revert changes to squid - now broken out as #718

sjpb · sjpb · commit 4cc447b9cd89 · 2025-06-24T15:46:15.000Z
no-checks: true

# Please enter the commit message for your changes. Lines starting
# with '#' will be kept; you may remove them yourself if you want to.
# An empty message aborts the commit.
#
# Date:      Tue Jun 24 15:30:50 2025 +0000
#
# On branch feat/isolated-env-2
# Your branch is ahead of 'origin/feat/isolated-env-2' by 1 commit.
#   (use "git push" to publish your local commits)
#
# Changes to be committed:
#	modified:   ansible/roles/squid/README.md
#	modified:   ansible/roles/squid/defaults/main.yml
#	modified:   ansible/roles/squid/templates/squid.conf.j2
#
# Changes not staged for commit:
#	modified:   ansible/slurm.yml
#	modified:   environments/.stackhpc/hooks/pre.yml
#	modified:   environments/.stackhpc/inventory/group_vars/all/bastion.yml
#	modified:   environments/.stackhpc/tofu/SMS.tfvars
#	modified:   environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
#	modified:   environments/.stackhpc/tofu/main.tf
#
# Untracked files:
#	NOTES-feat-isolated-env.md
#	NOTES.md
#	activate
#	ansible/image-pull.yml
#	ansible/roles/basic_users/filter_plugins/__pycache__/
#	environments/.stackhpc/SMS-steveb.pkrvars.hcl
#	environments/.stackhpc/inventory/group_vars/all/squid.yml.orig
#	environments/.stackhpc/inventory/group_vars/all/steveb_ark.yml
#	environments/.stackhpc/inventory/hosts.yml
#	environments/.stackhpc/inventory/network_groups
#	environments/.stackhpc/tofu/SMS-NO-GATEWAY.tfvars
#	environments/.stackhpc/tofu/cluster_name.auto.tfvars
#	packer/sms-build.sh
#
diff --git a/ansible/roles/squid/README.md b/ansible/roles/squid/README.md
@@ -20,15 +20,20 @@ Where noted these map to squid parameters of the same name without the `squid_`
 - `squid_maximum_object_size_in_memory`: Optional str. Upper size limit for objects in memory cache, default '64 MB'. See squid parameter.
 - `squid_maximum_object_size`: Optional str. Upper size limit for objects in disk cache, default '200 MB'. See squid parameter.
 - `squid_http_port`: Optional str. Socket addresses to listen for client requests, default '3128'. See squid parameter.
-- `squid_acls`: Optional list of strs. Define access lists. Default: `['acl anywhere src all']`, i.e. allow connection from anywhere, relying on OpenStack security groups (or other firewall if deployed). See squid parameter `acl`. NB: The default template also defines acls for `SSL_ports` and `Safe_ports` as is common practice.
-- `squid_http_access`: Optional str, can be multiline. Allow/deny access based on access lists. The default will:
-  - Deny requests to certain unsafe ports (see `squid.conf.j2`)
-  - Deny CONNECT to other than secure SSL ports
-  - Only allow cachemgr access from localhost
-  - Allow access for all ACLs defined in `squid_acls`
-  - Allow access for localhost
-  - Deny all other access
+- `squid_acls`: Optional str, can be multiline. Define access lists. Default `acl anywhere src all`, i.e. rely on OpenStack security groups (or other firewall if deployed). See squid parameter `acl`. NB: The default template also defines acls for `SSL_ports` and `Safe_ports` as is common practice.
+- `squid_http_access`: Optional str, can be multiline. Allow/deny access based on access lists. Default:
 
+        # Deny requests to certain unsafe ports
+        http_access deny !Safe_ports
+        # Deny CONNECT to other than secure SSL ports
+        http_access deny CONNECT !SSL_ports
+        # Only allow cachemgr access from localhost
+        http_access allow localhost manager
+        http_access deny manager
+        # Rules allowing http access
+        http_access allow anywhere
+        http_access allow localhost
+        # Finally deny all other access to this proxy
+        http_access deny all
+        
   See squid parameter.
-
-- `squid_auth_param`: Optional str, can be multiline. Parameters for authentication schemes. Default empty string.
diff --git a/ansible/roles/squid/defaults/main.yml b/ansible/roles/squid/defaults/main.yml
@@ -8,8 +8,7 @@ squid_cache_disk: "{{ undef(hint='squid_cache_disk (in MB) required, e.g. \"1024
 squid_maximum_object_size_in_memory: '64 MB'
 squid_maximum_object_size: '200 MB'
 squid_http_port: 3128
-squid_acls:
-  - acl anywhere src all # rely on openstack security groups
+squid_acls: acl anywhere src all # rely on openstack security groups
 squid_http_access: |
   # Deny requests to certain unsafe ports
   http_access deny !Safe_ports
@@ -19,10 +18,7 @@ squid_http_access: |
   http_access allow localhost manager
   http_access deny manager
   # Rules allowing http access
-  {% for acl in squid_acls %}
-  http_access allow {{ (acl | split)[1] }}
-  {% endfor %}
+  http_access allow anywhere
   http_access allow localhost
   # Finally deny all other access to this proxy
   http_access deny all
-squid_auth_param: ''
diff --git a/ansible/roles/squid/templates/squid.conf.j2 b/ansible/roles/squid/templates/squid.conf.j2
@@ -4,14 +4,8 @@
 # - https://github.com/drosskopp/squid-cache/blob/main/squid.conf
 #
 
-# Configure authentication parameters
-# NB: required before ACL definitions using them
-{{ squid_auth_param }}
-
 # Define ACLs:
-{% for acl in squid_acls %}
-{{ acl }}
-{% endfor %}
+{{ squid_acls }}
 
 acl SSL_ports port 443
 acl Safe_ports port 80		# http
