defaults/main.yml

---
# defaults file for ansible-squid

# Example of DNS server to query
# squid_dns_nameservers: 127.0.0.1

# squid auth parameters
squid_auth_param: []
# - name: basic
#   type: program
#   arg: /usr/lib/squid3/basic_ncsa_auth /etc/squid/htpasswd
# - name: basic
#   type: realm
#   arg: Authentication REQUIRED

# acl aclname acltype argument
squid_acl:
  - name: SSL_ports
    type: port
    arg: 443
  - name: CONNECT
    type: method
    arg: CONNECT

# Adapt to list your (internal) IP networks from where browsing
# should be allowed
squid_acl_localnet:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16

squid_acl_safeports:
  - port: 21
    comment: ftp
  - port: 70
    comment: gopher
  - port: 80
    comment: http
  - port: 210
    comment: wais
  - port: 280
    comment: http-mgmt
  - port: 443
    comment: https
  - port: 488
    comment: gss-http
  - port: 591
    comment: filemaker
  - port: 777
    comment: multiling http
  - port: 1025-65535
    comment: unregistered ports

# Defines squid peers to sync with
# #do not enter FQDN...It will be added
squid_cache_peer:
  []
  # # do not enter FQDN...hostname only
  # - host: squid-1
  #   #enter domain name for hostname above
  #   domain: "{{ squid_pri_domain_name }}"
  #   type: sibling
  #   proxy_port: "{{ squid_http_port }}"
  #   icp_port: "{{ squid_icp_port }}"
  #   options: default
  #   # do not enter FQDN...hostname only
  # - host: squid-2
  #   # enter domain name for hostname above
  #   domain: "{{ squid_pri_domain_name }}"
  #   type: sibling
  #   proxy_port: "{{ squid_http_port }}"
  #   icp_port: "{{ squid_icp_port }}"
  #   options: default

squid_cache_peering: false

squid_http_access:
  - action: deny
    acl:
      - "!Safe_ports"
  - action: deny
    acl:
      - CONNECT
      - "!SSL_ports"
  - action: allow
    acl:
      - localhost
      - manager
  - action: deny
    acl:
      - manager
  - action: allow
    acl:
      - localhost
  - action: allow
    acl:
      - localnet
  - action: deny
    acl:
      - all

squid_http_port: 3128

# Define if squid should listen over HTTPS, as well as certificate files to be used
# NOTE: If you plan to enable it, you're supposed to generate certificates by yourself
#       and place it in the appropriate directory.
#       As a suggestion, you could use a selfsigned certificate if proxy will listen'
#       on a private IP, or use a automated script (like certbot) to generate valid
#       public certificate.
squid_https_enabled: false
squid_https_port: 3129
squid_cert_filename: /etc/squid/cert.pem
squid_key_filename: /etc/squid/cert.key

squid_icp_access: all

squid_icp_port: 3130

# Define primary domain name
squid_pri_domain_name: example.org

squid_refresh_patterns:
  - regex: "^ftp:"
    min: 1440
    percent: 20%
    max: 10080
  - regex: "^gopher:"
    min: 1440
    percent: 0%
    max: 1440
  - regex: -i (/cgi-bin/|\?)
    min: 0
    percent: 0%
    max: 0
  - regex: (Release|Packages(.gz)*)$
    min: 0
    percent: 20%
    max: 2880
  # - regex: (\.deb|\.udeb)$
  #   min: 129600
  #   percent: 100%
  #   max: 129600
  - regex: .
    min: 0
    percent: 20%
    max: 4320

# Defines if squid should function in transparent mode
squid_transparent_proxy: false

# Defines if squid transparent should configure ferm firewall for masquerading
squid_transparent_proxy_ferm: false

# Defines how much time squid should wait before reboot
squid_shutdown_lifetime: 30 seconds

# Defines if squid version might be suppressed on error messages
squid_suppress_version: true

# Supply extra configuration - eg lists of domains or IPs
# These are templated so can be populated with values from Ansible
# NOTE: If this you override this you need to re-specify this entry
squid_config_files:
  - name: squid.conf
    source: etc/squid/squid.conf.j2