squid

Table of Contents

1. Overview
2. Module Description
3. Setup
   • What squid affects
   • Setup requirements
   • Beginning with squid
4. Usage
5. Reference
6. Limitations
7. Development
   • TODO
   • Contributing

Overview

squid management

Module Description

This module setups and configures squid. It has limited ACL support

Setup

What squid affects

• squid package management
• squid configuration management
• logrotation configurtion (only if eyp-logrotate is available)

Setup Requirements

This module requires pluginsync enabled

Beginning with squid

class { 'squid':
        visible_hostname => 'example',
        disable_cache => true,
    }

Usage

accesslog/logformat

squid::logformat { 'squid-demo':
  format => 'timestamp="%{%Y-%m-%dT%H:%M:%S%z}tg" vendor="Squid" src=%>a url="%>ru" src_ip=%">a status=%<Hs http_user_agent="%{User-Agent}>h" http_method=%>rm http_content_type=%mt http_content_type_raw="%{Content-Type}<h" bytes_in=%<st bytes_out=%>st user=%un http_referer="%{Referer}>h" uri_path="%rp" url_port=%<p uri_scheme=%>rs duration=%<tt dest_port=%<p src_port=%>p dest_ip=%<a proxy_ip=%<la proxy_dest_port=%>lp proxy_src_port=%<lp dest_host=%{Host}>h',
}

squid::accesslog { '/var/log/squid/access.log':
  logformat => 'squid-demo',
}

allow/deny domains

squid::domain { '.systemadmin.es':
  action => 'allow',
}

squid::domain { '.facebook.com':
  action => 'deny',
}

squid::domain { '.meneame.net':
  action => 'deny',
}

squid::domain { '.twitter.com':
  action => 'deny',
}

acl management

squid::acl { 'RHEL-UpdateServers':
  type => 'dst',
  values => [ 'subscription.rhn.redhat.com', 'subscription.rhsm.redhat.com' ],
}

this generates the following ACLs:

acl RHEL-UpdateServers dst subscription.rhn.redhat.com
acl RHEL-UpdateServers dst subscription.rhsm.redhat.com

http_access management

squid::httpaccess { 'RHEL-UpdateServers':
}

http_access allow RHEL-UpdateServers

squidclient example

# squidclient -h 127.0.0.1 -p 3128 mgr:info
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Wed, 30 Nov 2016 16:07:26 GMT
Content-Type: text/plain
Expires: Wed, 30 Nov 2016 16:07:26 GMT
Last-Modified: Wed, 30 Nov 2016 16:07:26 GMT
X-Cache: MISS from =
X-Cache-Lookup: MISS from =:3128
Connection: close

Squid Object Cache: Version 3.3.8
Start Time: Wed, 30 Nov 2016 16:06:53 GMT
Current Time:   Wed, 30 Nov 2016 16:07:26 GMT
Connection information for squid:
    Number of clients accessing cache:  1
    Number of HTTP requests received:   0
    Number of ICP messages received:    0
    Number of ICP messages sent:    0
    Number of queued ICP replies:   0
    Number of HTCP messages received:   0
    Number of HTCP messages sent:   0
    Request failure ratio:   0.00
    Average HTTP requests per minute since start:   0.0
    Average ICP messages per minute since start:    0.0
    Select loop called: 4562 times, 7.216 ms avg
Cache information for squid:
    Hits as % of all requests:  5min: 0.0%, 60min: 0.0%
    Hits as % of bytes sent:    5min: -0.0%, 60min: -0.0%
    Memory hits as % of hit requests:   5min: 0.0%, 60min: 0.0%
    Disk hits as % of hit requests: 5min: 0.0%, 60min: 0.0%
    Storage Swap size:  0 KB
    Storage Swap capacity:   0.0% used,  0.0% free
    Storage Mem size:   216 KB
    Storage Mem capacity:    0.1% used, 99.9% free
    Mean Object Size:   0.00 KB
    Requests given to unlinkd:  0
Median Service Times (seconds)  5 min    60 min:
    HTTP Requests (All):   0.00000  0.00000
    Cache Misses:          0.00000  0.00000
    Cache Hits:            0.00000  0.00000
    Near Hits:             0.00000  0.00000
    Not-Modified Replies:  0.00000  0.00000
    DNS Lookups:           0.00000  0.00000
    ICP Queries:           0.00000  0.00000
Resource usage for squid:
    UP Time:    32.919 seconds
    CPU Time:   0.125 seconds
    CPU Usage:  0.38%
    CPU Usage, 5 minute avg:    0.00%
    CPU Usage, 60 minute avg:   0.00%
    Process Data Segment Size via sbrk(): 5708 KB
    Maximum Resident Size: 62496 KB
    Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
    Total space in arena:    5840 KB
    Ordinary blocks:         5764 KB      4 blks
    Small blocks:               0 KB      0 blks
    Holding blocks:          9940 KB      6 blks
    Free Small blocks:          0 KB
    Free Ordinary blocks:      76 KB
    Total in use:              76 KB 0%
    Total free:                76 KB 0%
    Total size:             15780 KB
Memory accounted for:
    Total accounted:          359 KB   2%
    memPool accounted:        359 KB   2%
    memPool unaccounted:    15421 KB  98%
    memPoolAlloc calls:      1555
    memPoolFree calls:       1565
File descriptor usage for squid:
    Maximum number of file descriptors:   16384
    Largest file desc currently in use:     11
    Number of file desc currently in use:    6
    Files queued for open:                   0
    Available number of file descriptors: 16378
    Reserved number of file descriptors:   100
    Store Disk files open:                   0
Internal Data Structures:
        52 StoreEntries
        52 StoreEntries with MemObjects
        51 Hot Object Cache Items
         0 on-disk objects

Reference

classes

squid

• port: = '0.0.0.0:3128',
• disable_cache: = true,
• httpd_suppress_version_string: = true,
• add_via_header: = false,
• add_forwarded_for_header: = false,
• strip_query_terms: = true,
• coredump_dir: = $squid::params::coredump_dir_default,
• localnet: = [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7', 'fe80::/10' ],
• ssl_ports: = [ '443' ],
• safe_ports: = [ '80', '21', '443', '3128' ],
• unsafeports_action: = 'deny',
• localnet_action: = 'allow',
• localhost_action: = 'allow',
• default_action: = 'deny',
• manage_package: = true,
• package_ensure: = 'installed',
• manage_service: = true,
• manage_docker_service: = true,
• service_ensure: = 'running',
• service_enable: = true,
• manager_allow: = [ 'localhost' ],
• manager_default_rule: = 'deny',
• install_client: = true,
• visible_hostname: = undef,
• configure_logrotate: = true,
• logrotate_rotate: = '4',
• logrotate_compress: = true,
• logrotate_missingok: = true,
• logrotate_notifempty: = true,
• logrotate_frequency: = 'weekly',
• cache_dir: = '/var/spool/squid',
• cache_format: = 'ufs',
• cache_l1: = '16',
• cache_l2: = '256',
• cache_size_mb: = '100',

defines

accesslog

• path: = $name,
• module: = 'daemon',
• logformat: = 'squid',

domain

• domainname: = $name,
• action: = 'deny',
• order: = undef,

logformat

• format:,
• logname: = $name,

httpaccess

• acls: [ $name ]
• action: 'allow'
• description: undef
• order: '0'

acl

• values:
• type: (defalt: src)
• aclname: = $name,
• order: = '0',
• description: = undef,

Limitations

Manually validated on CentOS 7

Development

We are pushing to have acceptance testing in place, so any new feature should have some test to check both presence and absence of any feature

TODO

• upstream proxy: http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/

Contributing

1. Fork it
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Added some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request

CHANGELOG

0.1.6

• modified squid::httpaccess to allow multiple ACLs
• added a variable (add_default_localnet_rule) if a default http_access rule needs to be included for localnet

0.1.5

• added squid::accesslog
• added squid::logformat
• added squid::acl
• added squid::httpaccess

0.1.4

• dropped centos5 support
• added logrotate management
• added cache_dir settings

0.1.3

• manager access rules (squidclient)
• added a variable for visible_hostname
• added 3128 as a safe port (to be able to get stats using squidclient)

0.1.2

• added squid::domain

0.1.1

• changed default listen to 0.0.0.0:3128

0.1.0

initial release