Switch from Varnish to Squid

Signed-off-by: Leo Puvilland <leo@craftcat.dev>
This commit is contained in:
Leo Puvilland 2023-12-05 18:08:01 -08:00
parent 0beee2770d
commit 9269704887
No known key found for this signature in database
GPG key ID: 20EA96682F9368EB
8 changed files with 100 additions and 46 deletions


@ -17,6 +17,8 @@
description: "Flatpak Cache"
appowners:
- leo
- kevin
- adamwill
tags:
- apply-appowners
@ -35,6 +37,24 @@
file: storage.yml
objectname: storage.yml
- role: openshift/secret-file
app: flatpak-cache
secret_name: flatpak-cache-ca
key: ca.crt
privatefile: "flatpak-cache-certs/{{env}}/pki/ca.crt"
- role: openshift/secret-file
app: flatpak-cache
secret_name: flatpak-cache-key
key: ca.key
privatefile: "flatpak-cache-certs/{{env}}/pki/ca.key"
- role: openshift/secret-file
app: flatpak-cache
secret_name: flatpak-cache-dhparam
key: dh.pem
privatefile: "flatpak-cache-certs/{{env}}/pki/dh.pem"
- role: openshift/object
app: flatpak-cache
template: configmap.yml
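Review bot: The new `openshift/secret-file` role with `privatefile: "flatpak-cache-certs/{{env}}/pki/ca.key"` pushes the private key of the CA that the new squid.conf uses to mint per-host certificates (ssl-bump) into the cluster, so anyone who can read the `flatpak-cache-key` secret or the pod filesystem can issue certificates trusted by every client that installs `ca.crt`; nothing in the play says so. A comment above the three roles would help the next maintainer, e.g. `# ssl-bump CA: ca.crt is distributed to clients, ca.key signs per-host certs inside squid - keep readers of these secrets minimal.` The roles list this hunk appends to starts above the hunk (`file: storage.yml` is context).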


@ -10,6 +10,6 @@ spec:
ports:
- name: web
port: 80
targetPort: 8080
targetPort: 3128
selector:
deploymentconfig: flatpak-cache


@ -21,9 +21,10 @@ items:
hostname \
nss_wrapper \
bind-utils \
varnish && \
squid && \
dnf autoremove -y && \
dnf clean all -y
RUN mkdir -p /var/spool/squid
EXPOSE 80
type: Dockerfile
strategy:
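Review bot: `EXPOSE 80` is left from the Varnish image while Squid now listens on 3128 (the service's new `targetPort` and `http_port 3128` in squid.conf); it should read `EXPOSE 3128`. The new-looking `RUN mkdir -p /var/spool/squid` creates the directory that squid.conf uses for `ssl_db` and coredumps owned by root, so if the pod runs as a non-root or OpenShift-assigned arbitrary UID the certificate generator will not be able to write there; the usual fix is `RUN mkdir -p /var/spool/squid && chgrp -R 0 /var/spool/squid && chmod -R g+rwX /var/spool/squid` (or `chown` to the squid user if the image runs as it). The Dockerfile is embedded in a block scalar whose start and end lie outside this hunk.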


@ -12,6 +12,6 @@ items:
app: flatpak-cache
data:
flatpak-cache.vcl: |-
{{ load_file('flatpak-cache.vcl') | indent(6) }}
{{ load_file('squid.conf') | indent(6) }}
start.sh: |-
{{ load_file('start.sh') | indent(6) }}
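Review bot: The ConfigMap key on the unchanged context line `flatpak-cache.vcl: |-` still names the old Varnish file, so the rendered Squid configuration is mounted at /etc/squid/flatpak-cache.vcl, while the new start.sh starts Squid with `-f /etc/squid/squid.conf` and will not find it. Rename the key to `squid.conf: |-` so the mounted filename matches the path start.sh passes. The ConfigMap object itself starts above this hunk.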


@ -28,16 +28,25 @@
- env:
volumeMounts:
- name: config-volume
mountPath: /etc/varnish
mountPath: /etc/squid
readOnly: true
- name: data
mountPath: /srv
- name: flatpak-cache-ca-volume
mountPath: /etc/pki/squid/ca
readOnly: true
- name: flatpak-cache-key-volume
mountPath: /etc/pki/squid/key
readOnly: true
- name: flatpak-cache-dhparam
mountPath: /etc/pki/squid/dhparam
readOnly: true
imagePullPolicy: Always
name: flatpak-cache
command:
- bash
args:
- /etc/varnish/start.sh
- /etc/squid/start.sh
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
@ -53,3 +62,12 @@
- name: data
persistentVolumeClaim:
claimName: data
- name: flatpak-cache-ca-volume
secret:
secretName: flatpak-cache-ca
- name: flatpak-cache-key-volume
secret:
secretName: flatpak-cache-key
- name: flatpak-cache-dhparam-volume
secret:
secretName: flatpak-cache-dhparam
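Review bot: The added volumeMount `- name: flatpak-cache-dhparam` (mountPath /etc/pki/squid/dhparam) references a volume that is not declared; the volumes list in the second hunk declares it as `- name: flatpak-cache-dhparam-volume`, following the `-volume` suffix of the ca and key entries, so the pod spec will be rejected for an unknown volume. Change the mount to `- name: flatpak-cache-dhparam-volume` to match. Both hunks are inside a container spec and volumes list that begin outside the hunks.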


@ -1,35 +0,0 @@
vcl 4.1;
import std;
acl whitelist {
"localhost";
"10.3.174.52";
"10.3.174.61";
"10.3.174.62";
"10.3.174.63";
"10.3.174.64";
"10.3.174.57";
"10.3.174.42";
"10.3.174.43";
"10.3.174.21";
"10.3.174.22";
"10.3.174.23";
"10.3.174.24";
"10.3.174.25";
"10.3.174.26";
}
backend default {
.host = "dl.flathub.org";
.port = "80";
}
sub vcl_recv {
set req.http.X-Actual-IP = regsub(req.http.X-Forwarded-For, "[, ].*$", "");
if (std.ip(req.http.X-Actual-IP, "0.0.0.0") !~ whitelist && client.ip !~ whitelist) {
return (pass);
# return(synth(403, "Access denied."));
}
set req.http.Host = "dl.flathub.org";
}


@ -0,0 +1,53 @@
acl openqa src 10.3.174.21-10.3.174.64
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from openqa
http_access allow openqa
# Only cache flathub
acl cacheDomain dstdomain dl.flathub.org
cache deny !cacheDomain
# And finally deny all other access to this proxy
http_access deny all
http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca/ca.crt tls-key=/etc/pki/squid/key/ca.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/pki/squid/dhparam/dh.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
sslcrtd_children 5
ssl_bump server-first all
ssl_bump stare all
sslproxy_cert_error deny all
# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 6 GB
cache_dir ufs /srv/squid 20000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern -i dl.flathub.org\/.* 1440 20% 10080 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern . 0 20% 4320
# <Client IP> <Username> [<Local Time>] "<Request Method> <Request URL> HTTP/<Protocol Version> <Response Status Code> \
# <Sent reply size (with hdrs)> <Referer> <User Agent> <Squid Request Status>:<Squid Hierarchy Status>
logformat combined %>a %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/squid.log squid
access_log /var/log/squid/access.log combined
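Review bot: The comment `# Only allow cachemgr access from openqa` does not describe `http_access allow openqa`, which grants the whole 10.3.174.21-64 range full proxy access rather than cache-manager access; reword it to `# Allow proxy access from the openqa range only` and, if cache manager reports are not meant to be reachable from those clients, add `http_access deny manager` above the allow. That range is also wider than the addresses the replaced VCL whitelist enumerated, which may be deliberate but is worth confirming. `ssl_bump stare all` can never be reached because `ssl_bump server-first all` on the preceding line already matches every connection, and `server-first` is the legacy action that predates peek/stare; keep one of the two. `options=NO_TLSv1,NO_SSLv3` on `http_port` still admits TLS 1.1; adding `NO_TLSv1_1` (or `tls-min-version=1.2`) restricts clients to TLS 1.2 and later. The comment `# Uncomment and adjust the following to add a disk cache directory.` is stale now that `cache_dir` is active; `# On-disk cache for flathub objects (up to 6 GB each)` describes what is there.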


@ -1,6 +1,3 @@
exec varnishd \
-F \
-f /etc/varnish/flatpak-cache.vcl
-a :8080
-t 120
-s file,/srv/varnish_storage.bin,20G
exec squid
--foreground
-f /etc/squid/squid.conf
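Review bot: As rendered, the three new lines `exec squid`, `--foreground` and `-f /etc/squid/squid.conf` carry no `\` continuation, unlike the removed `exec varnishd \`, so `exec squid` would start with no arguments, daemonize, and the container would exit as soon as the parent forks; if the continuations were only lost in rendering, ignore this, otherwise write it as one line: `exec squid --foreground -f /etc/squid/squid.conf`. Nothing initializes the certificate database that `sslcrtd_program ... -s /var/spool/squid/ssl_db` in squid.conf expects, and because /var/spool/squid lives in the image filesystem it is empty on every pod start; unless the image does this elsewhere, create it before the exec with `[ -d /var/spool/squid/ssl_db ] || /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 20MB`.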