diff --git a/modules/cloud-config-container/squid/README.md b/modules/cloud-config-container/squid/README.md
index be982fb99..e74ac26cc 100644
--- a/modules/cloud-config-container/squid/README.md
+++ b/modules/cloud-config-container/squid/README.md
@@ -8,7 +8,7 @@ The resulting `cloud-config` can be customized in a number of ways:
- additional files (e.g. additional acls) can be passed in via the `files` variable
- a completely custom `cloud-config` can be passed in via the `cloud_config` variable, and additional template variables can be passed in via `config_variables`
-The default instance configuration inserts iptables rules to allow traffic on TCP port 3128.
+The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules.
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the Squid container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
@@ -61,15 +61,17 @@ module "cos-squid" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
-| *clients* | List of CIDRs from which Squid will allow connections | list(string) | | [] |
+| *allow* | List of domains Squid will allow connections to. | list(string) | | [] |
+| *clients* | List of CIDR ranges from which Squid will allow connections. | list(string) | | [] |
| *cloud_config* | Cloud config template path. If null default will be used. | string | | null |
| *config_variables* | Additional variables used to render the cloud-config and Squid templates. | map(any) | | {} |
+| *default_action* | Default action for domains not matching neither the allow or deny lists | string | | ... |
+| *deny* | List of domains Squid will deny connections to. | list(string) | | [] |
| *file_defaults* | Default owner and permissions for files. | object({...}) | | ... |
| *files* | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({...})) | | {} |
| *squid_config* | Squid configuration path, if null default will be used. | string | | null |
| *test_instance* | Test/development instance attributes, leave null to skip creation. | object({...}) | | null |
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({...}) | | ... |
-| *whitelist* | List of domains Squid will allow connections to | list(string) | | [] |
## Outputs
diff --git a/modules/cloud-config-container/squid/cloud-config.yaml b/modules/cloud-config-container/squid/cloud-config.yaml
index 484d213de..abd58a705 100644
--- a/modules/cloud-config-container/squid/cloud-config.yaml
+++ b/modules/cloud-config-container/squid/cloud-config.yaml
@@ -39,11 +39,17 @@ write_files:
content: |
${indent(6, squid_config)}
- - path: /etc/squid/whitelist.txt
+ - path: /etc/squid/allowlist.txt
permissions: 0644
owner: root
content: |
- ${indent(6, join("\n", whitelist))}
+ ${indent(6, join("\n", allow))}
+
+ - path: /etc/squid/denylist.txt
+ permissions: 0644
+ owner: root
+ content: |
+ ${indent(6, join("\n", deny))}
- path: /etc/squid/clients.txt
permissions: 0644
diff --git a/modules/cloud-config-container/squid/main.tf b/modules/cloud-config-container/squid/main.tf
index 2ef4ce52d..6805a7999 100644
--- a/modules/cloud-config-container/squid/main.tf
+++ b/modules/cloud-config-container/squid/main.tf
@@ -39,7 +39,9 @@ locals {
: var.cloud_config
)
config_variables = merge(var.config_variables, {
- whitelist = var.whitelist
- clients = var.clients
+ allow = var.allow
+ deny = var.deny
+ clients = var.clients
+ default_action = var.default_action
})
}
diff --git a/modules/cloud-config-container/squid/squid.conf b/modules/cloud-config-container/squid/squid.conf
index 2507c2204..b1c45fc8e 100644
--- a/modules/cloud-config-container/squid/squid.conf
+++ b/modules/cloud-config-container/squid/squid.conf
@@ -8,12 +8,16 @@ acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl CONNECT method CONNECT
+acl to_metadata dst 169.254.169.254
-# read clientd cidr from clients.txt
+# read client CIDR ranges from clients.txt
acl clients src "/etc/squid/clients.txt"
-# read whitelisted domains from whitelist.txt
-acl whitelist dstdomain "/etc/squid/whitelist.txt"
+# read allowed domains from allowlist.txt
+acl allowlist dstdomain "/etc/squid/allowlist.txt"
+
+# read denied domains from denylist.txt
+acl denylist dstdomain "/etc/squid/denylist.txt"
# deny access to anything other than ports 80 and 443
http_access deny !safe_ports
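Review bot: The new `acl to_metadata dst 169.254.169.254` line is the only ACL in this block without a comment saying what it matches, while the three file-backed ACLs around it each have one. Since `dst` compares the resolved destination address rather than the literal host in the request, requests that name the metadata server by a DNS alias are matched as well, which is worth stating so a reader does not assume only literal-IP requests are caught. Suggest `# GCE metadata server address; dst matches the resolved address, so DNS aliases are covered too` above the acl line.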
@@ -24,11 +28,17 @@ http_access deny CONNECT !ssl_ports
# deny acccess to cachemgr
http_access deny manager
-# deny access to localhost though the proxy
+# deny access to localhost through the proxy
http_access deny to_localhost
-# allow connection from allowed clients only to the whitelisted domains
-http_access allow clients whitelist
+# deny access to the local metadata server through the proxy
+http_access deny to_metadata
+
+# deny connection from allowed clients to any denied domains
+http_access deny clients denylist
+
+# allow connection from allowed clients only to the allowed domains
+http_access allow clients allowlist
# deny everything else
-http_access deny all
+http_access ${default_action} all
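Review bot: With `default_action = "allow"`, the final `http_access ${default_action} all` matches every source, not only the `clients` CIDRs, so the proxy becomes open to any host that can reach port 3128 (the README hunk notes iptables already admits that port); the rules above it only deny specific cases, and the sole allow rule is scoped to `clients allowlist`. The default action should be applied to the client list only and followed by an unconditional deny: `http_access ${default_action} clients` then `http_access deny all`. With `default_action = "deny"` the outcome is unchanged. A comment such as `# default action applies only to allowed clients; any other source is denied` would make the intent explicit.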
diff --git a/modules/cloud-config-container/squid/variables.tf b/modules/cloud-config-container/squid/variables.tf
index 67bd4d3b0..20c050848 100644
--- a/modules/cloud-config-container/squid/variables.tf
+++ b/modules/cloud-config-container/squid/variables.tf
@@ -54,14 +54,30 @@ variable "files" {
default = {}
}
-variable "whitelist" {
- description = "List of domains Squid will allow connections to"
+variable "allow" {
+ description = "List of domains Squid will allow connections to."
+ type = list(string)
+ default = []
+}
+
+variable "deny" {
+ description = "List of domains Squid will deny connections to."
type = list(string)
default = []
}
variable "clients" {
- description = "List of CIDRs from which Squid will allow connections"
+ description = "List of CIDR ranges from which Squid will allow connections."
type = list(string)
default = []
}
+
+variable "default_action" {
+ description = "Default action for domains not matching neither the allow or deny lists"
+ type = string
+ default = "deny"
+ validation {
+ condition = var.default_action == "deny" || var.default_action == "allow"
+ error_message = "Default action must be allow or deny."
+ }
+}
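Review bot: The `default_action` description `Default action for domains not matching neither the allow or deny lists` is a double negative that is also reproduced in the README table; suggest `Default action for domains matching neither the allow nor the deny list.` The validation could be written as `condition = contains(["allow", "deny"], var.default_action)` so the condition and the error message list the same values in one place. Separately, `allow` and `deny` entries are written verbatim, one per line, into Squid ACL files by cloud-config.yaml, so an entry containing whitespace would presumably be read by Squid as several tokens; a validation that entries contain no whitespace would surface that at plan time — worth confirming against Squid's list-file parsing.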