voxpupuli/puppet-squid

Name: puppet-squid

Owner: Vox Pupuli

Description: Puppet module for configuration of squid caching proxy.

Created: 2016-04-13 07:33:31.0

Updated: 2017-01-20 16:18:18.0

Pushed: 2018-01-04 09:44:24.0

Homepage: https://forge.puppet.com/puppet/squid

Size: 195

Language: Ruby

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Puppet module for Squid

Description

Puppet module for configuring the squid caching service.

Usage

The set up a simple squid server with a cache to forward http port 80 requests.

s { 'squid': }
d::acl { 'Safe_ports':
pe    => port,
tries => ['80'],

d::http_access { 'Safe_ports':
tion => allow,

d::http_access{ '!Safe_ports':
tion => deny,

Parameters for squid Class

Parameters to the squid class almost map 1 to 1 to squid.conf parameters themselves.

• ensure_service The ensure value of the squid service, defaults to running.
• enable_service The enable value of the squid service, defaults to true.
• config Location of squid.conf file, defaults to /etc/squid/squid.conf.
• config_user user which owns the config file, default depends on $operatingsystem
• config_group group which owns the config file, default depends on $operatingsystem
• daemon_user user which runs the squid daemon, this is used for ownership of the cache directory, default depends on $operatingsystem
• daemon_group group which runs the squid daemon, this is used for ownership of the cache directory, default depends on $operatingsystem
• cache_mem defaults to 256 MB. cache_mem docs.
• cache_replacement_policy defaults to undef. cache_replacement_policy docs.
• memory_replacement_policy defaults to undef. memory_replacement_policy docs.
• memory_cache_shared defaults to undef. memory_cache_shared docs.
• maximum_object_size_in_memory defaults to 512 KB. maximum_object_size_in_memory docs
• access_log defaults to daemon:/var/logs/squid/access.log squid. access_log docs
• coredump_dir defaults to undef. coredump_dir docs.
• error_directory defaults to undef. error_directory.
• err_page_stylesheet defaults to undef. err_page_stylesheet.
• package_name name of the squid package to manage, default depends on $operatingsystem
• service_name name of the squid service to manage, default depends on $operatingsystem
• max_filedescriptors defaults to undef. max_filedescriptors docs.
• workers defaults to undef. workers docs.
• snmp_incoming_address defaults to undef. Can be set to an IP address to only listen for snmp requests on an individual interface. snmp_incoming_address.
• buffered_logs defaults to undef. buffered_logs docs.
• acls defaults to undef. If you pass in a hash of acl entries, they will be defined automatically. acl entries.
• http_access defaults to undef. If you pass in a hash of http_access entries, they will be defined automatically. http_access entries.
• http_ports defaults to undef. If you pass in a hash of http_port entries, they will be defined automatically. http_port entries.
• https_ports defaults to undef. If you pass in a hash of https_port entries, they will be defined automatically. https_port entries.
• icp_access defaults to undef. If you pass in a hash of icp_access entries, they will be defined automatically. icp_access entries.
• refresh_patterns defaults to undef. If you pass a hash of refresh_pattern entires, they will be defined automatically. refresh_pattern entries.
• snmp_ports defaults to undef. If you pass in a hash of snmp_port entries, they will be defined automatically. snmp_port entries.
• cache_dirs defaults to undef. If you pass in a hash of cache_dir entries, they will be defined automatically. cache_dir entries.
• ssl_bump defaults to undef. If you pass in a hash of ssl_bump entries, they will be defined automatically. ssl_bump entries.
• sslproxy_cert_error defaults to undef. If you pass in a hash of sslproxy_cert_error entries, they will be defined automatically. sslproxy_cert_error entries.
• extra_config_sections defaults to empty hash. If you pass in a hash of extra_config_section resources, they will be defined automatically.

s { 'squid':
che_mem    => '512 MB',
rkers      => 3,
redump_dir => '/var/spool/squid',

uppet
s { 'squid':
che_mem    => '512 MB',
rkers      => 3,
redump_dir => '/var/spool/squid',
ls         => { 'remote_urls' => {
                  type    => 'url_regex',
                  entries => ['http://example.org/path',
                              'http://example.com/anotherpath'],
                },
              },
tp_access  => { 'our_networks hosts' => { action => 'allow', }},
tp_ports   => { '10000' => { options => 'accel vhost', }},
mp_ports   => { '1000' => { process_number => 3, }},
che_dirs   => { '/data/' => { type => 'ufs', options => '15000 32 256 min-size=32769', process_number => 2 }},

The acls, http_access, http_ports, snmp_port, cache_dirs lines above are equivalent to their examples below.

Defined Type squid::acl

Defines acl entries for a squid server.

d::acl { 'remote_urls':
ype    => 'url_regex',
ntries => ['http://example.org/path',
           'http://example.com/anotherpath'],

would result in a multi entry squid acl

remote_urls url_regex http://example.org/path
remote_urls url_regex http://example.com/anotherpath

These may be defined as a hash passed to ::squid

Parameters for Type squid::acl

• type The acltype of the acl, must be defined, e.g url_regex, urlpath_regex, port, ..
• aclname The name of acl, defaults to the title.
• entries An array of acl entries, multiple members results in multiple lines in squid.conf.
• order Each ACL has an order 05 by default this can be specified if order of ACL definition matters.

Defined Type squid::cache_dir

Defines cache_dir entries for a squid server.

d::cache_dir { '/data':
pe           => 'ufs',
tions        => '15000 32 256 min-size=32769',
ocess_number => 2,

Results in the squid configuration of

{processor} = 2
e_dir ufs 15000 32 256 min-size=32769
f

Parameters for Type squid::cache_dir

• type the type of cache, e.g ufs. defaults to ufs.
• path defaults to the namevar, file path to cache.
• options String of options for the cache. Defaults to empty string.
• process_number if specfied as an integer the cache will be wrapped in a if $proceess_number statement so the cache will be used by only one process. Default is undef.

Defined Type squid::cache

Defines cache entries for a squid server.

d::cache { 'our_network_hosts_acl':
tion    => 'deny',
mment   => 'Our networks hosts are denied for caching',

Adds a squid.conf line

r networks hosts denied for caching
e deny our_network_hosts_acl

Defined Type squid::http_access

Defines http_access entries for a squid server.

d::http_access { 'our_networks hosts':
tion => 'allow',

Adds a squid.conf line

tp_access fragment for out_networks hosts
_access allow our_networks hosts

uppet
d::http_access { 'our_networks hosts':
tion    => 'allow',
mment   => 'Our networks hosts are allowed',

Adds a squid.conf line

r networks hosts are allowed
_access allow our_networks hosts

Defined Type squid::snmp_access

Defines snmp_access entries for a squid server.

d::snmp_access { 'monitoring hosts':
tion => 'allow',

Adds a squid.conf line

mp_access fragment for monitoring hosts
_access allow monitoring hosts

uppet
d::snmp_access { 'monitoring hosts':
tion    => 'allow',
mment   => 'Our monitoring hosts are allowed',

Adds a squid.conf line

r monitoring hosts are allowed
_access allow monitoring hosts

These may be defined as a hash passed to ::squid

Defined Type squid::icp_access

Defines icp_access entries for a squid server.

d::icp_access { 'our_networks hosts':
tion => 'allow',

Adds a squid.conf line

access allow our_networks hosts

These may be defined as a hash passed to ::squid

Parameters for Type squid::http_allow

• value defaults to the namevar the rule to allow or deny.
• action must be deny or allow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with the order parameter.
• order by default is 05

Defined Type Squid::Http_port

Defines http_port entries for a squid server. By setting optional ssl parameter to true will create https_port entries instead.

d::http_port { '10000':
tions => 'accel vhost'

d::http_port { '10001':
l     => true,
tions => 'cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key'

Results in a squid configuration of

_port 10000 accel vhost
s_port 10001 cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key

Parameters for Type squid::http_port

• port defaults to the namevar and is the port number.
• options A string to specify any options for the default. By default and empty string.
• ssl A boolean. When set to true creates https_port entries. Defaults to false.

Defined Type Squid::Https_port

Defines https_port entries for a squid server. As an alternative to using the Squid::Http_port defined type with ssl set to true, you can use this type instead. The result is the same. Internally this type uses Squid::Http_port to create the configuration entries.

Parameters for Type squid::https_port

• port defaults to the namevar and is the port number.
• options A string to specify any options to add to the https_port line. Defaults to an empty string.

Defined Type squid::refresh_pattern

Defines refresh_pattern entries for a squid server.

d::refresh_pattern { '^ftp':
n     => 1440,
x     => 10080,
rcent => 20,
der   => 60,


d::refresh_pattern { '(/cgi-bin/|\?)':
se_sensitive => falke,
n            => 0,
x            => 0,
rcent        => 0,
der          => 61,

would result in the following squid refresh patterns

fresh_pattern fragment for ^ftp
esh_pattern ^ftp: 1440 20% 10080
fresh_pattern fragment for (/cgi-bin/|\?)
esh_pattern (/cgi-bin/|\?): -i 0 0% 0

These may be defined as a hash passed to ::squid

YAML example:

d::refresh_patterns:
ftp':
max:     10080
min:     1440
percent: 20
order:   '60'
gopher':
max:     1440
min:     1440
percent: 0
order:   '61'
/cgi-bin/|\?)':
case_sensitive: false
max:            0
min:            0
percent:        0
order:          '62'
':
max:     4320
min:     0
percent: 20
order:   '63'

Parameters for Type squid::refresh_pattern

• case_sensitive Boolean value, if true (default) the regex is case sensitive, when false the case insensitive flag '-i' is added to the pattern
• comment Comment added before refresh rule, defaults to refresh_pattern fragment for title
• min Must be defined, the time (in minutes) an object without an explicit expiry time should be considered fresh.
• max Must be defined, the upper limit (in minutes) on how long objects without an explicit expiry time will be considered fresh.
• percent Must be defined, is a percentage of the objects age (time since last modification age)
• options See squid documentation for available options.
• order Each refresh_pattern has an order 05 by default this can be specified if order of refresh_pattern definition matters.

Defined Type Squid::Snmp_port

Defines snmp_port entries for a squid server.

d::snmp_port { '1000':
ocess_number => 3

Results in a squid configuration of

{process_number} = 3
_port 1000
f

Parameters for Type squid::http_port

• port defaults to the namevar and is the port number.
• options A string to specify any options for the default. By default and empty string.
• process_number If set to and integer the snmp_port is enabled only for a particular squid thread. Defaults to undef.

Defined Type squid::auth_param

Defines auth_param entries for a squid server.

d::auth_param { 'basic auth_param':
heme  => 'basic',
tries => [
'program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd',
'children 5',
'realm Squid Basic Authentication',
'credentialsttl 5 hours',

would result in multi entry squid auth_param

_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
_param basic children 5
_param basic realm Squid Basic Authentication
_param basic credentialsttl 5 hours

These may be defined as a hash passed to ::squid

Parameters for Type squid::auth_param

• scheme the scheme used for authentication must be defined
• entries An array of entries, multiple members results in multiple lines in squid.conf
• order by default is '40'

Defined Type squid::ssl_bump

Defines ssl_bump entries for a squid server.

d::ssl_bump { 'all':
tion => 'bump',

Adds a squid.conf line

bump bump all

These may be defined as a hash passed to ::squid

Parameters for Type squid::ssl_bump

• value The type of the ssl_bump, must be defined, e.g bump, peek, ..
• action The name of acl, defaults to bump.
• order by default is 05

Defined Type squid::sslproxy_cert_error

Defines sslproxy_cert_error entries for a squid server.

d::sslproxy_cert_error { 'all':
tion => 'allow',

Adds a squid.conf line

roxy_cert_error allow all

These may be defined as a hash passed to ::squid

Parameters for Type squid::sslproxy_cert_error

• value defaults to the namevar the rule to allow or deny.
• action must be deny or allow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with the order parameter.
• order by default is 05

Defined Type squid::extra_config_section

Squid has a large number of configuration directives. Not all of these have been exposed individually in this module. For those that haven't, the extra_config_section defined type can be used.

Using a hash of config_entries:

d::extra_config_section { 'mail settings':
der          => '60',
nfig_entries => {
'mail_from'    => 'squid@example.com',
'mail_program' => 'mail',

Results in a squid configuration of

il settings
_from squid@example.com
_program mail

Using an array of config_entries:

d::extra_config_section { 'ssl_bump settings':
der          => '60',
nfig_entries => {
'ssl_bump'         => ['server-first', 'all'],
'sslcrtd_program'  => ['/usr/lib64/squid/ssl_crtd', '-s', '/var/lib/ssl_db', '-M', '4MB'],
'sslcrtd_children' => ['8', 'startup=1', 'idle=1'],

Results in a squid configuration of

l_bump settings
bump server-first all
rtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
rtd_children 8 startup=1 idle=1

Using an array of hashes of config_entries:

d::extra_config_section { 'always_directs':
der          => '60',
nfig_entries => [{
'always_direct' => ['deny    www.reallyreallybadplace.com',
                    'allow   my-good-dst',
                    'allow   my-other-good-dst'],
,

Results in a squid configuration of

ways_directs
ys_direct deny    www.reallyreallybadplace.com
ys_direct allow   my-good-dst
ys_direct allow   my-other-good-dst

Parameters for Type squid::extra_config_section

• comment defaults to the namevar and is used as a section comment in squid.conf.
• config_entries A hash of configuration entries to create in this section. The hash key is the name of the configuration directive. The value is either a string, or an array of strings to use as the configuration directive options.
• order by default is '60'. It can be used to configure where in squid.conf this configuration section should occur.