Puppet module for Squid

Description

Puppet module for configuring the squid caching service.

Usage

The set up a simple squid server with a cache to forward http port 80 requests.

class{'::squid':}
squid::acl{'Safe_ports':
  type    => port,
  entries => ['80'],
}
squid::http_access{'Safe_ports':
  action => allow,
}
squid::http_access{'!Safe_ports':
  action => deny,
}

Parameters for squid Class

Parameters to the squid class almost map 1 to 1 to squid.conf parameters themselves.

• ensure_service The ensure value of the squid service, defaults to running.
• enable_service The enable value of the squid service, defaults to true.
• config Location of squid.conf file, defaults to /etc/squid/squid.conf.
• config_user user which owns the config file, default depends on $operatingsystem
• config_group group which owns the config file, default depends on $operatingsystem
• daemon_user user which runs the squid daemon, this is used for ownership of the cache directory, default depends on $operatingsystem
• daemon_group group which runs the squid daemon, this is used for ownership of the cache directory, default depends on $operatingsystem
• cache_mem defaults to 256 MB. cache_mem docs.
• memory_cache_shared defaults to undef. memory_cache_shared docs.
• maximum_object_size_in_memory defaults to 512 KB. maximum_object_size_in_memory docs
• access_log defaults to daemon:/var/logs/squid/access.log squid. access_log docs
• coredump_dir defaults to undef. coredump_dir docs.
• package_name name of the squid package to manage, default depends on $operatingsystem
• service_name name of the squid service to manage, default depends on $operatingsystem
• max_filedescriptors defaults to undef. max_filedescriptors docs.
• workers defaults to undef. workers docs.
• acls defaults to undef. If you pass in a hash of acl entries, they will be defined automatically. acl entries.
• http_access defaults to undef. If you pass in a hash of http_access entries, they will be defined automatically. http_access entries.
• http_ports defaults to undef. If you pass in a hash of http_port entries, they will be defined automatically. http_port entries.
• https_ports defaults to undef. If you pass in a hash of https_port entries, they will be defined automatically. https_port entries.
• icp_access defaults to undef. If you pass in a hash of icp_access entries, they will be defined automatically. icp_access entries.
• snmp_ports defaults to undef. If you pass in a hash of snmp_port entries, they will be defined automatically. snmp_port entries.
• cache_dirs defaults to undef. If you pass in a hash of cache_dir entries, they will be defined automatically. cache_dir entries.
• ssl_bump defaults to undef. If you pass in a hash of ssl_bump entries, they will be defined automatically. ssl_bump entries.
• sslproxy_cert_error defaults to undef. If you pass in a hash of sslproxy_cert_error entries, they will be defined automatically. sslproxy_cert_error entries.
• extra_config_sections defaults to empty hash. If you pass in a hash of extra_config_section resources, they will be defined automatically.

class{'::squid':
  cache_mem    => '512 MB',
  workers      => 3,
  coredump_dir => '/var/spool/squid',
}

class{'::squid':
  cache_mem    => '512 MB',
  workers      => 3,
  coredump_dir => '/var/spool/squid',
  acls         => { 'remote_urls' => {
                       type    => 'url_regex',
                       entries => ['http://example.org/path',
                                   'http://example.com/anotherpath'],
                       },
                  },
  http_access  => { 'our_networks hosts' => { action => 'allow', },
  http_ports   => { '10000' => { options => 'accel vhost'} },
  snmp_ports   => { '1000' => { process_number => 3 },
  cache_dirs   => { '/data/' => { type => 'ufs', options => '15000 32 256 min-size=32769', process_number => 2 }},
}

The acls, http_access, http_ports, snmp_port, cache_dirs lines above are equivalent to their examples below.

Defined Type squid::acl

Defines acl entries for a squid server.

squid::acl{'remote_urls':
   type    => 'url_regex',
   entries => ['http://example.org/path',
               'http://example.com/anotherpath'],

}

would result in a multi entry squid acl

acl remote_urls url_regex http://example.org/path
acl remote_urls url_regex http://example.com/anotherpath

These may be defined as a hash passed to ::squid

Parameters for Type squid::acl

• type The acltype of the acl, must be defined, e.g url_regex, urlpath_regex, port, ..
• aclname The name of acl, defaults to the title.
• entries An array of acl entries, multiple members results in multiple lines in squid.conf.
• order Each ACL has an order 05 by default this can be specified if order of ACL definition matters.

Defined Type squid::cache_dir

Defines cache_dir entries for a squid server.

squid::cache_dir{'/data':
  type           => 'ufs',
  options        => '15000 32 256 min-size=32769',
  process_number => 2,
}

Results in the squid configuration of

if ${processor} = 2
cache_dir ufs 15000 32 256 min-size=32769
endif

Parameters for Type squid::cache_dir

• type the type of cache, e.g ufs. defaults to ufs.
• path defaults to the namevar, file path to cache.
• options String of options for the cache. Defaults to empty string.
• process_number if specfied as an integer the cache will be wrapped in a if $proceess_number statement so the cache will be used by only one process. Default is undef.

Defined Type squid::http_access

Defines http_access entries for a squid server.

squid::http_access{'our_networks hosts':
  action => 'allow',
}

Adds a squid.conf line

# http_access fragment for out_networks hosts
http_access allow our_networks hosts

squid::http_access{'our_networks hosts':
  action    => 'allow',
  comment   => 'Our networks hosts are allowed',
}

Adds a squid.conf line

# Our networks hosts are allowed
http_access allow our_networks hosts

These may be defined as a hash passed to ::squid

Defined Type squid::icp_access

Defines icp_access entries for a squid server.

squid::icp_access{'our_networks hosts':
  action => 'allow',
}

Adds a squid.conf line

icp_access allow our_networks hosts

These may be defined as a hash passed to ::squid

Parameters for Type squid::http_allow

• value defaults to the namevar the rule to allow or deny.
• action must be deny or allow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with the order parameter.
• order by default is 05

Defined Type Squid::Http_port

Defines http_port entries for a squid server. By setting optional ssl parameter to true will create https_port entries instead.

squid::http_port{'10000':
  options => 'accel vhost'
}
squid::http_port{'10001':
  ssl     => true,
  options => 'cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key'
}

Results in a squid configuration of

http_port 10000 accel vhost
https_port 10001 cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key

Parameters for Type squid::http_port

• port defaults to the namevar and is the port number.
• options A string to specify any options for the default. By default and empty string.
• ssl A boolean. When set to true creates https_port entries. Defaults to false.

Defined Type Squid::Https_port

Defines https_port entries for a squid server. As an alternative to using the Squid::Http_port defined type with ssl set to true, you can use this type instead. The result is the same. Internally this type uses Squid::Http_port to create the configuration entries.

Parameters for Type squid::https_port

• port defaults to the namevar and is the port number.
• options A string to specify any options to add to the https_port line. Defaults to an empty string.

Defined Type Squid::Snmp_port

Defines snmp_port entries for a squid server.

squid::snmp_port{'1000':
  process_number => 3
}

Results in a squid configuration of

if ${process_number} = 3
snmp_port 1000
endif

Parameters for Type squid::http_port

• port defaults to the namevar and is the port number.
• options A string to specify any options for the default. By default and empty string.
• process_number If set to and integer the snmp_port is enabled only for a particular squid thread. Defaults to undef.

Defined Type squid::auth_param

Defines auth_param entries for a squid server.

squid::auth_param{ 'basic auth_param':
  scheme    => 'basic',
  entries   => ['program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd',
                'children 5',
                'realm Squid Basic Authentication',
                'credentialsttl 5 hours'],
}

would result in multi entry squid auth_param

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours

These may be defined as a hash passed to ::squid

Parameters for Type squid::auth_param

• scheme the scheme used for authentication must be defined
• entries An array of entries, multiple members results in multiple lines in squid.conf
• order by default is '40'

Defined Type squid::ssl_bump

Defines ssl_bump entries for a squid server.

squid::ssl_bump{'all':
  action => 'bump',
}

Adds a squid.conf line

ssl_bump bump all

These may be defined as a hash passed to ::squid

Parameters for Type squid::ssl_bump

• value The type of the ssl_bump, must be defined, e.g bump, peek, ..
• action The name of acl, defaults to bump.
• order by default is 05

Defined Type squid::sslproxy_cert_error

Defines sslproxy_cert_error entries for a squid server.

squid::sslproxy_cert_error{'all':
  action => 'allow',
}

Adds a squid.conf line

sslproxy_cert_error allow all

These may be defined as a hash passed to ::squid

Parameters for Type squid::sslproxy_cert_error

• value defaults to the namevar the rule to allow or deny.
• action must be deny or allow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with the order parameter.
• order by default is 05

Defined Type squid::extra_config_section

Squid has a large number of configuration directives. Not all of these have been exposed individually in this module. For those that haven't, the extra_config_section defined type can be used.

squid::extra_config_section {'mail settings':
  order          => '60',
  config_entries => {
    'mail_from'    => 'squid@example.com',
    'mail_program' => 'mail',
  },
}

Results in a squid configuration of

# mail settings
mail_from squid@example.com
mail_program mail

Parameters for Type squid::extra_config_section

• comment defaults to the namevar and is used as a section comment in squid.conf.
• config_entries A hash of configuration entries to create in this section. The hash key is the name of the configuration directive. The value is either a string, or an array of strings to use as the configuration directive options.
• order by default is '60'. It can be used to configure where in squid.conf this configuration section should occur.

Changelog

2017-03-30 - Release 0.5.0

• Add beaker acceptance tests
• An optional $comment param for http_access and acl (#47)
• Add support for freebsd

2017-01-12 - Release 0.4.0

Last release with Puppet 3 support!

• Fix minor syntax issue in README example code
• rubocop: fix RSpec/ImplicitExpect
• adds logformat directive to squid.conf header
• adds test for ::logformat parameter
• Added ssl_bump and sslproxy_cert_error support
• Added support for icp_access Squid conf setting
• Fix ordering issue with missing squid user for cache_dir

2016-09-19 - Release 0.3.0

• Add https_port defined type.
• Add extra_config_section permits extra random configuration.
• The auth_params defintions now appear before ACLs as it should.
• New parameters to specify owner of configuration, daemon name and executer to control cache directory.
• Addition of debian and ubuntu support.

2016-06-01 - Release 0.2.2

• Correct documentation examples.

2016-06-01 - Release 0.2.1

• All defined types can now be loaded as a hash to init and so can be loaded easily from hiera. e.g

class{'squid:
   http_ports => {'10000' =>  { options => 'accel vhost'},
                  '3000'  => {},
                 }

2016-04-18 - Release 0.1.1

• Add tags to module metadata.

2016-04-13 - Release 0.1.0