debops.tinyproxy default variables

Installation, APT packages

tinyproxy__base_packages

List of APT base packages which are required by the Tinyproxy application.

tinyproxy__base_packages: [ 'tinyproxy' ]
tinyproxy__packages

List of APT packages which are required by the Tinyproxy application.

tinyproxy__packages: []
tinyproxy__allow

List of IP addresses or CIDR subnets which will be allowed to connect to the Tinyproxy server in ip(6)tables and TCP wrappers. If it's empty, remote connections are not allowed.

tinyproxy__allow: []
tinyproxy__port

Port number on which this Tinyproxy listens on.

tinyproxy__port: '8888'

System configuration

tinyproxy__user

Name of the UNIX system account used by Tinyproxy service.

tinyproxy__user: 'tinyproxy'
tinyproxy__group

Name of the UNIX system group used by Tinyproxy service.

tinyproxy__group: 'tinyproxy'
tinyproxy__home

Absolute path of the Tinyproxy home directory.

tinyproxy__home: '/run/tinyproxy'

Tinyproxy configuration file

tinyproxy__configuration_file

The full path for the Tinyproxy configuration file

tinyproxy__configuration_file: '{{ "/etc/tinyproxy.conf"
                                   if (ansible_distribution_release in
                                       ["trusty", "xenial"])
                                   else "/etc/tinyproxy/tinyproxy.conf" }}'

The variables below define the contents of the /etc/tinyproxy/tinyproxy.conf configuration file. See tinyproxy__configuration for more details.

tinyproxy__default_configuration

The default configuration options which should be present in the main configuration file.

tinyproxy__default_configuration:

  - name: 'tinyproxy.conf'
    options:

      - name: 'User Group'
        comment: |
          User/Group: This allows you to set the user and group that will be
          used for tinyproxy after the initial binding to the port has been done
          as the root user. Either the user or group name or the UID or GID
          number may be used.
        raw: |
          User {{ tinyproxy__user }}
          Group {{ tinyproxy__group }}
        state: 'present'

      - name: 'Port'
        comment: |
          Port: Specify the port which tinyproxy will listen on.  Please note
          that should you choose to run on a port lower than 1024 you will need
          to start tinyproxy using root.
        raw: |
          Port {{ tinyproxy__port }}
        state: 'present'

      - name: 'Listen'
        comment: |
          Listen: If you have multiple interfaces this allows you to bind to
          only one. If this is commented out, tinyproxy will bind to all
          interfaces present.
        raw: |
          Listen 192.168.0.1
        state: 'comment'

      - name: 'Bind'
        comment: |
          Bind: This allows you to specify which interface will be used for
          outgoing connections.  This is useful for multi-home'd machines where
          you want all traffic to appear outgoing from one particular interface.
        raw: |
          Bind 192.168.0.1
        state: 'comment'

      - name: 'BindSame'
        comment: |
          BindSame: If enabled, tinyproxy will bind the outgoing connection to the
          ip address of the incoming connection.
        raw: |
          BindSame yes
        state: 'comment'

      - name: 'Timeout'
        comment: |
          Timeout: The maximum number of seconds of inactivity a connection is
          allowed to have before it is closed by tinyproxy.
        raw: |
          Timeout 600
        state: 'present'

      - name: 'ErrorFile'
        comment: |
          ErrorFile: Defines the HTML file to send when a given HTTP error
          occurs.  You will probably need to customize the location to your
          particular install.  The usual locations to check are:
            /usr/local/share/tinyproxy
            /usr/share/tinyproxy
            /etc/tinyproxy
        raw: |
          ErrorFile 404 "/usr/share/tinyproxy/404.html"
          ErrorFile 400 "/usr/share/tinyproxy/400.html"
          ErrorFile 503 "/usr/share/tinyproxy/503.html"
          ErrorFile 403 "/usr/share/tinyproxy/403.html"
          ErrorFile 408 "/usr/share/tinyproxy/408.html"
        state: 'comment'

      - name: 'DefaultErrorFile'
        comment: |
          DefaultErrorFile: The HTML file that gets sent if there is no
          HTML file defined with an ErrorFile keyword for the HTTP error
          that has occurred.
        raw: |
          DefaultErrorFile "/usr/share/tinyproxy/default.html"
        state: 'present'

      - name: 'StatHost'
        comment: |
          StatHost: This configures the host name or IP address that is treated
          as the stat host: Whenever a request for this host is received,
          Tinyproxy will return an internal statistics page instead of
          forwarding the request to that host.  The default value of StatHost is
          tinyproxy.stats.
        raw: |
          StatHost "tinyproxy.stats"
        state: 'comment'

      - name: 'StatFile'
        comment: |
          StatFile: The HTML file that gets sent when a request is made
          for the stathost.  If this file doesn't exist a basic page is
          hardcoded in tinyproxy.
        raw: |
          StatFile "/usr/share/tinyproxy/stats.html"
        state: 'present'

      - name: 'LogFile'
        comment: |
          Logfile: Allows you to specify the location where information should
          be logged to.  If you would prefer to log to syslog, then disable this
          and enable the Syslog directive.  These directives are mutually
          exclusive.
        raw: |
          Logfile "/var/log/tinyproxy/tinyproxy.log"
        state: 'present'

      - name: 'Syslog'
        comment: |
          Syslog: Tell tinyproxy to use syslog instead of a logfile.  This
          option must not be enabled if the Logfile directive is being used.
          These two directives are mutually exclusive.
        raw: |
          Syslog On
        state: 'comment'

      - name: 'LogLevel'
        comment: |
          LogLevel:

          Set the logging level. Allowed settings are:
          Critical  (least verbose)
          Error
          Warning
          Notice
          Connect   (to log connections without Info's noise)
          Info    (most verbose)

          The LogLevel logs from the set level and above. For example, if the
          LogLevel was set to Warning, then all log messages from Warning to
          Critical would be output, but Notice and below would be suppressed.
        raw: |
          LogLevel Info
        state: 'present'

      - name: 'PidFile'
        comment: |
          PidFile: Write the PID of the main tinyproxy thread to this file so it
          can be used for signalling purposes.
        raw: |
          PidFile "/run/tinyproxy/tinyproxy.pid"
        state: 'present'

      - name: 'XTinyproxy'
        comment: |
          XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
          contains the client's IP address.
        raw: |
          XTinyproxy Yes
        state: 'comment'

      - name: 'upstream'
        comment: |
          Upstream:

          Turns on upstream proxy support.

          The upstream rules allow you to selectively route upstream connections
          based on the host/domain of the site being accessed.

          For example:
           # connection to test domain goes through testproxy
           upstream testproxy:8008 ".test.domain.invalid"
           upstream testproxy:8008 ".our_testbed.example.com"
           upstream testproxy:8008 "192.168.128.0/255.255.254.0"

           # no upstream proxy for internal websites and unqualified hosts
           no upstream ".internal.example.com"
           no upstream "www.example.com"
           no upstream "10.0.0.0/8"
           no upstream "192.168.0.0/255.255.254.0"
           no upstream "."

           # connection to these boxes go through their DMZ firewalls
           upstream cust1_firewall:8008 "testbed_for_cust1"
           upstream cust2_firewall:8008 "testbed_for_cust2"

           # default upstream is internet firewall
           upstream firewall.internal.example.com:80

          The LAST matching rule wins the route decision.  As you can see, you
          can use a host, or a domain:
           name     matches host exactly
           .name    matches any host in domain "name"
           .        matches any host with no domain (in 'empty' domain)
           IP/bits  matches network/mask
           IP/mask  matches network/mask
        raw: |
          Upstream some.remote.proxy:port
        state: 'comment'

      - name: 'MaxClients'
        comment: |
          MaxClients: This is the absolute highest number of threads which will
          be created. In other words, only MaxClients number of clients can be
          connected at the same time.
        raw: |
          MaxClients 100
        state: 'present'

      - name: 'MinSpareServers MaxSpareServers'
        comment: |
          MinSpareServers/MaxSpareServers: These settings set the upper and
          lower limit for the number of spare servers which should be available.

          If the number of spare servers falls below MinSpareServers then new
          server processes will be spawned.  If the number of servers exceeds
          MaxSpareServers then the extras will be killed off.
        raw: |
          MinSpareServers 5
          MaxSpareServers 20
        state: 'present'

      - name: 'StartServers'
        comment: |
          StartServers: The number of servers to start initially.
        raw: |
          StartServers 10
        state: 'present'

      - name: 'MaxRequestsPerChild'
        comment: |
          MaxRequestsPerChild: The number of connections a thread will handle
          before it is killed. In practise this should be set to 0, which
          disables thread reaping. If you do notice problems with memory
          leakage, then set this to something like 10000.
        raw: |
          MaxRequestsPerChild 0
        state: 'present'

      - name: 'Allow'
        comment: |
          Allow: Customization of authorization controls. If there are any
          access control keywords then the default action is to DENY. Otherwise,
          the default action is ALLOW.

          The order of the controls are important. All incoming connections are
          tested against the controls based on order.
        raw: |
          Allow 127.0.0.1
          {% for item in tinyproxy__allow %}
          Allow {{ item }}
          {% endfor %}
          #Allow 192.168.0.0/16
          #Allow 172.16.0.0/12
          #Allow 10.0.0.0/8
        state: 'present'

      - name: 'AddHeader'
        comment: |
          AddHeader: Adds the specified headers to outgoing HTTP requests that
          Tinyproxy makes. Note that this option will not work for HTTPS
          traffic, as Tinyproxy has no control over what headers are exchanged.
        raw: |
          AddHeader "X-My-Header" "Powered by Tinyproxy"
        state: 'comment'

      - name: 'ViaProxyName'
        comment: |
          ViaProxyName: The "Via" header is required by the HTTP RFC, but using
          the real host name is a security concern.  If the following directive
          is enabled, the string supplied will be used as the host name in the
          Via header; otherwise, the server's host name will be used.
        raw: |
          ViaProxyName "tinyproxy"
        state: 'present'

      - name: 'DisableViaHeader'
        comment: |
          DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
          the Via header to the requests. This virtually puts Tinyproxy into
          stealth mode. Note that RFC 2616 requires proxies to set the Via
          header, so by enabling this option, you break compliance.
          Don't disable the Via header unless you know what you are doing...
        raw: |
          DisableViaHeader Yes
        state: 'comment'

      - name: 'Filter'
        comment: |
          Filter: This allows you to specify the location of the filter file.
        raw: |
          Filter "/etc/tinyproxy/filter"
        state: 'comment'

      - name: 'FilterURLs'
        comment: |
          FilterURLs: Filter based on URLs rather than domains.
        raw: |
          FilterURLs On
        state: 'comment'

      - name: 'FilterExtended'
        comment: |
          FilterExtended: Use POSIX Extended regular expressions rather than
          basic.
        raw: |
          FilterExtended On
        state: 'comment'

      - name: 'FilterCaseSensitive'
        comment: |
          FilterCaseSensitive: Use case sensitive regular expressions.
        raw: |
          FilterCaseSensitive On
        state: 'comment'

      - name: 'FilterDefaultDeny'
        comment: |
          FilterDefaultDeny: Change the default policy of the filtering system.
          If this directive is commented out, or is set to "No" then the default
          policy is to allow everything which is not specifically denied by the
          filter file.

          However, by setting this directive to "Yes" the default policy becomes
          to deny everything which is _not_ specifically allowed by the filter
          file.
        raw: |
          FilterDefaultDeny Yes
        state: 'comment'

      - name: 'Anonymous'
        comment: |
          Anonymous: If an Anonymous keyword is present, then anonymous proxying
          is enabled.  The headers listed are allowed through, while all others
          are denied. If no Anonymous keyword is present, then all headers are
          allowed through.  You must include quotes around the headers.

          Most sites require cookies to be enabled for them to work correctly, so
          you will need to allow Cookies through if you access those sites.
        raw: |
          Anonymous "Host"
          Anonymous "Authorization"
          Anonymous "Cookie"
        state: 'comment'

      - name: 'ConnectPort'
        comment: |
          ConnectPort: This is a list of ports allowed by tinyproxy when the
          CONNECT method is used.  To disable the CONNECT method altogether, set
          the value to 0.  If no ConnectPort line is found, all ports are
          allowed (which is not very secure.)

          The following two ports are used by SSL.
        raw: |
          ConnectPort 443
          ConnectPort 563
        state: 'present'

      - name: 'ReversePath'
        comment: |
          Configure one or more ReversePath directives to enable reverse proxy
          support. With reverse proxying it's possible to make a number of
          sites appear as if they were part of a single site.

          If you uncomment the following two directives and run tinyproxy
          on your own computer at port 8888, you can access Google using
          http://localhost:8888/google/ and Wired News using
          http://localhost:8888/wired/news/. Neither will actually work
          until you uncomment ReverseMagic as they use absolute linking.
        raw: |
          ReversePath "/google/" "https://www.google.com/"
          ReversePath "/wired/"  "https://www.wired.com/"
        state: 'comment'

      - name: 'ReverseOnly'
        comment: |
          When using tinyproxy as a reverse proxy, it is STRONGLY recommended
          that the normal proxy is turned off by uncommenting the next directive.
        raw: |
          ReverseOnly Yes
        state: 'comment'

      - name: 'ReverseMagic'
        comment: |
          Use a cookie to track reverse proxy mappings. If you need to reverse
          proxy sites which have absolute links you must uncomment this.
        raw: |
          ReverseMagic Yes
        state: 'comment'

      - name: 'ReverseBaseURL'
        comment: |
          The URL that's used to access this reverse proxy. The URL is used to
          rewrite HTTP redirects so that they won't escape the proxy. If you
          have a chain of reverse proxies, you'll need to put the outermost
          URL here (the address which the end user types into his/her browser).

          If not set then no rewriting occurs.
        raw: |
          ReverseBaseURL "http://localhost:8888/"
        state: 'comment'
tinyproxy__configuration

List of configuration options defined on all hosts in the Tinyproxy inventory.

tinyproxy__configuration: []
tinyproxy__combined_configuration

Actual list of Tinyproxy configuration options passed to the configuration template. This list defines the order in which the options from different variables are processed.

tinyproxy__combined_configuration: '{{ tinyproxy__default_configuration + tinyproxy__configuration }}'

Configuration for other Ansible roles

tinyproxy__ferm__dependent_rules

Configuration for debops.ferm Tinyproxy role.

tinyproxy__ferm__dependent_rules:

  - type: 'accept'
    dport: [ 'tinyproxy' ]
    saddr: '{{ tinyproxy__allow }}'
    accept_any: False
    weight: '40'
    role: 'tinyproxy'
tinyproxy__etc_services__dependent_list

Configuration for the debops.etc_services Ansible role.

tinyproxy__etc_services__dependent_list:

  - name: 'tinyproxy'
    port: '{{ tinyproxy__port }}'