay pool: +# delay_pools pool 2 +# delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# delay_pools pool 3 +# delay_parameters pool aggregate network individual +# +# For a class 4 delay pool: +# delay_pools pool 4 +# delay_parameters pool aggregate network individual user +# +# For a class 5 delay pool: +# delay_pools pool 5 +# delay_parameters pool tagrate +# +# The option variables are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the speed limit parameters for the aggregate bucket +# (class 1, 2, 3). +# +# individual the speed limit parameters for the individual +# buckets (class 2, 3). +# +# network the speed limit parameters for the network buckets +# (class 3). +# +# user the speed limit parameters for the user buckets +# (class 4). +# +# tagrate the speed limit parameters for the tag buckets +# (class 5). +# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# There must be one delay_parameters line for each delay pool. +# +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64Kbit/sec +# (plus overheads), with no overall limit, the line is: +# +# delay_parameters 1 -1/-1 8000/8000 +# +# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# +# Note that the figure -1 is used to represent "unlimited". +# +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256Kbit/sec (strict limit) +# with each 8-bit network permitted 64Kbit/sec (strict limit) and each +# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +# delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. +# 8 x 8000 KByte/sec -> 64Kbit/sec. +# 8 x 600 Byte/sec -> 4800bit/sec. +# +# +# Finally, for a class 4 delay pool as in the example - each user will +# be limited to 128Kbits/sec no matter how many workstations they are logged into.: +# +# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# +#Default: +# none + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +#Default: +# delay_initial_bucket_level 50 + +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCP disabled. + +# TAG: wccp2_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCPv2 disabled. + +# TAG: wccp_version +# This directive is only relevant if you need to set up WCCP(v1) +# to some very old and end-of-life Cisco routers. In all other +# setups it must be left unset or at the default setting. +# It defines an internal version in the WCCP(v1) protocol, +# with version 4 being the officially documented protocol. +# +# According to some users, Cisco IOS 11.2 and earlier only +# support WCCP version 3. If you're using that or an earlier +# version of IOS, you may need to change this value to 3, otherwise +# do not specify this parameter. +#Default: +# wccp_version 4 + +# TAG: wccp2_rebuild_wait +# If this is enabled Squid will wait for the cache dir rebuild to finish +# before sending the first wccp2 HereIAm packet +#Default: +# wccp2_rebuild_wait on + +# TAG: wccp2_forwarding_method +# WCCP2 allows the setting of forwarding methods between the +# router/switch and the cache. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment method. +#Default: +# wccp2_forwarding_method gre + +# TAG: wccp2_return_method +# WCCP2 allows the setting of return methods between the +# router/switch and the cache for packets that the cache +# decides not to handle. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment. +# +# If the "ip wccp redirect exclude in" command has been +# enabled on the cache interface, then it is still safe for +# the proxy server to use a l2 redirect method even if this +# option is set to GRE. +#Default: +# wccp2_return_method gre + +# TAG: wccp2_assignment_method +# WCCP2 allows the setting of methods to assign the WCCP hash +# Valid values are as follows: +# +# hash - Hash assignment +# mask - Mask assignment +# +# As a general rule, cisco routers support the hash assignment method +# and cisco switches support the mask assignment method. +#Default: +# wccp2_assignment_method hash + +# TAG: wccp2_service +# WCCP2 allows for multiple traffic services. There are two +# types: "standard" and "dynamic". The standard type defines +# one service id - http (id 0). The dynamic service ids can be from +# 51 to 255 inclusive. In order to use a dynamic service id +# one must define the type of traffic to be redirected; this is done +# using the wccp2_service_info option. +# +# The "standard" type does not require a wccp2_service_info option, +# just specifying the service id will suffice. +# +# MD5 service authentication can be enabled by adding +# "password=" to the end of this service declaration. +# +# Examples: +# +# wccp2_service standard 0 # for the 'web-cache' standard service +# wccp2_service dynamic 80 # a dynamic service type which will be +# # fleshed out with subsequent options. +# wccp2_service standard 0 password=foo +#Default: +# Use the 'web-cache' standard service. + +# TAG: wccp2_service_info +# Dynamic WCCPv2 services require further information to define the +# traffic you wish to have diverted. +# +# The format is: +# +# wccp2_service_info protocol= flags=,.. +# priority= ports=,.. +# +# The relevant WCCPv2 flags: +# + src_ip_hash, dst_ip_hash +# + source_port_hash, dst_port_hash +# + src_ip_alt_hash, dst_ip_alt_hash +# + src_port_alt_hash, dst_port_alt_hash +# + ports_source +# +# The port list can be one to eight entries. +# +# Example: +# +# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source +# priority=240 ports=80 +# +# Note: the service id must have been defined by a previous +# 'wccp2_service dynamic ' entry. +#Default: +# none + +# TAG: wccp2_weight +# Each cache server gets assigned a set of the destination +# hash proportional to their weight. +#Default: +# wccp2_weight 10000 + +# TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# TAG: wccp2_address +# Use this option if you require WCCP to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# PERSISTENT CONNECTION HANDLING +# ----------------------------------------------------------------------------- +# +# Also see "pconn_timeout" in the TIMEOUTS section + +# TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. +#Default: +# client_persistent_connections on + +# TAG: server_persistent_connections +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. +#Default: +# server_persistent_connections on + +# TAG: persistent_connection_after_error +# With this directive the use of persistent connections after +# HTTP errors can be disabled. Useful if you have clients +# who fail to handle errors on persistent connections proper. +#Default: +# persistent_connection_after_error on + +# TAG: detect_broken_pconn +# Some servers have been found to incorrectly signal the use +# of HTTP/1.0 persistent connections even on replies not +# compatible, causing significant delays. This server problem +# has mostly been seen on redirects. +# +# By enabling this directive Squid attempts to detect such +# broken replies and automatically assume the reply is finished +# after 10 seconds timeout. +#Default: +# detect_broken_pconn off + +# CACHE DIGEST OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: digest_generation +# This controls whether the server will generate a Cache Digest +# of its contents. By default, Cache Digest generation is +# enabled if Squid is compiled with --enable-cache-digests defined. +#Default: +# digest_generation on + +# TAG: digest_bits_per_entry +# This is the number of bits of the server's Cache Digest which +# will be associated with the Digest entry for a given HTTP +# Method and URL (public key) combination. The default is 5. +#Default: +# digest_bits_per_entry 5 + +# TAG: digest_rebuild_period (seconds) +# This is the wait time between Cache Digest rebuilds. +#Default: +# digest_rebuild_period 1 hour + +# TAG: digest_rewrite_period (seconds) +# This is the wait time between Cache Digest writes to +# disk. +#Default: +# digest_rewrite_period 1 hour + +# TAG: digest_swapout_chunk_size (bytes) +# This is the number of bytes of the Cache Digest to write to +# disk at a time. It defaults to 4096 bytes (4KB), the Squid +# default swap page. +#Default: +# digest_swapout_chunk_size 4096 bytes + +# TAG: digest_rebuild_chunk_percentage (percent, 0-100) +# This is the percentage of the Cache Digest to be scanned at a +# time. By default it is set to 10% of the Cache Digest. +#Default: +# digest_rebuild_chunk_percentage 10 + +# SNMP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: snmp_port +# The port number where Squid listens for SNMP requests. To enable +# SNMP support set this to a suitable port number. Port number +# 3401 is often used for the Squid SNMP agent. By default it's +# set to "0" (disabled) +# +# Example: +# snmp_port 3401 +#Default: +# SNMP disabled. + +# TAG: snmp_access +# Allowing or denying access to the SNMP port. +# +# All access to the agent is denied by default. +# usage: +# +# snmp_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# snmp_access allow snmppublic localhost +# snmp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: snmp_incoming_address +# Just like 'udp_incoming_address', but for the SNMP port. +# +# snmp_incoming_address is used for the SNMP socket receiving +# messages from SNMP agents. +# +# The default snmp_incoming_address is to listen on all +# available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. +# +# If snmp_outgoing_address is not set it will use the same socket +# as snmp_incoming_address. Only change this if you want to have +# SNMP replies sent using another address than where this Squid +# listens for SNMP queries. +# +# NOTE, snmp_incoming_address and snmp_outgoing_address can not have +# the same value since they both use the same port. +#Default: +# Use snmp_incoming_address or an address selected by the operating system. + +# ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icp_port +# The port number where Squid sends and receives ICP queries to +# and from neighbor caches. The standard UDP port for ICP is 3130. +# +# Example: +# icp_port 3130 +#Default: +# ICP disabled. + +# TAG: htcp_port +# The port number where Squid sends and receives HTCP queries to +# and from neighbor caches. To turn it on you want to set it to +# 4827. +# +# Example: +# htcp_port 4827 +#Default: +# HTCP disabled. + +# TAG: log_icp_queries on|off +# If set, ICP queries are logged to access.log. You may wish +# do disable this if your ICP load is VERY high to speed things +# up or to simplify log analysis. +#Default: +# log_icp_queries on + +# TAG: udp_incoming_address +# udp_incoming_address is used for UDP packets received from other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Only change this if you want to have all UDP queries received on +# a specific interface/address. +# +# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_outgoing_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Accept packets from all machine interfaces. + +# TAG: udp_outgoing_address +# udp_outgoing_address is used for UDP packets sent out to other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Instead it will use the same socket as udp_incoming_address. +# Only change this if you want to have UDP queries sent using another +# address than where this Squid listens for UDP queries from other +# caches. +# +# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_incoming_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Use udp_incoming_address or an address selected by the operating system. + +# TAG: icp_hit_stale on|off +# If you want to return ICP_HIT for stale cache objects, set this +# option to 'on'. If you have sibling relationships with caches +# in other administrative domains, this should be 'off'. If you only +# have sibling relationships with caches under your control, +# it is probably okay to set this to 'on'. +# If set to 'on', your siblings should use the option "allow-miss" +# on their cache_peer lines for connecting to you. +#Default: +# icp_hit_stale off + +# TAG: minimum_direct_hops +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many hops away. +#Default: +# minimum_direct_hops 4 + +# TAG: minimum_direct_rtt (msec) +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many rtt milliseconds away. +#Default: +# minimum_direct_rtt 400 + +# TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_low 900 + +# TAG: netdb_high +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_high 1000 + +# TAG: netdb_ping_period +# The minimum period for measuring a site. There will be at +# least this much delay between successive pings to the same +# network. The default is five minutes. +#Default: +# netdb_ping_period 5 minutes + +# TAG: query_icmp on|off +# If you want to ask your peers to include ICMP data in their ICP +# replies, enable this option. +# +# If your peer has configured Squid (during compilation) with +# '--enable-icmp' that peer will send ICMP pings to origin server +# sites of the URLs it receives. If you enable this option the +# ICP replies from that peer will include the ICMP data (if available). +# Then, when choosing a parent cache, Squid will choose the parent with +# the minimal RTT to the origin server. When this happens, the +# hierarchy field of the access.log will be +# "CLOSEST_PARENT_MISS". This option is off by default. +#Default: +# query_icmp off + +# TAG: test_reachability on|off +# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH +# instead of ICP_MISS if the target host is NOT in the ICMP +# database, or has a zero RTT. +#Default: +# test_reachability off + +# TAG: icp_query_timeout (msec) +# Normally Squid will automatically determine an optimal ICP +# query timeout value based on the round-trip-time of recent ICP +# queries. If you want to override the value determined by +# Squid, set this 'icp_query_timeout' to a non-zero value. This +# value is specified in MILLISECONDS, so, to use a 2-second +# timeout (the old default), you would write: +# +# icp_query_timeout 2000 +#Default: +# Dynamic detection. + +# TAG: maximum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very large values (say 5 seconds). +# Use this option to put an upper limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# maximum_icp_query_timeout 2000 + +# TAG: minimum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very small timeouts, even lower than +# the normal latency variance on your link due to traffic. +# Use this option to put an lower limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# minimum_icp_query_timeout 5 + +# TAG: background_ping_rate time-units +# Controls how often the ICP pings are sent to siblings that +# have background-ping set. +#Default: +# background_ping_rate 10 seconds + +# MULTICAST ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: mcast_groups +# This tag specifies a list of multicast groups which your server +# should join to receive multicasted ICP queries. +# +# NOTE! Be very careful what you put here! Be sure you +# understand the difference between an ICP _query_ and an ICP +# _reply_. This option is to be set only if you want to RECEIVE +# multicast queries. Do NOT set this option to SEND multicast +# ICP (use cache_peer for that). ICP replies are always sent via +# unicast, so this option does not affect whether or not you will +# receive replies from multicast group members. +# +# You must be very careful to NOT use a multicast address which +# is already in use by another group of caches. +# +# If you are unsure about multicast, please read the Multicast +# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). +# +# Usage: mcast_groups 239.128.16.128 224.0.1.20 +# +# By default, Squid doesn't listen on any multicast groups. +#Default: +# none + +# TAG: mcast_miss_addr +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# If you enable this option, every "cache miss" URL will +# be sent out on the specified multicast address. +# +# Do not enable this option unless you are are absolutely +# certain you understand what you are doing. +#Default: +# disabled. + +# TAG: mcast_miss_ttl +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the time-to-live value for packets multicasted +# when multicasting off cache miss URLs is enabled. By +# default this is set to 'site scope', i.e. 16. +#Default: +# mcast_miss_ttl 16 + +# TAG: mcast_miss_port +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the port number to be used in conjunction with +# 'mcast_miss_addr'. +#Default: +# mcast_miss_port 3135 + +# TAG: mcast_miss_encode_key +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# The URLs that are sent in the multicast miss stream are +# encrypted. This is the encryption key. +#Default: +# mcast_miss_encode_key XXXXXXXXXXXXXXXX + +# TAG: mcast_icp_query_timeout (msec) +# For multicast peers, Squid regularly sends out ICP "probes" to +# count how many other peers are listening on the given multicast +# address. This value specifies how long Squid should wait to +# count all the replies. The default is 2000 msec, or 2 +# seconds. +#Default: +# mcast_icp_query_timeout 2000 + +# INTERNAL ICON OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icon_directory +# Where the icons are stored. These are normally kept in +# /usr/share/squid3/icons +#Default: +# icon_directory /usr/share/squid3/icons + +# TAG: global_internal_static +# This directive controls is Squid should intercept all requests for +# /squid-internal-static/ no matter which host the URL is requesting +# (default on setting), or if nothing special should be done for +# such URLs (off setting). The purpose of this directive is to make +# icons etc work better in complex cache hierarchies where it may +# not always be possible for all corners in the cache mesh to reach +# the server generating a directory listing. +#Default: +# global_internal_static on + +# TAG: short_icon_urls +# If this is enabled Squid will use short URLs for icons. +# If disabled it will revert to the old behavior of including +# it's own name and port in the URL. +# +# If you run a complex cache hierarchy with a mix of Squid and +# other proxies you may need to disable this directive. +#Default: +# short_icon_urls on + +# ERROR PAGE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: error_directory +# If you wish to create your own versions of the default +# error files to customize them to suit your company copy +# the error/template files to another directory and point +# this tag at them. +# +# WARNING: This option will disable multi-language support +# on error pages if used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are making translations for a +# language that Squid does not currently provide please consider +# contributing your translation back to the project. +# http://wiki.squid-cache.org/Translations +# +# The squid developers working on translations are happy to supply drop-in +# translated error files in exchange for any new language contributions. +#Default: +# Send error pages in the clients preferred language + +# TAG: error_default_language +# Set the default language which squid will send error pages in +# if no existing translation matches the clients language +# preferences. +# +# If unset (default) generic English will be used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are interested in making +# translations for any language see the squid wiki for details. +# http://wiki.squid-cache.org/Translations +#Default: +# Generate English language pages. + +# TAG: error_log_languages +# Log to cache.log what languages users are attempting to +# auto-negotiate for translations. +# +# Successful negotiations are not logged. Only failures +# have meaning to indicate that Squid may need an upgrade +# of its error page translations. +#Default: +# error_log_languages on + +# TAG: err_page_stylesheet +# CSS Stylesheet to pattern the display of Squid default error pages. +# +# For information on CSS see http://www.w3.org/Style/CSS/ +#Default: +# err_page_stylesheet /etc/squid3/errorpage.css + +# TAG: err_html_text +# HTML text to include in error messages. Make this a "mailto" +# URL to your admin address, or maybe just a link to your +# organizations Web page. +# +# To include this in your error messages, you must rewrite +# the error template files (found in the "errors" directory). +# Wherever you want the 'err_html_text' line to appear, +# insert a %L tag in the error template file. +#Default: +# none + +# TAG: email_err_data on|off +# If enabled, information about the occurred error will be +# included in the mailto links of the ERR pages (if %W is set) +# so that the email body contains the data. +# Syntax is %w +#Default: +# email_err_data on + +# TAG: deny_info +# Usage: deny_info err_page_name acl +# or deny_info http://... acl +# or deny_info TCP_RESET acl +# +# This can be used to return a ERR_ page for requests which +# do not pass the 'http_access' rules. Squid remembers the last +# acl it evaluated in http_access, and if a 'deny_info' line exists +# for that ACL Squid returns a corresponding error page. +# +# The acl is typically the last acl on the http_access deny line which +# denied access. The exceptions to this rule are: +# - When Squid needs to request authentication credentials. It's then +# the first authentication related acl encountered +# - When none of the http_access lines matches. It's then the last +# acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. +# +# NP: If providing your own custom error pages with error_directory +# you may also specify them by your custom file name: +# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys +# +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED +# +# Alternatively you can tell Squid to reset the TCP connection +# by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# +#Default: +# none + +# OPTIONS INFLUENCING REQUEST FORWARDING +# ----------------------------------------------------------------------------- + +# TAG: nonhierarchical_direct +# By default, Squid will send any non-hierarchical requests +# (matching hierarchy_stoplist or not cacheable request type) direct +# to origin servers. +# +# When this is set to "off", Squid will prefer to send these +# requests to parents. +# +# Note that in most configurations, by turning this off you will only +# add latency to these request without any improvement in global hit +# ratio. +# +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. +#Default: +# nonhierarchical_direct on + +# TAG: prefer_direct +# Normally Squid tries to use parents for most requests. If you for some +# reason like it to first try going direct and only use a parent if +# going direct fails set this to on. +# +# By combining nonhierarchical_direct off and prefer_direct on you +# can set up Squid to use a parent as a backup path if going direct +# fails. +# +# Note: If you want Squid to use parents for all requests see +# the never_direct directive. prefer_direct only modifies how Squid +# acts on cacheable requests. +#Default: +# prefer_direct off + +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + +# TAG: always_direct +# Usage: always_direct allow|deny [!]aclname ... +# +# Here you can use ACL elements to specify requests which should +# ALWAYS be forwarded by Squid to the origin servers without using +# any peers. For example, to always directly forward requests for +# local servers ignoring any parents or siblings you may have use +# something like: +# +# acl local-servers dstdomain my.domain.net +# always_direct allow local-servers +# +# To always forward FTP requests directly, use +# +# acl FTP proto FTP +# always_direct allow FTP +# +# NOTE: There is a similar, but opposite option named +# 'never_direct'. You need to be aware that "always_direct deny +# foo" is NOT the same thing as "never_direct allow foo". You +# may need to use a deny rule to exclude a more-specific case of +# some other rule. Example: +# +# acl local-external dstdomain external.foo.net +# acl local-servers dstdomain .foo.net +# always_direct deny local-external +# always_direct allow local-servers +# +# NOTE: If your goal is to make the client forward the request +# directly to the origin server bypassing Squid then this needs +# to be done in the client configuration. Squid configuration +# can only tell Squid how Squid should fetch the object. +# +# NOTE: This directive is not related to caching. The replies +# is cached as usual even if you use always_direct. To not cache +# the replies see the 'cache' directive. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Prevent any cache_peer being used for this request. + +# TAG: never_direct +# Usage: never_direct allow|deny [!]aclname ... +# +# never_direct is the opposite of always_direct. Please read +# the description for always_direct if you have not already. +# +# With 'never_direct' you can use ACL elements to specify +# requests which should NEVER be forwarded directly to origin +# servers. For example, to force the use of a proxy for all +# requests, except those in your local domain use something like: +# +# acl local-servers dstdomain .foo.net +# never_direct deny local-servers +# never_direct allow all +# +# or if Squid is inside a firewall and there are local intranet +# servers inside the firewall use something like: +# +# acl local-intranet dstdomain .foo.net +# acl local-external dstdomain external.foo.net +# always_direct deny local-external +# always_direct allow local-intranet +# never_direct allow all +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow DNS results to be used for this request. + +# ADVANCED NETWORKING OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_udp_average 6 + +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_tcp_average 4 + +# TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_dns_average 4 + +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_udp_poll_cnt 8 + +# TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_dns_poll_cnt 8 + +# TAG: min_tcp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_tcp_poll_cnt 8 + +# TAG: accept_filter +# FreeBSD: +# +# The name of an accept(2) filter to install on Squid's +# listen socket(s). This feature is perhaps specific to +# FreeBSD and requires support in the kernel. +# +# The 'httpready' filter delays delivering new connections +# to Squid until a full HTTP request has been received. +# See the accf_http(9) man page for details. +# +# The 'dataready' filter delays delivering new connections +# to Squid until there is some data to process. +# See the accf_dataready(9) man page for details. +# +# Linux: +# +# The 'data' filter delays delivering of new connections +# to Squid until there is some data to process by TCP_ACCEPT_DEFER. +# You may optionally specify a number of seconds to wait by +# 'data=N' where N is the number of seconds. Defaults to 30 +# if not specified. See the tcp(7) man page for details. +#EXAMPLE: +## FreeBSD +#accept_filter httpready +## Linux +#accept_filter data +#Default: +# none + +# TAG: client_ip_max_connections +# Set an absolute limit on the number of connections a single +# client IP can use. Any more than this and Squid will begin to drop +# new connections from the client until it closes some links. +# +# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP +# connections from the client. For finer control use the ACL access controls. +# +# Requires client_db to be enabled (the default). +# +# WARNING: This may noticably slow down traffic received via external proxies +# or NAT devices and cause them to rebound error messages back to their clients. +#Default: +# No limit. + +# TAG: tcp_recv_bufsize (bytes) +# Size of receive buffer to set for TCP sockets. Probably just +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. +#Default: +# Use operating system TCP defaults. + +# ICAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icap_enable on|off +# If you want to enable the ICAP module support, set this to on. +#Default: +# icap_enable off + +# TAG: icap_connect_timeout +# This parameter specifies how long to wait for the TCP connect to +# the requested ICAP server to complete before giving up and either +# terminating the HTTP transaction or bypassing the failure. +# +# The default for optional services is peer_connect_timeout. +# The default for essential services is connect_timeout. +# If this option is explicitly set, its value applies to all services. +#Default: +# none + +# TAG: icap_io_timeout time-units +# This parameter specifies how long to wait for an I/O activity on +# an established, active ICAP connection before giving up and +# either terminating the HTTP transaction or bypassing the +# failure. +#Default: +# Use read_timeout. + +# TAG: icap_service_failure_limit limit [in memory-depth time-units] +# The limit specifies the number of failures that Squid tolerates +# when establishing a new TCP connection with an ICAP service. If +# the number of failures exceeds the limit, the ICAP service is +# not used for new ICAP requests until it is time to refresh its +# OPTIONS. +# +# A negative value disables the limit. Without the limit, an ICAP +# service will not be considered down due to connectivity failures +# between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds +#Default: +# icap_service_failure_limit 10 + +# TAG: icap_service_revival_delay +# The delay specifies the number of seconds to wait after an ICAP +# OPTIONS request failure before requesting the options again. The +# failed ICAP service is considered "down" until fresh OPTIONS are +# fetched. +# +# The actual delay cannot be smaller than the hardcoded minimum +# delay of 30 seconds. +#Default: +# icap_service_revival_delay 180 + +# TAG: icap_preview_enable on|off +# The ICAP Preview feature allows the ICAP server to handle the +# HTTP message by looking only at the beginning of the message body +# or even without receiving the body at all. In some environments, +# previews greatly speedup ICAP processing. +# +# During an ICAP OPTIONS transaction, the server may tell Squid what +# HTTP messages should be previewed and how big the preview should be. +# Squid will not use Preview if the server did not request one. +# +# To disable ICAP Preview for all ICAP services, regardless of +# individual ICAP server OPTIONS responses, set this option to "off". +#Example: +#icap_preview_enable off +#Default: +# icap_preview_enable on + +# TAG: icap_preview_size +# The default size of preview data to be sent to the ICAP server. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off +#Default: +# icap_206_enable on + +# TAG: icap_default_options_ttl +# The default TTL value for ICAP OPTIONS responses that don't have +# an Options-TTL header. +#Default: +# icap_default_options_ttl 60 + +# TAG: icap_persistent_connections on|off +# Whether or not Squid should use persistent connections to +# an ICAP server. +#Default: +# icap_persistent_connections on + +# TAG: adaptation_send_client_ip on|off +# If enabled, Squid shares HTTP client IP information with adaptation +# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. +# For eCAP, Squid sets the libecap::metaClientIp transaction option. +# +# See also: adaptation_uses_indirect_client +#Default: +# adaptation_send_client_ip off + +# TAG: adaptation_send_username on|off +# This sends authenticated HTTP client username (if available) to +# the adaptation service. +# +# For ICAP, the username value is encoded based on the +# icap_client_username_encode option and is sent using the header +# specified by the icap_client_username_header option. +#Default: +# adaptation_send_username off + +# TAG: icap_client_username_header +# ICAP request header name to use for adaptation_send_username. +#Default: +# icap_client_username_header X-Client-Username + +# TAG: icap_client_username_encode on|off +# Whether to base64 encode the authenticated client username. +#Default: +# icap_client_username_encode off + +# TAG: icap_service +# Defines a single ICAP service using the following format: +# +# icap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# ICAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: icap://servername:port/servicepath +# ICAP server and service location. +# +# ICAP does not allow a single service to handle both REQMOD and RESPMOD +# transactions. Squid does not enforce that requirement. You can specify +# services with the same service_url and different vectoring_points. You +# can even specify multiple identical services as long as their +# service_names differ. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. ICAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the ICAP service is treated as +# optional. If the service cannot be reached or malfunctions, +# Squid will try to ignore any errors and process the message as +# if the service was not enabled. No all ICAP errors can be +# bypassed. If set to 0, the ICAP service is treated as +# essential and all ICAP errors will result in an error page +# returned to the HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the ICAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. The services +# are specified using the X-Next-Services ICAP response header +# value, formatted as a comma-separated list of service names. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default: the ICAP X-Next-Services +# response header is ignored. +# +# ipv6=on|off +# Only has effect on split-stack systems. The default on those systems +# is to use IPv4-only connections. When set to 'on' this option will +# make Squid use IPv6-only connections to contact this ICAP service. +# +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# +# Older icap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +#Example: +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on +#Default: +# none + +# TAG: icap_class +# This deprecated option was documented to define an ICAP service +# chain, even though it actually defined a set of similar, redundant +# services, and the chains were not supported. +# +# To define a set of redundant services, please use the +# adaptation_service_set directive. For service chains, use +# adaptation_service_chain. +#Default: +# none + +# TAG: icap_access +# This option is deprecated. Please use adaptation_access, which +# has the same ICAP functionality, but comes with better +# documentation, and eCAP support. +#Default: +# none + +# eCAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ecap_enable on|off +# Controls whether eCAP support is enabled. +#Default: +# ecap_enable off + +# TAG: ecap_service +# Defines a single eCAP service +# +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# eCAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service +# was not enabled. No all eCAP errors can be bypassed. +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the +# HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +# +#Example: +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on +#Default: +# none + +# TAG: loadable_modules +# Instructs Squid to load the specified dynamic module(s) or activate +# preloaded module(s). +#Example: +#loadable_modules /usr/lib/MinimalAdapter.so +#Default: +# none + +# MESSAGE ADAPTATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: adaptation_service_set +# +# Configures an ordered set of similar, redundant services. This is +# useful when hot standby or backup adaptation servers are available. +# +# adaptation_service_set set_name service_name1 service_name2 ... +# +# The named services are used in the set declaration order. The first +# applicable adaptation service from the set is used first. The next +# applicable service is tried if and only if the transaction with the +# previous service fails and the message waiting to be adapted is still +# intact. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the set. A broken service is a down optional service. +# +# The services in a set must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# If all services in a set are optional then adaptation failures are +# bypassable. If all services in the set are essential, then a +# transaction failure with one service may still be retried using +# another service from the set, but when all services fail, the master +# transaction fails as well. +# +# A set may contain a mix of optional and essential services, but that +# is likely to lead to surprising results because broken services become +# ignored (see above), making previously bypassable failures fatal. +# Technically, it is the bypassability of the last failed service that +# matters. +# +# See also: adaptation_access adaptation_service_chain +# +#Example: +#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +#adaptation service_set svcLogger loggerLocal loggerRemote +#Default: +# none + +# TAG: adaptation_service_chain +# +# Configures a list of complementary services that will be applied +# one-by-one, forming an adaptation chain or pipeline. This is useful +# when Squid must perform different adaptations on the same message. +# +# adaptation_service_chain chain_name service_name1 svc_name2 ... +# +# The named services are used in the chain declaration order. The first +# applicable adaptation service from the chain is used first. The next +# applicable service is applied to the successful adaptation results of +# the previous service in the chain. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the chain. A broken service is a down optional service. +# +# Request satisfaction terminates the adaptation chain because Squid +# does not currently allow declaration of RESPMOD services at the +# "reqmod_precache" vectoring point (see icap_service or ecap_service). +# +# The services in a chain must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# A chain may contain a mix of optional and essential services. If an +# essential adaptation fails (or the failure cannot be bypassed for +# other reasons), the master transaction fails. Otherwise, the failure +# is bypassed as if the failed adaptation service was not in the chain. +# +# See also: adaptation_access adaptation_service_set +# +#Example: +#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +#Default: +# none + +# TAG: adaptation_access +# Sends an HTTP transaction to an ICAP or eCAP adaptation service. +# +# adaptation_access service_name allow|deny [!]aclname... +# adaptation_access set_name allow|deny [!]aclname... +# +# At each supported vectoring point, the adaptation_access +# statements are processed in the order they appear in this +# configuration file. Statements pointing to the following services +# are ignored (i.e., skipped without checking their ACL): +# +# - services serving different vectoring points +# - "broken-but-bypassable" services +# - "up" services configured to ignore such transactions +# (e.g., based on the ICAP Transfer-Ignore header). +# +# When a set_name is used, all services in the set are checked +# using the same rules, to find the first applicable one. See +# adaptation_service_set for details. +# +# If an access list is checked and there is a match, the +# processing stops: For an "allow" rule, the corresponding +# adaptation service is used for the transaction. For a "deny" +# rule, no adaptation service is activated. +# +# It is currently not possible to apply more than one adaptation +# service at the same vectoring point to the same HTTP transaction. +# +# See also: icap_service and ecap_service +# +#Example: +#adaptation_access service_1 allow all +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: adaptation_service_iteration_limit +# Limits the number of iterations allowed when applying adaptation +# services to a message. If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + +# TAG: icap_retry +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. +# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Limits the number of retries allowed. +# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# No retries are allowed. + +# DNS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: check_hostnames +# For security and stability reasons Squid can check +# hostnames for Internet standard RFC compliance. If you want +# Squid to perform these checks turn this directive on. +#Default: +# check_hostnames off + +# TAG: allow_underscore +# Underscore characters is not strictly allowed in Internet hostnames +# but nevertheless used by many sites. Set this to off if you want +# Squid to be strict about the standard. +# This check is performed only when check_hostnames is set to on. +#Default: +# allow_underscore on + +# TAG: cache_dns_program +# Note: This option is only available if Squid is rebuilt with the +# --disable-internal-dns +# +# Specify the location of the executable for dnslookup process. +#Default: +# cache_dns_program /usr/lib/squid3/dnsserver + +# TAG: dns_children +# Note: This option is only available if Squid is rebuilt with the +# --disable-internal-dns +# +# The maximum number of processes spawn to service DNS name lookups. +# If you limit it too few Squid will have to wait for them to process +# a backlog of requests, slowing it down. If you allow too many they +# will use RAM and other system resources noticably. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +#Default: +# dns_children 32 startup=1 idle=1 + +# TAG: dns_retransmit_interval +# Initial retransmit interval for DNS queries. The interval is +# doubled each time all configured DNS servers have been tried. +#Default: +# dns_retransmit_interval 5 seconds + +# TAG: dns_timeout +# DNS Query timeout. If no response is received to a DNS query +# within this time all DNS servers for the queried domain +# are assumed to be unavailable. +#Default: +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled + +# TAG: dns_defnames on|off +# Normally the RES_DEFNAMES resolver option is disabled +# (see res_init(3)). This prevents caches in a hierarchy +# from interpreting single-component hostnames locally. To allow +# Squid to handle single-component names, enable this option. +#Default: +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. + +# TAG: dns_nameservers +# Use this if you want to specify a list of DNS name servers +# (IP addresses) to use instead of those given in your +# /etc/resolv.conf file. +# +# On Windows platforms, if no value is specified here or in +# the /etc/resolv.conf file, the list of DNS name servers are +# taken from the Windows registry, both static and dynamic DHCP +# configurations are supported. +# +# Example: dns_nameservers 10.0.0.1 192.172.0.4 +#Default: +# Use operating system definitions + +# TAG: hosts_file +# Location of the host-local IP name-address associations +# database. Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: dns_v4_first +# With the IPv6 Internet being as fast or faster than IPv4 Internet +# for most networks Squid prefers to contact websites over IPv6. +# +# This option reverses the order of preference to make Squid contact +# dual-stack websites over IPv4 first. Squid will still perform both +# IPv6 and IPv4 DNS lookups before connecting. +# +# WARNING: +# This option will restrict the situations under which IPv6 +# connectivity is used (and tested), potentially hiding network +# problems which would otherwise be detected and warned about. +#Default: +# dns_v4_first off + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. +#Default: +# ipcache_high 95 + +# TAG: fqdncache_size (number of entries) +# Maximum number of FQDN cache entries. +#Default: +# fqdncache_size 1024 + +# MISCELLANEOUS +# ----------------------------------------------------------------------------- + +# TAG: configuration_includes_quoted_values on|off +# Previous Squid versions have defined "quoted/string" as syntax for +# ACL to signifiy the value is an included file containing values and +# has treated the " characters in other places of the configuration file +# as part of the parameter value it was used for. +# +# For compatibility with existing installations that behaviour +# remains the default. +# +# If this directive is set to 'on', Squid will start parsing each +# "quoted string" as a single configuration directive parameter. The +# quotes are stripped before the parameter value is interpreted or use. +# +# That will continue for all lines until this directive is set to 'off', +# where Squid will return to the default configuration parsing. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +#Default: +# configuration_includes_quoted_values off + +# TAG: memory_pools on|off +# If set, Squid will keep pools of allocated (but unused) memory +# available for future use. If memory is a premium on your +# system and you believe your malloc library outperforms Squid +# routines, disable this. +#Default: +# memory_pools on + +# TAG: memory_pools_limit (bytes) +# Used only with memory_pools on: +# memory_pools_limit 50 MB +# +# If set to a non-zero value, Squid will keep at most the specified +# limit of allocated (but unused) memory in memory pools. All free() +# requests that exceed this limit will be handled by your malloc +# library. Squid does not pre-allocate any memory, just safe-keeps +# objects that otherwise would be free()d. Thus, it is safe to set +# memory_pools_limit to a reasonably high value even if your +# configuration will use less memory. +# +# If set to none, Squid will keep all memory it can. That is, there +# will be no limit on the total amount of memory used for safe-keeping. +# +# To disable memory allocation optimization, do not set +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. +# +# An overhead for maintaining memory pools is not taken into account +# when the limit is checked. This overhead is close to four bytes per +# object kept. However, pools may actually _save_ memory because of +# reduced memory thrashing in your malloc library. +#Default: +# memory_pools_limit 5 MB + +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: +# +# X-Forwarded-For: 192.1.2.3 +# +# If set to "off", it will appear as +# +# X-Forwarded-For: unknown +# +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place the client IP as the sole entry. +#Default: +# forwarded_for on + +# TAG: cachemgr_passwd +# Specify passwords for cachemgr operations. +# +# Usage: cachemgr_passwd password action action ... +# +# Some valid actions are (see cache manager menu for a full list): +# 5min +# 60min +# asndb +# authenticator +# cbdata +# client_list +# comm_incoming +# config * +# counters +# delay +# digest_stats +# dns +# events +# filedescriptors +# fqdncache +# histograms +# http_headers +# info +# io +# ipcache +# mem +# menu +# netdb +# non_peers +# objects +# offline_toggle * +# pconn +# peer_select +# reconfigure * +# redirector +# refresh +# server_list +# shutdown * +# store_digest +# storedir +# utilization +# via_headers +# vm_objects +# +# * Indicates actions which will not be performed without a +# valid password, others can be performed if not listed here. +# +# To disable an action, set the password to "disable". +# To allow performing an action without a password, set the +# password to "none". +# +# Use the keyword "all" to set the same password for all actions. +# +#Example: +# cachemgr_passwd secret shutdown +# cachemgr_passwd lesssssssecret info stats/objects +# cachemgr_passwd disable all +#Default: +# No password. Actions which require password are denied. + +# TAG: client_db on|off +# If you want to disable collecting per-client statistics, +# turn off client_db here. +#Default: +# client_db on + +# TAG: refresh_all_ims on|off +# When you enable this option, squid will always check +# the origin server for an update when a client sends an +# If-Modified-Since request. Many browsers use IMS +# requests when the user requests a reload, and this +# ensures those clients receive the latest version. +# +# By default (off), squid may return a Not Modified response +# based on the age of the cached version. +#Default: +# refresh_all_ims off + +# TAG: reload_into_ims on|off +# When you enable this option, client no-cache or ``reload'' +# requests will be changed to If-Modified-Since requests. +# Doing this VIOLATES the HTTP standard. Enabling this +# feature could make you liable for problems which it +# causes. +# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. +# +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. +# +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. +#Default: +# Do not retry failed connections. + +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: balance_on_multiple_ip +# Modern IP resolvers in squid sort lookup results by preferred access. +# By default squid will use these IP in order and only rotates to +# the next listed when the most preffered fails. +# +# Some load balancing servers based on round robin DNS have been +# found not to preserve user session state across requests +# to different IP addresses. +# +# Enabling this directive Squid rotates IP's per request. +#Default: +# balance_on_multiple_ip off + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. + +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by mallinfo) exceeds +# this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. +#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. +# +# Remove from squid.conf to inherit the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: workers +# Number of main Squid processes or "workers" to fork and maintain. +# 0: "no daemon" mode, like running "squid -N ..." +# 1: "no SMP" mode, start one main Squid process daemon (default) +# N: start N main Squid process daemons (i.e., SMP mode) +# +# In SMP mode, each worker does nearly all what a single Squid daemon +# does (e.g., listen on http_port and forward HTTP requests). +#Default: +# SMP support disabled. + +# TAG: cpu_affinity_map +# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,... +# +# Sets 1:1 mapping between Squid processes and CPU cores. For example, +# +# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7 +# +# affects processes 1 through 4 only and places them on the first +# four even cores, starting with core #1. +# +# CPU cores are numbered starting from 1. Requires support for +# sched_getaffinity(2) and sched_setaffinity(2) system calls. +# +# Multiple cpu_affinity_map options are merged. +# +# See also: workers +#Default: +# Let operating system decide. + diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml new file mode 100644 index 0000000..d309cc2 --- /dev/null +++ b/roles/squid/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart squid + service: name=squid state=restarted diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml new file mode 100644 index 0000000..ae557d8 --- /dev/null +++ b/roles/squid/tasks/main.yml @@ -0,0 +1,9 @@ +--- + +- name: Installation squid + apt: name=squid state=present + +- name: Copie du fichier squid.conf + copy: src=squid.{{ansible_hostname}}.conf dest=/etc/squid/squid.conf + notify: + - restart squid diff --git a/roles/ssh-cli/tasks/main.yml b/roles/ssh-cli/tasks/main.yml new file mode 100644 index 0000000..ea32e53 --- /dev/null +++ b/roles/ssh-cli/tasks/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Creation de .ssh + file: path=/root/.ssh mode=0700 state=directory + +- name: Copie cle public s-adm + shell: curl 192.168.99.99/id_rsa.pub > ~/.ssh/authorized_keys + +#- name: Copie cle public s-spec +# shell: curl 192.168.99.10/id_rsa.pub >> ~/.ssh/authorized_keys diff --git a/roles/ssh-root-access/tasks/main.yml b/roles/ssh-root-access/tasks/main.yml new file mode 100644 index 0000000..d9f0a6b --- /dev/null +++ b/roles/ssh-root-access/tasks/main.yml @@ -0,0 +1,7 @@ +- name: Activation acces ssh root pour r-vp1 (certificat) + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^PermitRootLogin" + line: "PermitRootLogin yes" + state: present + diff --git a/roles/sshk/tasks/main.yml b/roles/sshk/tasks/main.yml new file mode 100644 index 0000000..8c89382 --- /dev/null +++ b/roles/sshk/tasks/main.yml @@ -0,0 +1,10 @@ +--- + + +- name: creation user admu + user: name=admu comment="admu" shell=/bin/bash + +- name: Copie cle ssh + authorized_key: user=root key="{{lookup('file','/home/admu/.ssh/id_rsa_pub') }}" + + diff --git a/roles/ssl-apache/README.md b/roles/ssl-apache/README.md new file mode 100644 index 0000000..03a1e55 --- /dev/null +++ b/roles/ssl-apache/README.md @@ -0,0 +1,7 @@ +## Principe du rôle ssl-apache + +Ce rôle permet d'avoir un certificat SSL autosigné sur le site, configuré avec Apache, que l'on souhaite utilisé en HTTPS. + +Il installe le paquet "OpenSSL" s'il n'est pas installé, ensuite pour créer un certificat x509. + +Pour finir il fait la redirection HTTPS et ouvre le port 443. diff --git a/roles/ssl-apache/files/000-default.conf b/roles/ssl-apache/files/000-default.conf new file mode 100644 index 0000000..65c2eba --- /dev/null +++ b/roles/ssl-apache/files/000-default.conf @@ -0,0 +1,32 @@ + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + ServerName s-appli.gsb.lan + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + Redirect "/" "https://s-appli.gsb.lan/wordpress" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/ssl-apache/files/default-ssl.conf b/roles/ssl-apache/files/default-ssl.conf new file mode 100644 index 0000000..b1d07e6 --- /dev/null +++ b/roles/ssl-apache/files/default-ssl.conf @@ -0,0 +1,24 @@ +# + + ServerAdmin webmaster@localhost + ServerName s-appli.gsb.lan + + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + + SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt + SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + +# diff --git a/roles/ssl-apache/files/ports.conf b/roles/ssl-apache/files/ports.conf new file mode 100644 index 0000000..ef8a4fe --- /dev/null +++ b/roles/ssl-apache/files/ports.conf @@ -0,0 +1,15 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 80 +Listen 443 https +# +# Listen 443 +# + + + Listen 443 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/ssl-apache/handlers/main.yml b/roles/ssl-apache/handlers/main.yml new file mode 100644 index 0000000..670471f --- /dev/null +++ b/roles/ssl-apache/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart apache2 + service: + name: apache2 + state: restarted diff --git a/roles/ssl-apache/tasks/main.yml b/roles/ssl-apache/tasks/main.yml new file mode 100644 index 0000000..4bd4b3a --- /dev/null +++ b/roles/ssl-apache/tasks/main.yml @@ -0,0 +1,51 @@ +--- +- name: Installation de openssl + apt: + name: openssl + +- name: Création de la clé + community.crypto.openssl_privatekey: + path: /etc/ssl/private/apache-selfsigned.key + mode: "640" + owner: root + group: root + +- name: Création du certificat + community.crypto.x509_certificate: + path: /etc/ssl/certs/apache-selfsigned.crt + privatekey_path: /etc/ssl/private/apache-selfsigned.key + provider: selfsigned + mode: "644" + owner: root + group: root + +- name: Suppression du fichier 000-default.conf + file: + path: /etc/apache2/sites-available/000-default.conf + state: absent + +- name: Supression du fichier default-ssl.conf + file: + path: /etc/apache2/sites-available/default-ssl.conf + state: absent + +- name: Supression du fichier ports.conf + file: + path: /etc/apache2/ports.conf + state: absent + +- name: ajout de la redirection https + copy: + src: 000-default.conf + dest: /etc/apache2/sites-available + +- name: ajout du site https + copy: + src: default-ssl.conf + dest: /etc/apache2/sites-available + +- name: ajout du port 443 + copy: + src: ports.conf + dest: /etc/apache2 + notify: restart apache2 diff --git a/roles/syslog-cli/README.md b/roles/syslog-cli/README.md new file mode 100644 index 0000000..bd36878 --- /dev/null +++ b/roles/syslog-cli/README.md @@ -0,0 +1,12 @@ +# Role syslog-cli : Installation et configuration de syslog client (centralisation des logs) +*** + +Ce role a pour objectif de parametrer le fichier /etc/rsyslog.conf pour envoyer les logs vers la machine **s-infra**: +on ajoute au bout du fichier : +''*.* @adresse srv-syslog'' + +Ensuite le role décommente dans le fichier /etc/systemd/journald.conf la ligne suivante : +'ForwardToSyslog=yes' +afin d'autoriser l'envoie de log sur la machine srv qui est **s-infra** + +une fois tout cela fait le role redémarre automatiquement les services journald et rsyslog diff --git a/roles/syslog-cli/handlers/main.yml b/roles/syslog-cli/handlers/main.yml new file mode 100644 index 0000000..fb17a84 --- /dev/null +++ b/roles/syslog-cli/handlers/main.yml @@ -0,0 +1,10 @@ +--- + - name: restart rsyslog + service: + name: rsyslog + state: restarted + + - name: restart journald + service: + name: systemd-journald.service + state: restarted diff --git a/roles/syslog-cli/tasks/main.yml b/roles/syslog-cli/tasks/main.yml new file mode 100644 index 0000000..b09bbf8 --- /dev/null +++ b/roles/syslog-cli/tasks/main.yml @@ -0,0 +1,17 @@ +--- + - name: ajoute l'indication de serveur syslog distant si elle n'est pas presente + lineinfile: + path: /etc/rsyslog.conf + regexp: '^' + line: '*.* @syslog.gsb.adm' + state: present + notify: + - restart rsyslog + + - name: decommente le chargement du module imudp dans rsyslog.conf + replace: + path: /etc/systemd/journald.conf + regexp: '^#ForwardToSyslog=yes' + replace: 'ForwardToSyslog=yes' + notify: + - restart journald diff --git a/roles/syslog/README.md b/roles/syslog/README.md new file mode 100644 index 0000000..e691ab2 --- /dev/null +++ b/roles/syslog/README.md @@ -0,0 +1,16 @@ +# Role syslog : installation et configuration de syslog serveur (centralisation des logs) +*** + +Ce role a pour objectif de activer le module UDP dans le fichier /etc/rsyslog.conf pour accepter les logs entrants des machines concernées : +on décommente la ligne suivante : +'module(load="imudp"\)' + +Ensuite le role active l'écoute du module UDP sur le port 514 afin de pouvoir envoyer les logs. +on décommente la ligne suivante dans le même fichier que ci-dessus : +'input\(type="imudp" port="514"\)' + +pour finir le role va charger le module UDP afin que la machine **s-infra** puissent reçevoir les logs entrants. +Pour faire cela on décommente la ligne suivante dans le fichier /etc/systemd/journald.conf : +'ForwardToSyslog=yes' + +pour finir le role va redemmarer automatiquement les services journald et rsyslog diff --git a/roles/syslog/handlers/main.yml b/roles/syslog/handlers/main.yml new file mode 100644 index 0000000..9f5b879 --- /dev/null +++ b/roles/syslog/handlers/main.yml @@ -0,0 +1,10 @@ +--- + - name: restart syslog + service: + name: rsyslog + state: restarted + + - name: restart journald + service: + name: systemd-journald.service + state: restarted diff --git a/roles/syslog/tasks/main.yml b/roles/syslog/tasks/main.yml new file mode 100644 index 0000000..ddf3031 --- /dev/null +++ b/roles/syslog/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: chargement module UDP + replace: + dest: /etc/rsyslog.conf + regexp: '^#module\(load="imudp"\)' + replace: 'module(load="imudp")' + backup: yes + notify: + - restart syslog + +- name: ecoute UDP port 514 + replace: + dest: /etc/rsyslog.conf + regexp: '^#input\(type="imudp" port="514"\)' + replace: 'input(type="imudp" port="514")' + backup: yes + notify: + - restart syslog + +- name: chargement module UDP dans rsyslog.conf + replace: + dest: /etc/systemd/journald.conf + regexp: '^#ForwardToSyslog=yes' + replace: 'ForwardToSyslog=yes' + notify: + - restart syslog diff --git a/roles/webautoconf/files/wpad.dat b/roles/webautoconf/files/wpad.dat new file mode 100644 index 0000000..30b5560 --- /dev/null +++ b/roles/webautoconf/files/wpad.dat @@ -0,0 +1,12 @@ +// config automatique +// PS - 2015-06-09 +function FindProxyForURL(url, host) + { + if (isPlainHostName(host) || + dnsDomainIs(host, "gsb.lan") || + isInNet(host, "172.16.0.0", "255.255.255.0") || + isInNet(host, "127.0.0.1", "255.255.255.255")) + return "DIRECT"; + else + return "PROXY 172.16.0.2:8080"; + } diff --git a/roles/webautoconf/tasks/main.yml b/roles/webautoconf/tasks/main.yml new file mode 100644 index 0000000..b43eede --- /dev/null +++ b/roles/webautoconf/tasks/main.yml @@ -0,0 +1,9 @@ +--- + +- name: Installation lighttpd + apt: name=lighttpd state=present + +- name: Copie wpad.dat + copy: src=wpad.dat dest=/var/www/html + + diff --git a/roles/wireguard-l/tasks/main.yml b/roles/wireguard-l/tasks/main.yml new file mode 100644 index 0000000..1b59d14 --- /dev/null +++ b/roles/wireguard-l/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: installation de wireguard + apt: + name: wireguard + state: present + +- name: installation de wireguard-tools + apt: + name: wireguard-tools + state: present + +- name: installation de sshpass + apt: + name: sshpass + state: present + +- name: copie du fichier de configuration depuis r-vp1 + command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/" + +- name: renommage du fichier de configuration + command: "mv /etc/wireguard/wg0-b.conf /etc/wireguard/wg0.conf" diff --git a/roles/wireguard-r/README.md b/roles/wireguard-r/README.md new file mode 100644 index 0000000..c3e7dcf --- /dev/null +++ b/roles/wireguard-r/README.md @@ -0,0 +1,14 @@ +#Installation de r-vp1 (Wireguard) + +*** +Ce fichier à pour but de présenter l'installation de r-vp1 +*** + +Se rendre dans le dossier gsb2022 et éxécuter la commande suivante : +_"ansible-playbook -i localhost, -c local r-vp1.yml"_ +Attendre la fin de l'installation, puis se rendre dans le dossier confwg +Faites une copie à distance du fichier wg0-b.conf sur r-vp2 et déplacer le fichier wg0-a.conf localement dans /etc/wireguard +Renommer les deux fichiers en wg0.conf +Executer _"systemctl enable wg-quick@wg0"_ puis _"systemctl start wg-quick@wg0"_ sur r-vp1 et r-vp2 +Entrer la commande _"wg"_ si des paquets sont envoyés et reçus votre VPN fonctionne. +Lorsque votre infrastructure est prête rendez vous dans gsb2022 et éxécuter le **fichier ping-sagence** afin vérifier le bon fonctionnement. diff --git a/roles/wireguard-r/files/mk-wgconf.sh b/roles/wireguard-r/files/mk-wgconf.sh new file mode 100755 index 0000000..b3faf38 --- /dev/null +++ b/roles/wireguard-r/files/mk-wgconf.sh @@ -0,0 +1,70 @@ +#!/bin/bash +set -u +set -e +# Version Site to Site + +AddressAwg=10.0.0.1/32 # Adresse VPN Wireguard cote A +EndpointA=192.168.0.51 # Adresse extremite A +PortA=51820 # Port ecoute extremite A +NetworkA=192.168.1.0/24 # reseau cote A +NetworkC=192.168.200.0/24 #reseau cote A +NetworkD=172.16.0.0/24 #reseau cote A + +AddressBwg=10.0.0.2/32 # Adresse VPN Wireguard cote B +EndpointB=192.168.0.52 # Adresse extremite B +PortB=51820 # Port ecoute extremite B +NetworkB=172.16.128.0/24 # reseau cote B + +umask 077 +wg genkey > endpoint-a.key +wg pubkey < endpoint-a.key > endpoint-a.pub + +wg genkey > endpoint-b.key +wg pubkey < endpoint-b.key > endpoint-b.pub + + +PKA=$(cat endpoint-a.key) +pKA=$(cat endpoint-a.pub) +PKB=$(cat endpoint-b.key) +pKB=$(cat endpoint-b.pub) + +cat < wg0-a.conf +# local settings for Endpoint A +[Interface] +PrivateKey = $PKA +Address = $AddressAwg +ListenPort = $PortA + +# IP forwarding +PreUp = sysctl -w net.ipv4.ip_forward=1 + +# remote settings for Endpoint B +[Peer] +PublicKey = $pKB +Endpoint = ${EndpointB}:$PortB +AllowedIPs = $AddressBwg, $NetworkB + +FINI + + +cat < wg0-b.conf +# local settings for Endpoint B +[Interface] +PrivateKey = $PKB +Address = $AddressBwg +ListenPort = $PortB + +# IP forwarding +PreUp = sysctl -w net.ipv4.ip_forward=1 + +# remote settings for Endpoint A +[Peer] +PublicKey = $pKA +Endpoint = ${EndpointA}:$PortA +AllowedIPs = $AddressAwg, $NetworkA, $NetworkC, $NetworkD + +FINI + +echo "wg0-a.conf et wg0-b.conf sont generes ..." +echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..." + diff --git a/roles/wireguard-r/files/scriptwg.sh b/roles/wireguard-r/files/scriptwg.sh new file mode 100755 index 0000000..2d499c9 --- /dev/null +++ b/roles/wireguard-r/files/scriptwg.sh @@ -0,0 +1,67 @@ +#!/bin/bash +set -u +set -e +# Version Site to Site + +AddressAwg=10.0.0.1/32 # Adresse VPN Wireguard cote A +EndpointA=192.168.0.51 # Adresse extremite A +PortA=51820 # Port ecoute extremite A +NetworkA=192.168.1.0/24 # reseau cote A + +AddressBwg=10.0.0.2/32 # Adresse VPN Wireguard cote B +EndpointB=192.168.0.52 # Adresse extremite B +PortB=51820 # Port ecoute extremite B +NetworkB=172.16.128.0/24 # reseau cote B + +umask 077 +wg genkey > endpoint-a.key +wg pubkey < endpoint-a.key > endpoint-a.pub + +wg genkey > endpoint-b.key +wg pubkey < endpoint-b.key > endpoint-b.pub + + +PKA=$(cat endpoint-a.key) +pKA=$(cat endpoint-a.pub) +PKB=$(cat endpoint-b.key) +pKB=$(cat endpoint-b.pub) + +cat < wg0-a.conf +# local settings for Endpoint A +[Interface] +PrivateKey = $PKA +Address = $AddressAwg +ListenPort = $PortA + +# IP forwarding +PreUp = sysctl -w net.ipv4.ip_forward=1 + +# remote settings for Endpoint B +[Peer] +PublicKey = $pKB +Endpoint = ${EndpointB}:$PortB +AllowedIPs = $AddressBwg, $NetworkB + +FINI + + +cat < wg0-b.conf +# local settings for Endpoint B +[Interface] +PrivateKey = $PKB +Address = $AddressBwg +ListenPort = $PortB + +# IP forwarding +PreUp = sysctl -w net.ipv4.ip_forward=1 + +# remote settings for Endpoint A +[Peer] +PublicKey = $pKA +Endpoint = ${EndpointA}:$PortA +AllowedIPs = $AddressAwg, $NetworkA + +FINI + +echo "wg0-a.conf et wg0-b.conf sont generes ..." +echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..." diff --git a/roles/wireguard-r/tasks/main.yml b/roles/wireguard-r/tasks/main.yml new file mode 100644 index 0000000..51fe16b --- /dev/null +++ b/roles/wireguard-r/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: installation de wireguard + apt: + name: wireguard + state: present + +- name: installation de wireguard-tools + apt: + name: wireguard-tools + state: present + +- name: création du dossier conf + file: + path: /root/confwg + state: directory + +- name: copie du script mk-wgconf.sh + copy: + src: mk-wgconf.sh + dest: /root/confwg + +- name: execution script mk-wgconf.sh + command: bash ./mk-wgconf.sh + args: + chdir: /root/confwg + +- name: copie du fichier de configuration + copy: + src: /root/confwg/wg0-a.conf + dest: /etc/wireguard + +- name: renommage fichier de configuration + command: "mv /etc/wireguard/wg0-a.conf /etc/wireguard/wg0.conf" + +- name: demarrage du service wireguard + tags: aaaa + command: "systemctl enable wg-quick@wg0" + command: "systemctl restart wg-quick@wg0" diff --git a/s-adm.yml b/s-adm.yml new file mode 100644 index 0000000..48ec9d5 --- /dev/null +++ b/s-adm.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - s-ssh + - dnsmasq + - squid + - local-store + - snmp-agent + - syslog-cli + - post diff --git a/s-agence.yml b/s-agence.yml new file mode 100644 index 0000000..4f636a8 --- /dev/null +++ b/s-agence.yml @@ -0,0 +1,10 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - ssh-cli + - syslog-cli + - post + - goss diff --git a/s-appli.yml b/s-appli.yml new file mode 100644 index 0000000..9a8110d --- /dev/null +++ b/s-appli.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - appli + - ssh-cli + - syslog-cli + - snmp-agent + - ssl-apache + - post + diff --git a/s-backup.yml b/s-backup.yml new file mode 100644 index 0000000..983e4d3 --- /dev/null +++ b/s-backup.yml @@ -0,0 +1,13 @@ +--- +- hosts: localhost + connection: local + + roles: + - base +# - proxy3 + - snmp-agent +# - ssh-cli + - syslog-cli + - smb-backup + - dns-slave + - post diff --git a/s-bdd.yml b/s-bdd.yml new file mode 100644 index 0000000..83e4dc1 --- /dev/null +++ b/s-bdd.yml @@ -0,0 +1,23 @@ +--- + - hosts: localhost + connection: local + vars: + maria_dbhost: "192.168.102.254" + maria_dbname: "wordpress" + maria_dbuser: "wp" + maria_dbpasswd: "wp" + + + roles: + - base + - goss +# - s-lb-bd + - mariadb + - role: db-user + cli_ip: "192.168.102.1" + - role: db-user + cli_ip: "192.168.102.2" + - role: db-user + cli_ip: "192.168.102.3" + - snmp-agent + - post diff --git a/s-docker.yml b/s-docker.yml new file mode 100644 index 0000000..b7343ac --- /dev/null +++ b/s-docker.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + # include: config.yml + roles: + - base + - goss + - snmp-agent + - ssh-cli + - syslog-cli + - docker-openvas-ab + #- docker-iredmail-ab + - post + diff --git a/s-elk.yml b/s-elk.yml new file mode 100644 index 0000000..b14cdf2 --- /dev/null +++ b/s-elk.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + roles: + - base + - goss + - docker + - elk + - ssh-cli + - syslog-cli + - post diff --git a/s-fog.yml b/s-fog.yml new file mode 100644 index 0000000..9e030c2 --- /dev/null +++ b/s-fog.yml @@ -0,0 +1,13 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - dhcp-fog + - ssh-cli + - snmp-agent + - syslog-cli + - fog + - post diff --git a/s-gestsup.yml b/s-gestsup.yml new file mode 100644 index 0000000..897d116 --- /dev/null +++ b/s-gestsup.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - gestsup + - postfix-gestsup + - ssh-cli + - syslog-cli + - snmp-agent + - post diff --git a/s-graylog.yml b/s-graylog.yml new file mode 100644 index 0000000..0127d98 --- /dev/null +++ b/s-graylog.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - docker-graylog + - ssh-cli + - syslog + - post + diff --git a/s-infra.yml b/s-infra.yml new file mode 100644 index 0000000..c7bf1ff --- /dev/null +++ b/s-infra.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + # include: config.yml + roles: + - base + - goss + - dns-master + - webautoconf + - snmp-agent + - syslog-cli + - ssh-cli + - post + diff --git a/s-itil.yml b/s-itil.yml new file mode 100644 index 0000000..5bab648 --- /dev/null +++ b/s-itil.yml @@ -0,0 +1,24 @@ +--- +- hosts: localhost + connection: local + + vars: + + glpi_version: "9.4.5" + fd_version: "9.4+1.1" + fd_version64: "x64_2.5.2" + fd_version86: "x86_2.5.2" + glpi_dir: "/var/www/html/glpi" + glpi_dbhost: "127.0.0.1" + glpi_dbname: "glpi" + glpi_dbuser: "glpi" + glpi_dbpasswd: "glpi" + + roles: + - base + - goss + - snmp-agent + - itil + - ssh-cli + - syslog-cli + - post diff --git a/s-lb-bd.yml b/s-lb-bd.yml new file mode 100644 index 0000000..c31f907 --- /dev/null +++ b/s-lb-bd.yml @@ -0,0 +1,24 @@ +--- + - hosts: localhost + connection: local + vars: + maria_dbhost: "192.168.102.254" + maria_dbname: "wordpress" + maria_dbuser: "wp" + maria_dbpasswd: "wp" + + + roles: + - base + - goss + - post + #- s-lb-bd-ab + - mariadb-ab +# - role: db-user +# cli_ip: "192.168.102.1" +# - role: db-user +# cli_ip: "192.168.102.2" +# - role: db-user +# cli_ip: "192.168.102.3" + - snmp-agent +# - post diff --git a/s-lb-web1.yml b/s-lb-web1.yml new file mode 100644 index 0000000..0c1dc9b --- /dev/null +++ b/s-lb-web1.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web-ab + - snmp-agent + - s-nas-client + - post + diff --git a/s-lb-web2.yml b/s-lb-web2.yml new file mode 100644 index 0000000..0c1dc9b --- /dev/null +++ b/s-lb-web2.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web-ab + - snmp-agent + - s-nas-client + - post + diff --git a/s-lb-web3.yml b/s-lb-web3.yml new file mode 100644 index 0000000..0c1dc9b --- /dev/null +++ b/s-lb-web3.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web-ab + - snmp-agent + - s-nas-client + - post + diff --git a/s-lb-wordpress.yml b/s-lb-wordpress.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb-wordpress2.yml b/s-lb-wordpress2.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress2.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb-wordpress3.yml b/s-lb-wordpress3.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress3.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb.yml b/s-lb.yml new file mode 100644 index 0000000..7b0374f --- /dev/null +++ b/s-lb.yml @@ -0,0 +1,11 @@ +--- + - hosts: localhost + connection: local + + roles: + - base + - goss + - s-lb-ab + - snmp-agent + - post + diff --git a/s-mess.yml b/s-mess.yml new file mode 100644 index 0000000..a523a38 --- /dev/null +++ b/s-mess.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - docker-nextcloud + - ssh-cli + - syslog-cli + - snmp-agent + - post diff --git a/s-mon.yml b/s-mon.yml new file mode 100644 index 0000000..78d3cfb --- /dev/null +++ b/s-mon.yml @@ -0,0 +1,16 @@ +- name: Nagios + hosts: localhost + connection: local + become: yes + become_method: sudo + become_user: root + vars: + access: "Restricted Nagios4 Access" + roles: + - base + - goss + - nagios + - postfix + - ssh-cli + - syslog + - post diff --git a/s-nas.yml b/s-nas.yml new file mode 100644 index 0000000..357cdb8 --- /dev/null +++ b/s-nas.yml @@ -0,0 +1,17 @@ +--- +- hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.254" + + roles: + - base + - snmp-agent + - s-lb-wordpress + - s-nas-server + - ssh-cli + - syslog-cli + - post diff --git a/s-nxc.yml b/s-nxc.yml new file mode 100644 index 0000000..573d8ad --- /dev/null +++ b/s-nxc.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - docker + - nxc-traefik + - ssh-cli + - syslog-cli + - snmp-agent + - post diff --git a/s-proxy.yml b/s-proxy.yml new file mode 100644 index 0000000..78d1644 --- /dev/null +++ b/s-proxy.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - squid + - snmp-agent + - ssh-cli + - syslog-cli + - post diff --git a/s-test.yml b/s-test.yml new file mode 100644 index 0000000..521df21 --- /dev/null +++ b/s-test.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + # include: config.yml + roles: + - base + - goss + - snmp-agent + - syslog-cli + - ssh-cli + - post + diff --git a/s-web.yml b/s-web.yml new file mode 100644 index 0000000..6b5b855 --- /dev/null +++ b/s-web.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - apache2 + - snmp-agent + - ssh-cli + - syslog-cli + - post + #- mysql + - wordpress + diff --git a/s-web1.yml b/s-web1.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web1.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/s-web2.yml b/s-web2.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web2.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/s-web3.yml b/s-web3.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web3.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/scripts/Windows/addint-r-ext.bat b/scripts/Windows/addint-r-ext.bat new file mode 100644 index 0000000..6954297 --- /dev/null +++ b/scripts/Windows/addint-r-ext.bat @@ -0,0 +1,31 @@ +cd C:\Program Files\Oracle\VirtualBox + +VBoxManage modifyvm r-ext --nic1 intnet +VBoxManage modifyvm r-ext --intnet1 "n-adm" +VBoxManage modifyvm r-ext --nictype1 82540EM +VBoxManage modifyvm r-ext --cableconnected1 on +VBoxManage modifyvm r-ext --nicpromisc1 allow-all + +VBoxManage modifyvm r-ext --nic2 intnet +VBoxManage modifyvm r-ext --intnet2 "n-dmz" +VBoxManage modifyvm r-ext --nictype2 82540EM +VBoxManage modifyvm r-ext --cableconnected2 on +VBoxManage modifyvm r-ext --nicpromisc2 allow-all + +VBoxManage modifyvm r-ext --nic3 bridged +VBoxManage modifyvm r-ext --bridgeadapter3 "enp0s3" +VBoxManage modifyvm r-ext --nictype3 82540EM +VBoxManage modifyvm r-ext --cableconnected3 on +VBoxManage modifyvm r-ext --nicpromisc3 allow-all + +VBoxManage modifyvm r-ext --nic4 intnet +VBoxManage modifyvm r-ext --intnet4 "n-linkv" +VBoxManage modifyvm r-ext --nictype4 82540EM +VBoxManage modifyvm r-ext --cableconnected4 on +VBoxManage modifyvm r-ext --nicpromisc4 allow-all + +VBoxManage modifyvm r-ext --nic5 intnet +VBoxManage modifyvm r-ext --intnet5 "n-link" +VBoxManage modifyvm r-ext --nictype5 82540EM +VBoxManage modifyvm r-ext --cableconnected5 on +VBoxManage modifyvm r-ext --nicpromisc5 allow-all diff --git a/scripts/Windows/addint-r-int.bat b/scripts/Windows/addint-r-int.bat new file mode 100644 index 0000000..cefd634 --- /dev/null +++ b/scripts/Windows/addint-r-int.bat @@ -0,0 +1,33 @@ +cd C:\Program Files\Oracle\VirtualBox + +VBoxManage modifyvm r-int --nic1 intnet +VBoxManage modifyvm r-int --intnet1 "n-adm" +VBoxManage modifyvm r-int --nictype1 82540EM +VBoxManage modifyvm r-int --cableconnected1 on +VBoxManage modifyvm r-int --nicpromisc1 allow-all + +VBoxManage modifyvm r-int --nic2 intnet +VBoxManage modifyvm r-int --intnet2 "n-link" +VBoxManage modifyvm r-int --nictype2 82540EM +VBoxManage modifyvm r-int --cableconnected2 on +VBoxManage modifyvm r-int --nicpromisc2 allow-all + +VBoxManage modifyvm r-int --nic3 intnet +VBoxManage modifyvm r-int --intnet3 "n-wifi" +VBoxManage modifyvm r-int --nictype3 82540EM +VBoxManage modifyvm r-int --cableconnected3 on +VBoxManage modifyvm r-int --nicpromisc3 allow-all + +VBoxManage modifyvm r-int --nic4 intnet +VBoxManage modifyvm r-int --intnet4 "n-user" +VBoxManage modifyvm r-int --nictype4 82540EM +VBoxManage modifyvm r-int --cableconnected4 on +VBoxManage modifyvm r-int --nicpromisc4 allow-all + +VBoxManage modifyvm r-int --nic5 intnet +VBoxManage modifyvm r-int --intnet5 "n-infra" +VBoxManage modifyvm r-int --nictype5 82540EM +VBoxManage modifyvm r-int --cableconnected5 on +VBoxManage modifyvm r-int --nicpromisc5 allow-all + + diff --git a/scripts/addint.r-ext b/scripts/addint.r-ext new file mode 100755 index 0000000..e2d5e96 --- /dev/null +++ b/scripts/addint.r-ext @@ -0,0 +1,42 @@ +#!/bin/bash +nom=r-ext + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "eno1" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all + +# N-linkv (enp0s10) + +VBoxManage modifyvm $nom --nic4 intnet +VBoxManage modifyvm $nom --intnet4 "n-linkv" +VBoxManage modifyvm $nom --nictype4 82540EM +VBoxManage modifyvm $nom --cableconnected4 on +VBoxManage modifyvm $nom --nicpromisc4 allow-all + +# N-link (enp0s16) + +VBoxManage modifyvm $nom --nic5 intnet +VBoxManage modifyvm $nom --intnet5 "n-link" +VBoxManage modifyvm $nom --nictype5 82540EM +VBoxManage modifyvm $nom --cableconnected5 on +VBoxManage modifyvm $nom --nicpromisc5 allow-all diff --git a/scripts/addint.r-int b/scripts/addint.r-int new file mode 100755 index 0000000..720fdd7 --- /dev/null +++ b/scripts/addint.r-int @@ -0,0 +1,41 @@ +#!/bin/bash +nom=r-int + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all +# N-link (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-link" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-wifi (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-wifi" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all + +# N-user (enp0s10) + +VBoxManage modifyvm $nom --nic4 intnet +VBoxManage modifyvm $nom --intnet4 "n-user" +VBoxManage modifyvm $nom --nictype4 82540EM +VBoxManage modifyvm $nom --cableconnected4 on +VBoxManage modifyvm $nom --nicpromisc4 allow-all + +# N-infra (enp0s16) + +VBoxManage modifyvm $nom --nic5 intnet +VBoxManage modifyvm $nom --intnet5 "n-infra" +VBoxManage modifyvm $nom --nictype5 82540EM +VBoxManage modifyvm $nom --cableconnected5 on +VBoxManage modifyvm $nom --nicpromisc5 allow-all diff --git a/scripts/addint.r-vp1 b/scripts/addint.r-vp1 new file mode 100755 index 0000000..0ddbb3e --- /dev/null +++ b/scripts/addint.r-vp1 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=r-vp1 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-linkv (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-linkv" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "enp11s0f0" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.r-vp2 b/scripts/addint.r-vp2 new file mode 100755 index 0000000..67a1453 --- /dev/null +++ b/scripts/addint.r-vp2 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=r-vp2 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-linkv (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-agence" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "enp11s0f0" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-adm b/scripts/addint.s-adm new file mode 100755 index 0000000..da6c9de --- /dev/null +++ b/scripts/addint.s-adm @@ -0,0 +1,16 @@ +#!/bin/bash +nom=s-adm + +VBoxManage modifyvm $nom --nic1 bridged +VBoxManage modifyvm $nom --bridgeadapter1 "eno1" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +#(enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-adm" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all \ No newline at end of file diff --git a/scripts/addint.s-infra b/scripts/addint.s-infra new file mode 100755 index 0000000..3cf7d32 --- /dev/null +++ b/scripts/addint.s-infra @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-infra + +#(enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +#(enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-infra" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-lb b/scripts/addint.s-lb new file mode 100755 index 0000000..b90a5a2 --- /dev/null +++ b/scripts/addint.s-lb @@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-lb (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-bd b/scripts/addint.s-lb-bd new file mode 100755 index 0000000..325f6b9 --- /dev/null +++ b/scripts/addint.s-lb-bd @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-lb-bd + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-db (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-db" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-lb-web1 b/scripts/addint.s-lb-web1 new file mode 100755 index 0000000..afb7269 --- /dev/null +++ b/scripts/addint.s-lb-web1 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web1 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-web2 b/scripts/addint.s-lb-web2 new file mode 100755 index 0000000..13605fc --- /dev/null +++ b/scripts/addint.s-lb-web2 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web2 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-web3 b/scripts/addint.s-lb-web3 new file mode 100755 index 0000000..2d29eb6 --- /dev/null +++ b/scripts/addint.s-lb-web3 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web3 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-mon-kb b/scripts/addint.s-mon-kb new file mode 100755 index 0000000..be39c26 --- /dev/null +++ b/scripts/addint.s-mon-kb @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-mon-kb + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-infra (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-infra" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-nas b/scripts/addint.s-nas new file mode 100755 index 0000000..ae4584b --- /dev/null +++ b/scripts/addint.s-nas @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-nas + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-db (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-db" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/getall-2019 b/scripts/getall-2019 new file mode 100644 index 0000000..b37a753 --- /dev/null +++ b/scripts/getall-2019 @@ -0,0 +1,16 @@ +#!/bin/bash +GLPIREL=9.3.3 +wget -nc https://github.com/glpi-project/glpi/releases/download/$GLPIREL/glpi-$GLPIREL.tgz + +wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.3%2B1.2/fusioninventory-9.3+1.2.tar.gz + +FIAGREL=2.4.2 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/$FIAGREL/fusioninventory-agent_windows-x64_$FIAGREL.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/$FIAGREL/fusioninventory-agent_windows-x86_$FIAGREL.exe + +FOGREL=1.5.5 +wget -nc https://github.com/FOGProject/fogproject/archive/$FOGREL.tar.gz -O fogproject-$FOGREL.tar.gz + +#wget -nc https://fr.wordpress.org/wordpress-4.9.1-fr_FR.tar.gz +wget -nc https://fr.wordpress.org/wordpress-5.0.3-fr_FR.tar.gz diff --git a/scripts/lb-http.bash b/scripts/lb-http.bash new file mode 100644 index 0000000..019b660 --- /dev/null +++ b/scripts/lb-http.bash @@ -0,0 +1,6 @@ +#!/bin/bash + +while [ 1 ] +do + curl --max-time 1 192.168.100.10/wordpress/ +done \ No newline at end of file diff --git a/scripts/mkvm b/scripts/mkvm new file mode 100755 index 0000000..32e9f0c --- /dev/null +++ b/scripts/mkvm @@ -0,0 +1,96 @@ +#!/bin/bash + +ovarelease="2022b" +ovafile="$HOME/Téléchargements/debian-bullseye-gsb-${ovarelease}.ova" + + +usage () { + echo "$0 : creation VM et parametrage interfaces" + echo "usage : $0 " + exit 1 +} + +create_vm () { + nom=$1 + if [[ ! -r "${ovafile}" ]]; then + echo "$0 : erreur ouverture fichier ${ovafile} ..." + exit 3 + fi + vboxmanage import "${ovafile}" --vsys 0 --vmname "${nom}" +} + +setif () { + + VBoxManage modifyvm $1 --nic${2} intnet + VBoxManage modifyvm $1 --intnet${2} $3 + VBoxManage modifyvm $1 --nictype${2} 82540EM + VBoxManage modifyvm $1 --cableconnected${2} on + VBoxManage modifyvm $1 --nicpromisc${2} allow-all +} + +create_if () { +# enp0s3 + setif $1 1 $2 + setif $1 2 $3 +#(enp0s8) +} + + +vm=$1 + +create_vm "${vm}" +if [[ "${vm}" == "s-infra" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-proxy" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "r-int" ]] ; then +# n-adm, n-link, n-wifi, n-user, n-infra + create_if "${vm}" "n-adm" "n-infra" + setif "${vm}" 2 "n-link" + setif "${vm}" 3 "n-wifi" + setif "${vm}" 4 "n-user" + setif "${vm}" 5 "n-infra" +elif [[ "${vm}" == "r-ext" ]] ; then + ./addint.r-ext +elif [[ "${vm}" == "s-mon" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-appli" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-backup" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-itil" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-nxc" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-fog" ]] ; then + create_if "${vm}" "n-adm" "n-infra" + setif "${vm}" 3 "n-user" +elif [[ "${vm}" == "s-DNS-ext" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" +elif [[ "${vm}" == "s-web-ext" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" +elif [[ "${vm}" == "s-lb" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" "n-dmz-lb" +elif [[ "${vm}" == "s-web1" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-lb" "n-dmz-db" +# setif "${vm}" 3 "n-dmz-lb" +elif [[ "${vm}" == "s-web2" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-lb" "n-dmz-db" +elif [[ "${vm}" == "s-web3" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-lb" "n-dmz-db" + # setif "${vm}" 3 "n-dmz-lb" +elif [[ "${vm}" == "s-lb-bd" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-db" +elif [[ "${vm}" == "s-nas" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-db" +elif [[ "${vm}" == "r-vp1" ]] ; then + ./addint.r-vp1 +elif [[ "${vm}" == "r-vp2" ]] ; then + ./addint.r-vp2 +elif [[ "${vm}" == "s-agence" ]] ; then + create_if "${vm}" "n-adm" "n-agence" + +else + echo "$0 : vm ${vm} non prevu" + exit 2 +fi diff --git a/scripts/recup-s-lb.bash b/scripts/recup-s-lb.bash new file mode 100644 index 0000000..08323c9 --- /dev/null +++ b/scripts/recup-s-lb.bash @@ -0,0 +1,4 @@ +#!/bin/bash +while [ 1 ]; do +wget index.html http://192.168.100.10 +done diff --git a/snmp.yml b/snmp.yml new file mode 100644 index 0000000..dea70ef --- /dev/null +++ b/snmp.yml @@ -0,0 +1,7 @@ +--- +- hosts: localhost + connection: local + + roles: + - snmp-agent + diff --git a/sv/postfix/README.md b/sv/postfix/README.md new file mode 100644 index 0000000..a2785d2 --- /dev/null +++ b/sv/postfix/README.md @@ -0,0 +1,40 @@ +# Post-installation de Postfix + +Entrer votre adresse mail et votre mot de passe dans le fichier /etc/postfix/sasl_passwd + +``` + +nano /etc/postfix/sasl_passwd + +[smpt.gmail.com]:587 votreadresse@domaine.fr:motdepasse + +``` + +Entrer votre addresse mail dans le fichier /etc/icinga/objects/contacts_icinga.cfg + +``` + +nano /etc/icinga/objects/contacts_icinga.cfg + +define contact... + +email votreadresse@domaine.fr + +``` +Lancer la commande suivante pour prendre en compte la modification: + +``` + +/usr/sbin/postmap /etc/postfix/sasl_passwd + +``` + +Activer l'**Accès moins sécurisé des applications** depuis son compte google + +Désactiver un service puis vérifier ses mails (attendre 5 minutes entre chaque test) + +``` + +tail -f /var/log/icinga/icinga.log pour vérifier l'envoi de l'email + +``` diff --git a/sv/postfix/files/main.cf b/sv/postfix/files/main.cf new file mode 100644 index 0000000..8b2bf4f --- /dev/null +++ b/sv/postfix/files/main.cf @@ -0,0 +1,50 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +#smtpd_use_tls=yes +#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +mydomain = gsb.lan +myhostname = s-mon.gsb.lan +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = $myhostname, s-mon, s-mon.gsb.lan +relayhost = [smtp.gmail.com]:587 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/24 +#mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = ipv4 +default_transport = smtp +relay_transport = smtp + +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt +smtp_use_tls = yes + diff --git a/sv/postfix/files/sasl_passwd b/sv/postfix/files/sasl_passwd new file mode 100644 index 0000000..db077bd --- /dev/null +++ b/sv/postfix/files/sasl_passwd @@ -0,0 +1 @@ +[smtp.gmail.com]:587 supervisiongsb@gmail.com:sio2018cst diff --git a/sv/postfix/files/thawte_Premium_Server_CA.pem b/sv/postfix/files/thawte_Premium_Server_CA.pem new file mode 100644 index 0000000..29cf7e1 --- /dev/null +++ b/sv/postfix/files/thawte_Premium_Server_CA.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhkiG9w0BAQUFADCB +zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ +Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE +CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh +d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl +cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIxMDEwMTIzNTk1OVow +gc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcT +CUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNV +BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRo +YXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1z +ZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2 +aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560 +ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j ++ao6hnO2RlNYyIkFvYMRuHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBlkKyID1bZ5jA01CbH0FDxkt5r1DmI +CSLGpmODA/eZd9iy5Ri4XWPz1HP7bJyZePFLeH0ZJMMrAoT4vCLZiiLXoPxx7JGH +IPG47LHlVYCsPVLIOQ7C8MAFT9aCdYy9X9LcdpoFEsmvcsPcJX6kTY4XpeCHf+Ga +WuFg3GQjPEIuTQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/sv/postfix/handlers/main.yml b/sv/postfix/handlers/main.yml new file mode 100644 index 0000000..84e69de --- /dev/null +++ b/sv/postfix/handlers/main.yml @@ -0,0 +1,5 @@ +--- + - name: restart postfix + service: + name: postfix + state: restarted diff --git a/sv/postfix/tasks/main.yml b/sv/postfix/tasks/main.yml new file mode 100644 index 0000000..e1c6fe8 --- /dev/null +++ b/sv/postfix/tasks/main.yml @@ -0,0 +1,28 @@ +- name: Installation de postfix et de mailutils + tags: install postfix + apt: + name: + - postfix + - mailutils + state: latest + +- name: Copie du fichier sasl_passwd + tags: sasl_passwd + copy: + src: sasl_passwd + dest: /etc/postfix/sasl/ + +- name: Copie du fichier main.cf + tags: main.cf + template: + src: main.cf.j2 + dest: /etc/postfix.main.cf + +- name: Commande postmap + tags: postmap + command: postmap /etc/postfix/sasl/sasl_passwd + notify: restart postfix + +- name: message d'information pour gmail + tags: msg2 + debug: msg="Il faut activer les applications moins sécurisées sur le compte google" \ No newline at end of file diff --git a/tests/s-infra.test b/tests/s-infra.test new file mode 100755 index 0000000..f35a313 --- /dev/null +++ b/tests/s-infra.test @@ -0,0 +1,24 @@ +#!/bin/bash + +# Tests resolution directe dans gsb.lan nom court +host s-infra +host s-mon + +# Tests resolution directe nom long +host s-infra.gsb.lan +host s-mon.gsb.lan + +# Tests resolution inverse +host 172.16.0.2 +host 172.16.0.9 + +# Tests resolution hors zone +host lemonde.fr +host free.fr + +# Tests de connectivite +ping -c 2 172.16.0.254 +ping -c 2 s-adm.gsb.adm + +# Test wpad +curl wpad/wpad.dat diff --git a/tests/s-proxy.test b/tests/s-proxy.test new file mode 100755 index 0000000..a3bdbe3 --- /dev/null +++ b/tests/s-proxy.test @@ -0,0 +1,17 @@ +#!/bin/bash + +# Test wpad +curl wpad/wpad.dat + +# Verification ouverture port 8080 +netstat -ln|grep 8080 + +# Affichage access.log +tail -5 /var/log/squid3/access.log + +# Affichage cache.log +tail /var/log/squid3/cache.log + + +# Affichage curl +curl s-proxy:8080 diff --git a/user-yb.yml b/user-yb.yml new file mode 100644 index 0000000..5c50af5 --- /dev/null +++ b/user-yb.yml @@ -0,0 +1,9 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - syslog-cli + - post + - db-user diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile new file mode 100644 index 0000000..9c4280a --- /dev/null +++ b/vagrant/Vagrantfile @@ -0,0 +1,22 @@ +Vagrant.configure("2") do |config| + + config.vm.define "s-adm" do |sadm| + sadm.vm.box = "bento/debian-10.7" + sadm.vm.hostname = 's-adm' + sadm.vm.network :public_network, ip: "dhcp" + sadm.vm.network :private_network, ip: "192.168.99.99", mask: "24" + + config.vm.provider :virtualbox do |v| + v.memory = 512 +# v.cpus = 2 + end + end + + config.vm.define "s-infra" do |v| + v.vm.box = "bento/debian-10.7" + v.vm.hostname = 's-infra' + v.vm.network :private_network, ip: "192.168.99.1", mask: "24" + v.vm.network :private_network, ip: "172.16.0.1", mask: "24" + end +end + diff --git a/windows/README.md b/windows/README.md new file mode 100644 index 0000000..1c3b17a --- /dev/null +++ b/windows/README.md @@ -0,0 +1,15 @@ +# Création des dossiers partagés et des utilisateur + +Les fichiers .cmd lancer sur la machine s-win permet de créer les utilisateur, leurs mettres +droits et créer des dossiers partagés. + +le fichier mkusr.cmd permet de créer un autre utiliateur avec les mêmes droits que les autres. + +# Utilisation des comptes utilisateurs + +Pour vous connecter au serveurs DNS s-win il faut créer un machine dans le réseau n-user et que +cette machine puisse ping le serveur. + +Après il suffit de changer le domaine de cette machine et la redémarrer. + +suite à ça, connecter vous avec les identifiants d'un utilisateurs. diff --git a/windows/gsb-dossiers.cmd b/windows/gsb-dossiers.cmd new file mode 100644 index 0000000..dfbc281 --- /dev/null +++ b/windows/gsb-dossiers.cmd @@ -0,0 +1,15 @@ +mkdir C:\gsb\partages +cd C:\gsb\partages +mkdir compta +mkdir ventes +mkdir public +cd C:\gsb +mkdir users + + +for %%g in (gg-compta gg-ventes) do net group %%g /add + +net share compta=C:\gsb\partages\compta /grant:"Utilisateurs du domaine":FULL +net share ventes=C:\gsb\partages\ventes /grant:"Utilisateurs du domaine":FULL +net share commun=C:\gsb\partages\commun /grant:"Utilisateurs du domaine":FULL +net share public=C:\gsb\partages\public /grant:"Utilisateurs du domaine":FULL \ No newline at end of file diff --git a/windows/mkusr-compta.cmd b/windows/mkusr-compta.cmd new file mode 100644 index 0000000..00c956d --- /dev/null +++ b/windows/mkusr-compta.cmd @@ -0,0 +1,4 @@ +call mkusr aDupont "Albert Dupon" gg-compta +call mkusr cSeum "Claire Seum" gg-compta +call mkusr nPaul "Nicolas Paul" gg-compta +call mkusr atour "Alexandre Tour" gg-compta diff --git a/windows/mkusr-ventes.cmd b/windows/mkusr-ventes.cmd new file mode 100644 index 0000000..4ff36aa --- /dev/null +++ b/windows/mkusr-ventes.cmd @@ -0,0 +1,5 @@ +@echo off +call mkusr aDeloin "Alain Deloin" gg-ventes +call mkusr sDel "Simon del" gg-ventes +call mkusr aSalet "alfred Salet" gg-ventes +call mkusr tInio "Thomas Inio" gg-ventes \ No newline at end of file diff --git a/windows/mkusr.cmd b/windows/mkusr.cmd new file mode 100644 index 0000000..75fb801 --- /dev/null +++ b/windows/mkusr.cmd @@ -0,0 +1,7 @@ +@echo off +echo Creation de %1 - %2 +mkdir C:\gsb\users\%1 +net user %1 Azerty1+ /fullname:%2 /homedir:\\cd\%1$ /ScriptPath:%3.cmd /add +net share %1$=C:\gsb\users\%1 +icacls "C:\gsb\users\%1" /Grant:r %1:M /T +net group %3 %1 /add \ No newline at end of file