Name: puppet-squid
Owner: Vox Pupuli
Description: Puppet module for configuration of squid caching proxy.
Created: 2016-04-13 07:33:31.0
Updated: 2017-01-20 16:18:18.0
Pushed: 2018-01-04 09:44:24.0
Homepage: https://forge.puppet.com/puppet/squid
Size: 195
Language: Ruby
Puppet module for configuring the squid caching service.

To set up a simple squid server with a cache that forwards HTTP port 80 requests:

```puppet
class { 'squid': }
squid::acl { 'Safe_ports':
  type    => port,
  entries => ['80'],
}
squid::http_access { 'Safe_ports':
  action => allow,
}
squid::http_access { '!Safe_ports':
  action => deny,
}
```
Parameters to the squid class map almost 1 to 1 to squid.conf directives. For parameters described below only by their default, see the squid.conf documentation for the directive of the same name.

- ensure_service: the ensure value of the squid service, defaults to running.
- enable_service: the enable value of the squid service, defaults to true.
- config: location of the squid.conf file, defaults to /etc/squid/squid.conf.
- config_user: user which owns the config file, default depends on $operatingsystem.
- config_group: group which owns the config file, default depends on $operatingsystem.
- daemon_user: user which runs the squid daemon; this is used for ownership of the cache directory, default depends on $operatingsystem.
- daemon_group: group which runs the squid daemon; this is used for ownership of the cache directory, default depends on $operatingsystem.
- cache_mem: defaults to 256 MB.
- cache_replacement_policy: defaults to undef.
- memory_replacement_policy: defaults to undef.
- memory_cache_shared: defaults to undef.
- maximum_object_size_in_memory: defaults to 512 KB.
- access_log: defaults to daemon:/var/logs/squid/access.log squid.
- coredump_dir: defaults to undef.
- error_directory: defaults to undef.
- err_page_stylesheet: defaults to undef.
- package_name: name of the squid package to manage, default depends on $operatingsystem.
- service_name: name of the squid service to manage, default depends on $operatingsystem.
- max_filedescriptors: defaults to undef.
- workers: defaults to undef.
- snmp_incoming_address: defaults to undef. Can be set to an IP address to only listen for snmp requests on an individual interface.
- buffered_logs: defaults to undef.
- acls: defaults to undef. If you pass in a hash of acl entries, they will be defined automatically.
- http_access: defaults to undef. If you pass in a hash of http_access entries, they will be defined automatically.
- http_ports: defaults to undef. If you pass in a hash of http_port entries, they will be defined automatically.
- https_ports: defaults to undef. If you pass in a hash of https_port entries, they will be defined automatically.
- icp_access: defaults to undef. If you pass in a hash of icp_access entries, they will be defined automatically.
- refresh_patterns: defaults to undef. If you pass in a hash of refresh_pattern entries, they will be defined automatically.
- snmp_ports: defaults to undef. If you pass in a hash of snmp_port entries, they will be defined automatically.
- cache_dirs: defaults to undef. If you pass in a hash of cache_dir entries, they will be defined automatically.
- ssl_bump: defaults to undef. If you pass in a hash of ssl_bump entries, they will be defined automatically.
- sslproxy_cert_error: defaults to undef. If you pass in a hash of sslproxy_cert_error entries, they will be defined automatically.
- extra_config_sections: defaults to an empty hash. If you pass in a hash of extra_config_section resources, they will be defined automatically.

```puppet
class { 'squid':
  cache_mem    => '512 MB',
  workers      => 3,
  coredump_dir => '/var/spool/squid',
}
```

```puppet
class { 'squid':
  cache_mem    => '512 MB',
  workers      => 3,
  coredump_dir => '/var/spool/squid',
  acls         => { 'remote_urls' => {
                      type    => 'url_regex',
                      entries => ['http://example.org/path',
                                  'http://example.com/anotherpath'],
                    },
                  },
  http_access  => { 'our_networks hosts' => { action => 'allow', }},
  http_ports   => { '10000' => { options => 'accel vhost', }},
  snmp_ports   => { '1000' => { process_number => 3, }},
  cache_dirs   => { '/data/' => { type => 'ufs', options => '15000 32 256 min-size=32769', process_number => 2 }},
}
```

The acls, http_access, http_ports, snmp_ports and cache_dirs entries above are equivalent to the defined-type examples below.
Defines acl entries for a squid server.

```puppet
squid::acl { 'remote_urls':
  type    => 'url_regex',
  entries => ['http://example.org/path',
              'http://example.com/anotherpath'],
}
```

would result in a multi-entry squid acl

```
acl remote_urls url_regex http://example.org/path
acl remote_urls url_regex http://example.com/anotherpath
```

These may be defined as a hash passed to ::squid.

- type: the acltype of the acl, must be defined, e.g. url_regex, urlpath_regex, port, ...
- aclname: the name of the acl, defaults to the title.
- entries: an array of acl entries; multiple members result in multiple lines in squid.conf.
- order: each acl has an order of 05 by default; this can be specified if the order of acl definition matters.

Defines cache_dir entries for a squid server.
```puppet
squid::cache_dir { '/data':
  type           => 'ufs',
  options        => '15000 32 256 min-size=32769',
  process_number => 2,
}
```

Results in the squid configuration of

```
if ${process_number} = 2
cache_dir ufs /data 15000 32 256 min-size=32769
endif
```

- type: the type of cache, e.g. ufs. Defaults to ufs.
- path: defaults to the namevar; the file path of the cache.
- options: string of options for the cache. Defaults to an empty string.
- process_number: if specified as an integer, the cache_dir is wrapped in an if ${process_number} statement so the cache is used by only one process. Default is undef.

Defines cache entries for a squid server.
```puppet
squid::cache { 'our_network_hosts_acl':
  action  => 'deny',
  comment => 'Our networks hosts are denied for caching',
}
```

Adds a squid.conf line

```
# Our networks hosts are denied for caching
cache deny our_network_hosts_acl
```
Defines http_access entries for a squid server.

```puppet
squid::http_access { 'our_networks hosts':
  action => 'allow',
}
```

Adds a squid.conf line

```
# http_access fragment for our_networks hosts
http_access allow our_networks hosts
```

```puppet
squid::http_access { 'our_networks hosts':
  action  => 'allow',
  comment => 'Our networks hosts are allowed',
}
```

Adds a squid.conf line

```
# Our networks hosts are allowed
http_access allow our_networks hosts
```
Defines snmp_access entries for a squid server.

```puppet
squid::snmp_access { 'monitoring hosts':
  action => 'allow',
}
```

Adds a squid.conf line

```
# snmp_access fragment for monitoring hosts
snmp_access allow monitoring hosts
```

```puppet
squid::snmp_access { 'monitoring hosts':
  action  => 'allow',
  comment => 'Our monitoring hosts are allowed',
}
```

Adds a squid.conf line

```
# Our monitoring hosts are allowed
snmp_access allow monitoring hosts
```

These may be defined as a hash passed to ::squid.
Defines icp_access entries for a squid server.

```puppet
squid::icp_access { 'our_networks hosts':
  action => 'allow',
}
```

Adds a squid.conf line

```
icp_access allow our_networks hosts
```

These may be defined as a hash passed to ::squid.

- value: defaults to the namevar; the rule (acl names) to allow or deny.
- action: must be deny or allow. By default it is allow. The squid.conf file is ordered so that by default all allows appear before all denys. This can be overridden with the order parameter.
- order: by default is 05.
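The ordering rule just described (default order 05, allows before denys, overridable with order) decides which access line squid reaches first. As an added illustration that is not the module's own template code, the Ruby below renders a hash of http_access entries in that order and then evaluates a request against the result the way squid does (first matching line wins, no match gives the opposite of the last line); the sort key that puts allows before denys is my approximation of the module's behaviour, and the sample rules are constructed from this page's Safe_ports example.

```ruby
# Added illustration of the ordering rules described above, not the module's
# own template code. Page rules: default order '05', allows emitted before
# denys unless an explicit order overrides. Squid then evaluates top-down.
DEFAULT_ORDER = '05'

# entries has the shape of the hash passed to ::squid:
#   { 'acl names' => { 'action' => 'allow'|'deny', 'order' => '05' } }
# Returns the squid.conf http_access lines in emitted order.
def render_http_access(entries)
  keyed = entries.map do |name, opts|
    action = (opts['action'] || 'allow').to_s
    raise ArgumentError, "bad action #{action}" unless %w[allow deny].include?(action)
    # sort key: explicit/default order first, then 'allow' before 'deny'
    # (my approximation of the "allows before denys" rule), then name
    [(opts['order'] || DEFAULT_ORDER).to_s, action, name]
  end
  keyed.sort.map { |order, action, name| "http_access #{action} #{name}" }
end

# Decide a request the way squid does: acl terms on one line are ANDed,
# a leading '!' negates a term, the first matching line wins, and with no
# match the result is the opposite of the last line's action.
def decide(lines, matched)
  last_action = nil
  lines.each do |line|
    _, action, terms = line.split(' ', 3)
    last_action = action
    hit = terms.split.all? do |t|
      present = matched.include?(t.delete_prefix('!'))
      t.start_with?('!') ? !present : present
    end
    return action if hit
  end
  last_action == 'allow' ? 'deny' : 'allow'
end

# Constructed sample: the Safe_ports rules from the first example on this
# page plus a catch-all deny forced last with an explicit order.
SAMPLE = {
  '!Safe_ports' => { 'action' => 'deny' },
  'Safe_ports'  => { 'action' => 'allow' },
  'all'         => { 'action' => 'deny', 'order' => '90' },
}

if __FILE__ == $PROGRAM_NAME
  lines = render_http_access(SAMPLE)
  puts lines, "port 80: #{decide(lines, %w[Safe_ports all])}",
       "port 25: #{decide(lines, %w[all])}"
end
```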
Defines http_port entries for a squid server. Setting the optional ssl parameter to true creates https_port entries instead.

```puppet
squid::http_port { '10000':
  options => 'accel vhost'
}
squid::http_port { '10001':
  ssl     => true,
  options => 'cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key'
}
```

Results in a squid configuration of

```
http_port 10000 accel vhost
https_port 10001 cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key
```

- port: defaults to the namevar and is the port number.
- options: a string to specify any options for the port. Defaults to an empty string.
- ssl: a boolean. When set to true, creates https_port entries. Defaults to false.

Defines https_port entries for a squid server.
As an alternative to using the Squid::Http_port defined type with ssl set to true, you can use this type instead. The result is the same. Internally this type uses Squid::Http_port to create the configuration entries.

- port: defaults to the namevar and is the port number.
- options: a string to specify any options to add to the https_port line. Defaults to an empty string.

Defines refresh_pattern entries for a squid server.
```puppet
squid::refresh_pattern { '^ftp':
  min     => 1440,
  max     => 10080,
  percent => 20,
  order   => 60,
}
squid::refresh_pattern { '(/cgi-bin/|\?)':
  case_sensitive => false,
  min            => 0,
  max            => 0,
  percent        => 0,
  order          => 61,
}
```

would result in the following squid refresh patterns

```
# refresh_pattern fragment for ^ftp
refresh_pattern ^ftp: 1440 20% 10080
# refresh_pattern fragment for (/cgi-bin/|\?)
refresh_pattern (/cgi-bin/|\?): -i 0 0% 0
```

These may be defined as a hash passed to ::squid.

YAML example:

```yaml
squid::refresh_patterns:
  '^ftp':
    max: 10080
    min: 1440
    percent: 20
    order: '60'
  '^gopher':
    max: 1440
    min: 1440
    percent: 0
    order: '61'
  '(/cgi-bin/|\?)':
    case_sensitive: false
    max: 0
    min: 0
    percent: 0
    order: '62'
  '.':
    max: 4320
    min: 0
    percent: 20
    order: '63'
```

- case_sensitive: boolean; if true (the default) the regex is case sensitive, when false the case-insensitive flag '-i' is added to the pattern.
- comment: comment added before the refresh rule, defaults to "refresh_pattern fragment for <title>".
- min: must be defined; the time (in minutes) an object without an explicit expiry time should be considered fresh.
- max: must be defined; the upper limit (in minutes) on how long objects without an explicit expiry time will be considered fresh.
- percent: must be defined; a percentage of the object's age (time since last modification).
- options: see the squid documentation for available options.
- order: each refresh_pattern has an order of 05 by default; this can be specified if the order of refresh_pattern definition matters.

Defines snmp_port entries for a squid server.
```puppet
squid::snmp_port { '1000':
  process_number => 3
}
```

Results in a squid configuration of

```
if ${process_number} = 3
snmp_port 1000
endif
```

- port: defaults to the namevar and is the port number.
- options: a string to specify any options for the port. Defaults to an empty string.
- process_number: if set to an integer, the snmp_port is enabled only for a particular squid thread. Defaults to undef.

Defines auth_param entries for a squid server.
```puppet
squid::auth_param { 'basic auth_param':
  scheme  => 'basic',
  entries => [
    'program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd',
    'children 5',
    'realm Squid Basic Authentication',
    'credentialsttl 5 hours',
  ],
}
```

would result in a multi-entry squid auth_param

```
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours
```

These may be defined as a hash passed to ::squid.

- scheme: the scheme used for authentication; must be defined.
- entries: an array of entries; multiple members result in multiple lines in squid.conf.
- order: by default is '40'.

Defines ssl_bump entries for a squid server.
```puppet
squid::ssl_bump { 'all':
  action => 'bump',
}
```

Adds a squid.conf line

```
ssl_bump bump all
```

These may be defined as a hash passed to ::squid.

- value: the acl the rule applies to (the second word of the ssl_bump line); defaults to the namevar.
- action: the ssl_bump action, e.g. bump, peek, ...; defaults to bump.
- order: by default is 05.

Defines sslproxy_cert_error entries for a squid server.
```puppet
squid::sslproxy_cert_error { 'all':
  action => 'allow',
}
```

Adds a squid.conf line

```
sslproxy_cert_error allow all
```

Note that sslproxy_cert_error allow all makes squid accept every upstream server certificate error (expired, mismatched or untrusted certificates), so in production restrict it to a narrow acl rather than all.

These may be defined as a hash passed to ::squid.

- value: defaults to the namevar; the rule (acl names) to allow or deny.
- action: must be deny or allow. By default it is allow. The squid.conf file is ordered so that by default all allows appear before all denys. This can be overridden with the order parameter.
- order: by default is 05.
Squid has a large number of configuration directives. Not all of these have been exposed individually in this module. For those that haven't, the extra_config_section defined type can be used.

Using a hash of config_entries:

```puppet
squid::extra_config_section { 'mail settings':
  order          => '60',
  config_entries => {
    'mail_from'    => 'squid@example.com',
    'mail_program' => 'mail',
  },
}
```

Results in a squid configuration of

```
# mail settings
mail_from squid@example.com
mail_program mail
```

Using an array of config_entries:

```puppet
squid::extra_config_section { 'ssl_bump settings':
  order          => '60',
  config_entries => {
    'ssl_bump'         => ['server-first', 'all'],
    'sslcrtd_program'  => ['/usr/lib64/squid/ssl_crtd', '-s', '/var/lib/ssl_db', '-M', '4MB'],
    'sslcrtd_children' => ['8', 'startup=1', 'idle=1'],
  },
}
```

Results in a squid configuration of

```
# ssl_bump settings
ssl_bump server-first all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
```

Using an array of hashes of config_entries:

```puppet
squid::extra_config_section { 'always_directs':
  order          => '60',
  config_entries => [{
    'always_direct' => ['deny www.reallyreallybadplace.com',
                        'allow my-good-dst',
                        'allow my-other-good-dst'],
  }],
}
```

Results in a squid configuration of

```
# always_directs
always_direct deny www.reallyreallybadplace.com
always_direct allow my-good-dst
always_direct allow my-other-good-dst
```

- comment: defaults to the namevar and is used as a section comment in squid.conf.
- config_entries: a hash of configuration entries to create in this section. The hash key is the name of the configuration directive. The value is either a string, or an array of strings to use as the configuration directive options.
- order: by default is '60'. It can be used to configure where in squid.conf this configuration section should occur.