squid Cookbook

Installs and configures Squid as a caching proxy.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

• Debian 10+
• Ubuntu 16.04+
• RHEL/CentOS/Scientific 7+
• openSUSE / openSUSE Leap
• FreeBSD 11+

Chef

• Chef 13+

Cookbooks

• none

Recipes

default

The default recipe installs squid and sets up simple proxy caching. As of now, the options you may change are the port (node['squid']['port']) and the network the caching proxy is available on the subnet from node.ipaddress (ie. "192.168.1.0/24") but may be overridden with node['squid']['network']. The size of objects allowed to be stored has been bumped up to allow for caching of installation files. An optional (node['squid']['cache_peer']), if set, will be written verbatim to the template. On redhat based platforms, this cookbook supports customizing the max number of file descriptors that Squid may open (node['squid']['max_file_descriptors']). The default value is 1024.

Usage

Include the squid recipe on the server. Other nodes may search for this node as their caching proxy and use the node.ipaddress and node['squid']['port'] to point at it.

Databags are able to be used for storing host & url acls and also which hosts/nets are able to access which hosts/url

LDAP Authentication

• Set (node['squid']['enable_ldap']) to true.

• Modify the ldap attributes for your environment.

  • If you use anonymous bindings, two attributes are optional, ['squid']['ldap_binddn'] and ['squid']['ldap_bindpassword'].
  • All other attributes are required.
  • See http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap for further help.

• To create the ldap acls in squid.conf, you also need the two ldap_auth databag items as shown in the LDAP Databags below.

Example Databags

squid_urls - yubikey item

{
  "urls": [
    "^https://api.yubico.com/wsapi/2.0/verify"
  ],
  "id": "yubikey"
}

squid_hosts - bastion item

{
  "type": "src",
  "id": "bastion",
  "net": [
    "192.168.0.2/32"
  ]
}

squid_acls - bastion item

{
  "id": "bastion",
  "acl": [
    [
      "yubikey",
      "allow"
    ],
    [
      "yubikey",
      "deny",
      "!"
    ],
    [
      "all",
      "deny"
    ]
  ]
}

LDAP Databags

The following two data bags are only required if you are using LDAP Authentication.

squid_hosts - ldap_auth item

{
  "type": "proxy_auth",
  "id": "ldap_auth",
  "net": [
    "REQUIRED"
  ]
}

squid_acls - ldap_auth item

{
  "id": "ldap_auth",
  "acl": [
    [
      "",
      "allow"
    ]
  ]
}

Additional configuration files

• Set (node['squid']['config_include_dir']) to the directory of your additional files, ex. /etc/squid/conf.d
• It is recommended that you set node['squid']['http_access_deny_all'] and node['squid']['icp_access_deny_all'] to false because the include statement is at the bottom of squid.conf. Otherwise http_access allow statements may not be evaluated in the additional configuration files.

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.