Add support for allow- and deny-lists
This commit is contained in:
Julio Castillo
@@ -8,7 +8,7 @@ The resulting `cloud-config` can be customized in a number of ways:
|
||||
- additional files (e.g. additional acls) can be passed in via the `files` variable
|
||||
- a completely custom `cloud-config` can be passed in via the `cloud_config` variable, and additional template variables can be passed in via `config_variables`
|
||||
|
||||
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128.
|
||||
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules.
|
||||
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the Squid container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
|
||||
@@ -61,15 +61,17 @@ module "cos-squid" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| *clients* | List of CIDRs from which Squid will allow connections | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *allow* | List of domains Squid will allow connections to. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *clients* | List of CIDR ranges from which Squid will allow connections. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *cloud_config* | Cloud config template path. If null default will be used. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *config_variables* | Additional variables used to render the cloud-config and Squid templates. | <code title="map(any)">map(any)</code> | | <code title="">{}</code> |
|
||||
| *default_action* | Default action for domains not matching neither the allow or deny lists | <code title="">string</code> | | <code title="deny validation { condition = var.default_action == "deny" || var.default_action == "allow" error_message = "Default action must be allow or deny." }">...</code> |
|
||||
| *deny* | List of domains Squid will deny connections to. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *file_defaults* | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({...})</code> | | <code title="{ owner = "root" permissions = "0644" }">...</code> |
|
||||
| *files* | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *squid_config* | Squid configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({...})</code> | | <code title="">null</code> |
|
||||
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({...})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">...</code> |
|
||||
| *whitelist* | List of domains Squid will allow connections to | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -39,11 +39,17 @@ write_files:
|
||||
content: |
|
||||
${indent(6, squid_config)}
|
||||
|
||||
- path: /etc/squid/whitelist.txt
|
||||
- path: /etc/squid/allowlist.txt
|
||||
permissions: 0644
|
||||
owner: root
|
||||
content: |
|
||||
${indent(6, join("\n", whitelist))}
|
||||
${indent(6, join("\n", allow))}
|
||||
|
||||
- path: /etc/squid/denylist.txt
|
||||
permissions: 0644
|
||||
owner: root
|
||||
content: |
|
||||
${indent(6, join("\n", deny))}
|
||||
|
||||
- path: /etc/squid/clients.txt
|
||||
permissions: 0644
|
||||
|
||||
@@ -39,7 +39,9 @@ locals {
|
||||
: var.cloud_config
|
||||
)
|
||||
config_variables = merge(var.config_variables, {
|
||||
whitelist = var.whitelist
|
||||
clients = var.clients
|
||||
allow = var.allow
|
||||
deny = var.deny
|
||||
clients = var.clients
|
||||
default_action = var.default_action
|
||||
})
|
||||
}
|
||||
|
||||
@@ -8,12 +8,16 @@ acl ssl_ports port 443
|
||||
acl safe_ports port 80
|
||||
acl safe_ports port 443
|
||||
acl CONNECT method CONNECT
|
||||
acl to_metadata dst 169.254.169.254
|
||||
|
||||
# read clientd cidr from clients.txt
|
||||
# read client CIDR ranges from clients.txt
|
||||
acl clients src "/etc/squid/clients.txt"
|
||||
|
||||
# read whitelisted domains from whitelist.txt
|
||||
acl whitelist dstdomain "/etc/squid/whitelist.txt"
|
||||
# read allowed domains from allowlist.txt
|
||||
acl allowlist dstdomain "/etc/squid/allowlist.txt"
|
||||
|
||||
# read denied domains from denylist.txt
|
||||
acl denylist dstdomain "/etc/squid/denylist.txt"
|
||||
|
||||
# deny access to anything other than ports 80 and 443
|
||||
http_access deny !safe_ports
|
||||
@@ -24,11 +28,17 @@ http_access deny CONNECT !ssl_ports
|
||||
# deny acccess to cachemgr
|
||||
http_access deny manager
|
||||
|
||||
# deny access to localhost though the proxy
|
||||
# deny access to localhost through the proxy
|
||||
http_access deny to_localhost
|
||||
|
||||
# allow connection from allowed clients only to the whitelisted domains
|
||||
http_access allow clients whitelist
|
||||
# deny access to the local metadata server through the proxy
|
||||
http_access deny to_metadata
|
||||
|
||||
# deny connection from allowed clients to any denied domains
|
||||
http_access deny clients denylist
|
||||
|
||||
# allow connection from allowed clients only to the allowed domains
|
||||
http_access allow clients allowlist
|
||||
|
||||
# deny everything else
|
||||
http_access deny all
|
||||
http_access ${default_action} all
|
||||
|
||||
@@ -54,14 +54,30 @@ variable "files" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "whitelist" {
|
||||
description = "List of domains Squid will allow connections to"
|
||||
variable "allow" {
|
||||
description = "List of domains Squid will allow connections to."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "deny" {
|
||||
description = "List of domains Squid will deny connections to."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "clients" {
|
||||
description = "List of CIDRs from which Squid will allow connections"
|
||||
description = "List of CIDR ranges from which Squid will allow connections."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "default_action" {
|
||||
description = "Default action for domains not matching neither the allow or deny lists"
|
||||
type = string
|
||||
default = "deny"
|
||||
validation {
|
||||
condition = var.default_action == "deny" || var.default_action == "allow"
|
||||
error_message = "Default action must be allow or deny."
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user