From c987e62821927bad8e0010e2670b73da86aaf904 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sun, 30 Sep 2018 07:31:26 -0400 Subject: [PATCH] somewhat cleaner --- global_vars/vars.yml | 4 +- playbooks/roles/common/vars/main.yml | 2 - .../roles/dnsmasq/templates/dnsmasq.conf.j2 | 10 +- playbooks/roles/gpg/tasks/main.yml | 3 - playbooks/roles/openvpn/meta/main.yml | 2 +- playbooks/roles/openvpn/tasks/install.yml | 12 +- playbooks/roles/openvpn/tasks/main.yml | 10 +- playbooks/roles/stunnel/tasks/main.yml | 5 - .../stunnel/templates/stunnel-remote.conf.j2 | 1 - playbooks/roles/tinyproxy/tasks/main.yml | 61 ++--- .../tinyproxy/templates/tinyproxy.conf.j2 | 211 +++++++++++++++++- .../tinyproxy/templates/tinyproxy.service.j2 | 10 +- playbooks/roles/tinyproxy/vars/main.yml | 4 +- playbooks/roles/wireguard/meta/main.yml | 2 +- playbooks/streisand.yml | 4 +- 15 files changed, 261 insertions(+), 80 deletions(-) diff --git a/global_vars/vars.yml b/global_vars/vars.yml index b470ec66c..e9440163d 100644 --- a/global_vars/vars.yml +++ b/global_vars/vars.yml @@ -1,7 +1,7 @@ --- upstream_dns_servers: - - 8.8.8.8 - - 8.8.4.4 + - 1.1.1.1 + - 1.0.0.1 streisand_client_test: no diff --git a/playbooks/roles/common/vars/main.yml b/playbooks/roles/common/vars/main.yml index 45bef2dac..c43964e80 100644 --- a/playbooks/roles/common/vars/main.yml +++ b/playbooks/roles/common/vars/main.yml @@ -6,8 +6,6 @@ streisand_common_packages: - apt-transport-https # Used to perform a system upgrade - aptitude - # Used to compile Libreswan and OpenConnect Server (ocserv) - #- build-essential # Used to perform API requests, including the version check for # the Tor Browser Bundle - curl diff --git a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 index d28901e6a..1b31c2089 100644 --- a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 +++ b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 
@@ -18,6 +18,10 @@ bogus-priv # uncomment this. no-resolv -{% for item in upstream_dns_servers %} -server={{ item }} -{% endfor %} +bind-interfaces + +server=127.0.0.53 + +#{% for item in upstream_dns_servers %} +#server={{ item }} +#{% endfor %} diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml index 1a746f93c..1a086080b 100644 --- a/playbooks/roles/gpg/tasks/main.yml +++ b/playbooks/roles/gpg/tasks/main.yml @@ -51,9 +51,6 @@ - name: "Start a new dirmngr with our config changes" command: "gpgconf --launch dirmngr" -- name: "Start the gpg-agent" - command: "gpg-agent --daemon --write-env-file {{ root_gpg_dir }}" - - name: "Wait for the GPG agent and dirmngr control sockets" wait_for: path: "{{ root_gpg_dir }}/{{ item }}" diff --git a/playbooks/roles/openvpn/meta/main.yml b/playbooks/roles/openvpn/meta/main.yml index 3a2781432..c2fd8b436 100644 --- a/playbooks/roles/openvpn/meta/main.yml +++ b/playbooks/roles/openvpn/meta/main.yml @@ -2,5 +2,5 @@ dependencies: # OpenVPN needs to be added to the firewall - { role: ufw } - # - { role: dnsmasq } + - { role: dnsmasq } - { role: ip-forwarding } diff --git a/playbooks/roles/openvpn/tasks/install.yml b/playbooks/roles/openvpn/tasks/install.yml index d63c667c6..949ba0a4c 100644 --- a/playbooks/roles/openvpn/tasks/install.yml +++ b/playbooks/roles/openvpn/tasks/install.yml @@ -1,10 +1,10 @@ --- -#- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." -# apt_key: -# id: E158C569 -# data: "{{ item }}" -# with_file: openvpn_signing.key -# no_log: True +- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." + apt_key: + id: E158C569 + data: "{{ item }}" + with_file: openvpn_signing.key + no_log: True #- name: Add the official OpenVPN repository # apt_repository: diff --git a/playbooks/roles/openvpn/tasks/main.yml b/playbooks/roles/openvpn/tasks/main.yml index 697127f52..18d03f64c 100644 --- a/playbooks/roles/openvpn/tasks/main.yml 
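Review bot: The hard-coded `server=127.0.0.53` forwards every query to whatever listens on the systemd-resolved stub address, and commenting out the `{% for item in upstream_dns_servers %}` loop means the `upstream_dns_servers` list (switched to 1.1.1.1/1.0.0.1 in the global_vars hunk of this same commit) is no longer consulted at all. Because `no-resolv` is kept, dnsmasq now has no other upstream, so resolution depends on resolved being present and pointed at a trustworthy upstream, and if resolved is itself configured to use dnsmasq the two daemons loop. If chaining through resolved is intended, state that in a comment above the line and drop the now-dead variable; otherwise restore the original three lines `{% for item in upstream_dns_servers %}` / `server={{ item }}` / `{% endfor %}` instead of leaving them commented.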
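Review bot: Removing the `Start the gpg-agent` task leaves the following task, `Wait for the GPG agent and dirmngr control sockets`, waiting for an agent socket that nothing in this file starts any more; only `gpgconf --launch dirmngr` remains. Unless a later gpg invocation autostarts the agent before that wait runs, the wait_for will time out. Either launch it the same way dirmngr is launched, `command: "gpgconf --launch gpg-agent"`, or remove the agent socket from the wait_for item list, which lies outside this hunk.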
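Review bot: The re-enabled apt_key task pins the key by the 8-hex short id `E158C569`; short key ids are not collision-resistant, and apt_key's `id` accepts the full fingerprint, which is what should be matched against the key shipped in `openvpn_signing.key`, e.g. `id: <FULL_OPENVPN_KEY_FINGERPRINT>` (placeholder, take it from the key file). The next task, `Add the official OpenVPN repository`, is still commented out, so the key is imported without any repository that uses it; re-enable both or neither. `no_log: True` would also read better as `no_log: true`, matching yamllint's truthy rule.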
+++ b/playbooks/roles/openvpn/tasks/main.yml @@ -2,11 +2,11 @@ # Add the apt key and install OpenVPN - import_tasks: install.yml -#- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" -# template: -# src: openvpn_dnsmasq.conf.j2 -# dest: /etc/dnsmasq.d/openvpn.conf -# notify: Restart dnsmasq +- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" + template: + src: openvpn_dnsmasq.conf.j2 + dest: /etc/dnsmasq.d/openvpn.conf + notify: Restart dnsmasq - include_role: name: certificates diff --git a/playbooks/roles/stunnel/tasks/main.yml b/playbooks/roles/stunnel/tasks/main.yml index 5fd9eac1e..034f463db 100644 --- a/playbooks/roles/stunnel/tasks/main.yml +++ b/playbooks/roles/stunnel/tasks/main.yml @@ -41,11 +41,6 @@ name: stunnel4.service state: stopped -- name: Remove the stunnel init.d script - file: - state: absent - path: "/etc/init.d/stunnel4" - - name: Copy the stunnel system unit file template: src: stunnel.service.j2 diff --git a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 index f2fe15428..74135f5e6 100644 --- a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 +++ b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 @@ -1,7 +1,6 @@ cert = {{ stunnel_cert }} key = {{ stunnel_key }} debug = 4 -options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 diff --git a/playbooks/roles/tinyproxy/tasks/main.yml b/playbooks/roles/tinyproxy/tasks/main.yml index d532f9b2b..d784faa93 100644 --- a/playbooks/roles/tinyproxy/tasks/main.yml +++ b/playbooks/roles/tinyproxy/tasks/main.yml 
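Review bot: The restored task renders `/etc/dnsmasq.d/openvpn.conf` so that dnsmasq listens on `{{ dnsmasq_openvpn_tcp_ip }}` and `{{ dnsmasq_openvpn_udp_ip }}`, while the dnsmasq template in this commit now sets `bind-interfaces`; with that option dnsmasq binds each configured address explicitly at startup and exits if the address is not present yet, so on boot the service can fail if the OpenVPN tun addresses come up after it. If the drop-in (not visible here) lists those IPs via `listen-address`, consider `bind-dynamic` in the base template or an ordering dependency on the openvpn units, and document the choice above the task.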
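Review bot: Dropping the `Remove the stunnel init.d script` task leaves `/etc/init.d/stunnel4` in place, and the preceding task only stops `stunnel4.service` (`state: stopped`) without disabling it, so systemd's sysv generator can bring the package's instance back on the next boot alongside the unit installed by `Copy the stunnel system unit file`. If the removal was dropped on purpose, add `enabled: no` to the stop task (or mask the generated unit) so only the Streisand-managed unit starts, and say why in a comment.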
@@ -3,37 +3,42 @@ apt: name: tinyproxy -- name: Create the tinyproxy config directory - file: - path: "{{ tinyproxy_conf_dir }}" - state: directory - owner: nobody - group: nogroup - mode: 0755 +#- name: Create the tinyproxy config directory +# file: +# path: "{{ tinyproxy_conf_dir }}" +# state: directory +# owner: nobody +# group: nogroup +# mode: 0755 -- name: Generate the tinyproxy configuration file - template: - src: tinyproxy.conf.j2 - dest: "{{ tinyproxy_conf_file }}" - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy configuration file +# template: +# src: tinyproxy.conf.j2 +# dest: "{{ tinyproxy_conf_file }}" +# owner: root +# group: root +# mode: 0644 -- name: Generate the tinyproxy system unit file - template: - src: tinyproxy.service.j2 - dest: /etc/systemd/system/tinyproxy.service - owner: root - group: root - mode: 0644 +#- name: Create the tinyproxy systemd drop-in configuration directory +# file: +# path: "{{ tinyproxy_systemd_service_path }}" +# state: directory -- name: Generate the systemd tmpfile for tinyproxy - template: - src: tinyproxytmp.conf.j2 - dest: /etc/tmpfiles.d/tinyproxy.conf - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy systemd drop-in service file +# template: +# src: tinyproxy.service.j2 +# dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.service" +# owner: root +# group: root +# mode: 0644 + +#- name: Generate the systemd tmpfile for tinyproxy +# template: +# src: tinyproxytmp.conf.j2 +# dest: /etc/tmpfiles.d/tinyproxy.conf +# owner: root +# group: root +# mode: 0644 - name: Enable and restart the tinyproxy service systemd: diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 index 41c264461..7600c3234 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 
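Review bot: With every template task commented out, the role now installs the package and restarts the service but never deploys `tinyproxy.conf.j2`, the unit drop-in or the tmpfile, so the configuration changes made to `tinyproxy.conf.j2` elsewhere in this commit (user, logfile, timeout) have no effect and tinyproxy runs with the distribution's default configuration, whose access list and listen address may differ from `tinyproxy_listen_address` and `streisand_ipv4_address`. If this is a temporary bisect, say so in a comment above the block; otherwise delete the dead tasks rather than keeping forty commented lines. Separately, the commented drop-in destination `dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.service"` will be ignored when re-enabled, because systemd only reads files in a `.service.d` directory that end in `.conf`; it should be `10-restart-failure.conf`.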
@@ -12,8 +12,8 @@ # as the root user. Either the user or group name or the UID or GID # number may be used. # -User nobody -Group nogroup +User tinyproxy +Group tinyproxy # # Port: Specify the port which tinyproxy will listen on. Please note @@ -29,11 +29,38 @@ Port {{ tinyproxy_port }} # Listen {{ tinyproxy_listen_address }} +# +# Bind: This allows you to specify which interface will be used for +# outgoing connections. This is useful for multi-home'd machines where +# you want all traffic to appear outgoing from one particular interface. +# +#Bind 192.168.0.1 + +# +# BindSame: If enabled, tinyproxy will bind the outgoing connection to the +# ip address of the incoming connection. +# +#BindSame yes + # # Timeout: The maximum number of seconds of inactivity a connection is # allowed to have before it is closed by tinyproxy. # -Timeout {{ tinyproxy_timeout_seconds }} +Timeout 600 + +# +# ErrorFile: Defines the HTML file to send when a given HTTP error +# occurs. You will probably need to customize the location to your +# particular install. The usual locations to check are: +# /usr/local/share/tinyproxy +# /usr/share/tinyproxy +# /etc/tinyproxy +# +#ErrorFile 404 "/usr/share/tinyproxy/404.html" +#ErrorFile 400 "/usr/share/tinyproxy/400.html" +#ErrorFile 503 "/usr/share/tinyproxy/503.html" +#ErrorFile 403 "/usr/share/tinyproxy/403.html" +#ErrorFile 408 "/usr/share/tinyproxy/408.html" # # DefaultErrorFile: The HTML file that gets sent if there is no 
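Review bot: Changing `User nobody`/`Group nogroup` to `User tinyproxy`/`Group tinyproxy` only works if that account exists on the target, and the paths the rest of the template points at (`{{ tinyproxy_log_file }}`, `{{ tinyproxy_pid_file }}`) must be writable by it, yet the tasks that created those directories with owner nobody are commented out in this same commit. Whether the distribution package creates the `tinyproxy` user cannot be seen from this diff; a comment above the directive, `# account is expected to be created by the tinyproxy package -- verify on the target OS`, or an explicit `user:` task in the role would make the dependency visible.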
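Review bot: `Timeout 600` replaces `Timeout {{ tinyproxy_timeout_seconds }}`, silently removing the role variable from the rendered config while it presumably still exists in vars/main.yml (not in this diff) for anyone overriding it. Keep the directive as `Timeout {{ tinyproxy_timeout_seconds }}` and change the variable's default instead. The surrounding `Bind`/`BindSame`/`ErrorFile` additions are commented stock text and need no change.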
@@ -42,6 +69,16 @@ Timeout {{ tinyproxy_timeout_seconds }} # DefaultErrorFile "/usr/share/tinyproxy/default.html" +# +# StatHost: This configures the host name or IP address that is treated +# as the stat host: Whenever a request for this host is received, +# Tinyproxy will return an internal statistics page instead of +# forwarding the request to that host. The default value of StatHost is +# tinyproxy.stats. +# +#StatHost "tinyproxy.stats" +# + # # StatFile: The HTML file that gets sent when a request is made # for the stathost. If this file doesn't exist a basic page is @@ -55,18 +92,25 @@ StatFile "/usr/share/tinyproxy/stats.html" # and enable the Syslog directive. These directives are mutually # exclusive. # -# Logfile "{{ tinyproxy_log_file }}" +Logfile "{{ tinyproxy_log_file }}" + +# +# Syslog: Tell tinyproxy to use syslog instead of a logfile. This +# option must not be enabled if the Logfile directive is being used. +# These two directives are mutually exclusive. +# +#Syslog On # -# LogLevel: +# LogLevel: # # Set the logging level. Allowed settings are: -# Critical (least verbose) -# Error -# Warning -# Notice -# Connect (to log connections without Info's noise) -# Info (most verbose) +# Critical (least verbose) +# Error +# Warning +# Notice +# Connect (to log connections without Info's noise) +# Info (most verbose) # # The LogLevel logs from the set level and above. For example, if the # LogLevel was set to Warning, then all log messages from Warning to 
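Review bot: Uncommenting `Logfile "{{ tinyproxy_log_file }}"` makes tinyproxy open the log file under `tinyproxy_log_dir` at start, but the task that would create that directory (the tmpfile template in tasks/main.yml) is commented out in this commit and the process now runs as the `tinyproxy` user, so the daemon will fail to start if the directory is missing or not writable by that account. Either restore the directory creation or leave logging at the package default, and note the dependency in a comment above the directive. The new `# LogLevel:` header line appears to differ from the old one only by trailing whitespace; drop it so the diff carries only the intended re-indentation of the level list.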
@@ -80,6 +124,50 @@ LogLevel {{ tinyproxy_log_level }} # PidFile "{{ tinyproxy_pid_file }}" +# +# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which +# contains the client's IP address. +# +#XTinyproxy Yes + +# +# Upstream: +# +# Turns on upstream proxy support. +# +# The upstream rules allow you to selectively route upstream connections +# based on the host/domain of the site being accessed. +# +# For example: +# # connection to test domain goes through testproxy +# upstream testproxy:8008 ".test.domain.invalid" +# upstream testproxy:8008 ".our_testbed.example.com" +# upstream testproxy:8008 "192.168.128.0/255.255.254.0" +# +# # no upstream proxy for internal websites and unqualified hosts +# no upstream ".internal.example.com" +# no upstream "www.example.com" +# no upstream "10.0.0.0/8" +# no upstream "192.168.0.0/255.255.254.0" +# no upstream "." +# +# # connection to these boxes go through their DMZ firewalls +# upstream cust1_firewall:8008 "testbed_for_cust1" +# upstream cust2_firewall:8008 "testbed_for_cust2" +# +# # default upstream is internet firewall +# upstream firewall.internal.example.com:80 +# +# The LAST matching rule wins the route decision. As you can see, you +# can use a host, or a domain: +# name matches host exactly +# .name matches any host in domain "name" +# . matches any host with no domain (in 'empty' domain) +# IP/bits matches network/mask +# IP/mask matches network/mask +# +#Upstream some.remote.proxy:port + # # MaxClients: This is the absolute highest number of threads which will # be created. In other words, only MaxClients number of clients can be 
@@ -121,6 +209,16 @@ MaxRequestsPerChild 0 # Allow {{ tinyproxy_listen_address }} Allow {{ streisand_ipv4_address }} +#Allow 192.168.0.0/16 +#Allow 172.16.0.0/12 +#Allow 10.0.0.0/8 + +# +# AddHeader: Adds the specified headers to outgoing HTTP requests that +# Tinyproxy makes. Note that this option will not work for HTTPS +# traffic, as Tinyproxy has no control over what headers are exchanged. +# +#AddHeader "X-My-Header" "Powered by Tinyproxy" # # ViaProxyName: The "Via" header is required by the HTTP RFC, but using 
@@ -130,6 +228,61 @@ Allow {{ streisand_ipv4_address }} # ViaProxyName "tinyproxy" +# +# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add +# the Via header to the requests. This virtually puts Tinyproxy into +# stealth mode. Note that RFC 2616 requires proxies to set the Via +# header, so by enabling this option, you break compliance. +# Don't disable the Via header unless you know what you are doing... +# +#DisableViaHeader Yes + +# +# Filter: This allows you to specify the location of the filter file. +# +#Filter "/etc/tinyproxy/filter" + +# +# FilterURLs: Filter based on URLs rather than domains. +# +#FilterURLs On + +# +# FilterExtended: Use POSIX Extended regular expressions rather than +# basic. +# +#FilterExtended On + +# +# FilterCaseSensitive: Use case sensitive regular expressions. +# +#FilterCaseSensitive On + +# +# FilterDefaultDeny: Change the default policy of the filtering system. +# If this directive is commented out, or is set to "No" then the default +# policy is to allow everything which is not specifically denied by the +# filter file. +# +# However, by setting this directive to "Yes" the default policy becomes +# to deny everything which is _not_ specifically allowed by the filter +# file. +# +#FilterDefaultDeny Yes + +# +# Anonymous: If an Anonymous keyword is present, then anonymous proxying +# is enabled. The headers listed are allowed through, while all others +# are denied. If no Anonymous keyword is present, then all headers are +# allowed through. You must include quotes around the headers. +# +# Most sites require cookies to be enabled for them to work correctly, so +# you will need to allow Cookies through if you access those sites. +# +#Anonymous "Host" +#Anonymous "Authorization" +#Anonymous "Cookie" + # # ConnectPort: This is a list of ports allowed by tinyproxy when the # CONNECT method is used. To disable the CONNECT method altogether, set 
@@ -140,3 +293,39 @@ ViaProxyName "tinyproxy" # ConnectPort 443 ConnectPort 563 + +# +# Configure one or more ReversePath directives to enable reverse proxy +# support. With reverse proxying it's possible to make a number of +# sites appear as if they were part of a single site. +# +# If you uncomment the following two directives and run tinyproxy +# on your own computer at port 8888, you can access Google using +# http://localhost:8888/google/ and Wired News using +# http://localhost:8888/wired/news/. Neither will actually work +# until you uncomment ReverseMagic as they use absolute linking. +# +#ReversePath "/google/" "http://www.google.com/" +#ReversePath "/wired/" "http://www.wired.com/" + +# +# When using tinyproxy as a reverse proxy, it is STRONGLY recommended +# that the normal proxy is turned off by uncommenting the next directive. +# +#ReverseOnly Yes + +# +# Use a cookie to track reverse proxy mappings. If you need to reverse +# proxy sites which have absolute links you must uncomment this. +# +#ReverseMagic Yes + +# +# The URL that's used to access this reverse proxy. The URL is used to +# rewrite HTTP redirects so that they won't escape the proxy. If you +# have a chain of reverse proxies, you'll need to put the outermost +# URL here (the address which the end user types into his/her browser). +# +# If not set then no rewriting occurs. +# +#ReverseBaseURL "http://localhost:8888/" diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 index 75289b646..49ffe33a4 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 
@@ -1,18 +1,10 @@ [Unit] -Description=tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems After=network.target sshd.service -Documentation=man:tinyproxy(8) +Documentation=man:tinyproxy(8) man:tinyproxy.conf(5) Documentation=https://www.banu.com/tinyproxy/ [Service] -Type=forking -PIDFile={{ tinyproxy_pid_file }} ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }} -ExecReload=/bin/kill -HUP $MAINPID PrivateTmp=true -PrivateDevices=yes RestartSec=5s Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/playbooks/roles/tinyproxy/vars/main.yml b/playbooks/roles/tinyproxy/vars/main.yml index ef4df9142..71bd582e9 100644 --- a/playbooks/roles/tinyproxy/vars/main.yml +++ b/playbooks/roles/tinyproxy/vars/main.yml @@ -5,10 +5,12 @@ tinyproxy_port: 8888 tinyproxy_listen_address: "127.0.0.1" tinyproxy_log_level: "Critical" +tinyproxy_systemd_service_path: "/etc/systemd/system/tinyproxy.service.d" + tinyproxy_log_dir: "/var/log/tinyproxy" tinyproxy_log_file: "{{ tinyproxy_log_dir }}/tinyproxy.log" -tinyproxy_pid_dir: "/var/run/tinyproxy" +tinyproxy_pid_dir: "/run/tinyproxy" tinyproxy_pid_file: "{{ tinyproxy_pid_dir }}/tinyproxy.pid" tinyproxy_conf_dir: "/etc/tinyproxy" diff --git a/playbooks/roles/wireguard/meta/main.yml b/playbooks/roles/wireguard/meta/main.yml index 3814d9a6c..fb954d5d4 100644 --- a/playbooks/roles/wireguard/meta/main.yml +++ b/playbooks/roles/wireguard/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - #- { role: dnsmasq } + - { role: dnsmasq } - { role: ip-forwarding } diff --git a/playbooks/streisand.yml b/playbooks/streisand.yml index 649fbb234..2edb1c4fd 100644 --- a/playbooks/streisand.yml +++ b/playbooks/streisand.yml 
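Review bot: As a drop-in fragment the file keeps `ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }}` without first clearing the package unit's value; for any unit type other than oneshot systemd rejects a second ExecStart= and the unit fails to load, so an empty `ExecStart=` line is needed immediately before it. Removing `Type=forking`/`PIDFile=` only takes effect if the package unit also omits them, which cannot be seen here, and `tinyproxy_pid_dir` moves to `/run/tinyproxy` in the vars hunk of this commit, so the pid path the service uses should be checked against the package unit. Dropping `PrivateDevices=yes` is a hardening regression with no stated reason; keep it. Note the template is currently not deployed at all because the task rendering it is commented out in tasks/main.yml.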
@@ -24,8 +24,8 @@ when: streisand_openconnect_enabled - role: openvpn when: streisand_openvpn_enabled - #- role: shadowsocks - # when: streisand_shadowsocks_enabled + - role: shadowsocks + when: streisand_shadowsocks_enabled - role: ssh-forward when: streisand_ssh_forward_enabled - role: tinyproxy