Puppet module for configuring the squid caching service.
The set up a simple squid server with a cache to forward http port 80 requests.
class{'::squid':}
squid::acl{'Safe_ports':
type => port,
entries => ['80'],
}
squid::http_access{'Safe_ports':
action => allow,
}
squid::http_access{'!Safe_ports':
action => deny,
}Parameters to the squid class almost map 1 to 1 to squid.conf parameters themselves.
ensure_serviceThe ensure value of the squid service, defaults torunning.enable_serviceThe enable value of the squid service, defaults totrue.configLocation of squid.conf file, defaults to/etc/squid/squid.conf.config_useruser which owns the config file, default depends on$operatingsystemconfig_groupgroup which owns the config file, default depends on$operatingsystemdaemon_useruser which runs the squid daemon, this is used for ownership of the cache directory, default depends on$operatingsystemdaemon_groupgroup which runs the squid daemon, this is used for ownership of the cache directory, default depends on$operatingsystemcache_memdefaults to256 MB. cache_mem docs.memory_cache_shareddefaults to undef. memory_cache_shared docs.maximum_object_size_in_memorydefaults to512 KB. maximum_object_size_in_memory docsaccess_logdefaults todaemon:/var/logs/squid/access.log squid. access_log docscoredump_dirdefaults to undef. coredump_dir docs.package_namename of the squid package to manage, default depends on$operatingsystemservice_namename of the squid service to manage, default depends on$operatingsystemmax_filedescriptorsdefaults to undef. max_filedescriptors docs.workersdefaults to undef. workers docs.aclsdefaults to undef. If you pass in a hash of acl entries, they will be defined automatically. acl entries.http_accessdefaults to undef. If you pass in a hash of http_access entries, they will be defined automatically. http_access entries.http_portsdefaults to undef. If you pass in a hash of http_port entries, they will be defined automatically. http_port entries.https_portsdefaults to undef. If you pass in a hash of https_port entries, they will be defined automatically. https_port entries.icp_accessdefaults to undef. If you pass in a hash of icp_access entries, they will be defined automatically. icp_access entries.refresh_patternsdefaults to undef. If you pass a hash of refresh_pattern entires, they will be defined automatically. refresh_pattern entries.snmp_portsdefaults to undef. If you pass in a hash of snmp_port entries, they will be defined automatically. snmp_port entries.cache_dirsdefaults to undef. If you pass in a hash of cache_dir entries, they will be defined automatically. cache_dir entries.ssl_bumpdefaults to undef. If you pass in a hash of ssl_bump entries, they will be defined automatically. ssl_bump entries.sslproxy_cert_errordefaults to undef. If you pass in a hash of sslproxy_cert_error entries, they will be defined automatically. sslproxy_cert_error entries.extra_config_sectionsdefaults to empty hash. If you pass in a hash ofextra_config_sectionresources, they will be defined automatically.
class{'::squid':
cache_mem => '512 MB',
workers => 3,
coredump_dir => '/var/spool/squid',
}class{'::squid':
cache_mem => '512 MB',
workers => 3,
coredump_dir => '/var/spool/squid',
acls => { 'remote_urls' => {
type => 'url_regex',
entries => ['http://example.org/path',
'http://example.com/anotherpath'],
},
},
http_access => { 'our_networks hosts' => { action => 'allow', }},
http_ports => { '10000' => { options => 'accel vhost', }},
snmp_ports => { '1000' => { process_number => 3, }},
cache_dirs => { '/data/' => { type => 'ufs', options => '15000 32 256 min-size=32769', process_number => 2, }},
}The acls, http_access, http_ports, snmp_port, cache_dirs lines above are equivalent to their examples below.
Defines acl entries for a squid server.
squid::acl{'remote_urls':
type => 'url_regex',
entries => ['http://example.org/path',
'http://example.com/anotherpath'],
}would result in a multi entry squid acl
acl remote_urls url_regex http://example.org/path
acl remote_urls url_regex http://example.com/anotherpath
These may be defined as a hash passed to ::squid
typeThe acltype of the acl, must be defined, e.g url_regex, urlpath_regex, port, ..aclnameThe name of acl, defaults to thetitle.entriesAn array of acl entries, multiple members results in multiple lines in squid.conf.orderEach ACL has an order05by default this can be specified if order of ACL definition matters.
Defines cache_dir entries for a squid server.
squid::cache_dir{'/data':
type => 'ufs',
options => '15000 32 256 min-size=32769',
process_number => 2,
}Results in the squid configuration of
if ${processor} = 2
cache_dir ufs 15000 32 256 min-size=32769
endif
typethe type of cache, e.g ufs. defaults toufs.pathdefaults to the namevar, file path to cache.optionsString of options for the cache. Defaults to empty string.process_numberif specfied as an integer the cache will be wrapped in aif $proceess_numberstatement so the cache will be used by only one process. Default is undef.
Defines http_access entries for a squid server.
squid::http_access{'our_networks hosts':
action => 'allow',
}Adds a squid.conf line
# http_access fragment for out_networks hosts
http_access allow our_networks hosts
squid::http_access{'our_networks hosts':
action => 'allow',
comment => 'Our networks hosts are allowed',
}Adds a squid.conf line
# Our networks hosts are allowed
http_access allow our_networks hosts
These may be defined as a hash passed to ::squid
Defines icp_access entries for a squid server.
squid::icp_access{'our_networks hosts':
action => 'allow',
}Adds a squid.conf line
icp_access allow our_networks hosts
These may be defined as a hash passed to ::squid
valuedefaults to thenamevarthe rule to allow or deny.actionmust bedenyorallow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with theorderparameter.orderby default is05
Defines http_port entries for a squid server.
By setting optional ssl parameter to true will create https_port entries instead.
squid::http_port{'10000':
options => 'accel vhost'
}
squid::http_port{'10001':
ssl => true,
options => 'cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key'
}Results in a squid configuration of
http_port 10000 accel vhost
https_port 10001 cert=/etc/squid/ssl_cert/server.cert key=/etc/squid/ssl_cert/server.key
portdefaults to the namevar and is the port number.optionsA string to specify any options for the default. By default and empty string.sslA boolean. When set totruecreates https_port entries. Defaults tofalse.
Defines https_port entries for a squid server.
As an alternative to using the Squid::Http_port defined type with ssl set to true, you can use this type instead. The result is the same. Internally this type uses Squid::Http_port to create the configuration entries.
portdefaults to the namevar and is the port number.optionsA string to specify any options to add to the https_port line. Defaults to an empty string.
Defines refresh_pattern entries for a squid server.
squid::refresh_pattern{'^ftp':
min => 1440,
max => 10080,
percent => 20,
order => 60,
}
squid::refresh_pattern{'(/cgi-bin/|\?)':
case_sensitive => falke,
min => 0,
max => 0,
percent => 0,
order => 61,
}would result in the following squid refresh patterns
# refresh_pattern fragment for ^ftp
refresh_pattern ^ftp: 1440 20% 10080
# refresh_pattern fragment for (/cgi-bin/|\?)
refresh_pattern (/cgi-bin/|\?): -i 0 0% 0
These may be defined as a hash passed to ::squid
YAML example:
squid::refresh_patterns:
'^ftp':
max: 10080
min: 1440
percent: 20
order: '60'
'^gopher':
max: 1440
min: 1440
percent: 0
order: '61'
'(/cgi-bin/|\?)':
case_sensitive: false
max: 0
min: 0
percent: 0
order: '62'
'.':
max: 4320
min: 0
percent: 20
order: '63'
case_sensitiveBoolean value, if true (default) the regex is case sensitive, when false the case insensitive flag '-i' is added to the patterncommentComment added before refresh rule, defaults to refresh_pattern fragment fortitleminMust be defined, the time (in minutes) an object without an explicit expiry time should be considered fresh.maxMust be defined, the upper limit (in minutes) on how long objects without an explicit expiry time will be considered fresh.percentMust be defined, is a percentage of the objects age (time since last modification age)optionsSee squid documentation for available options.orderEach refresh_pattern has an order05by default this can be specified if order of refresh_pattern definition matters.
Defines snmp_port entries for a squid server.
squid::snmp_port{'1000':
process_number => 3
}Results in a squid configuration of
if ${process_number} = 3
snmp_port 1000
endif
portdefaults to the namevar and is the port number.optionsA string to specify any options for the default. By default and empty string.process_numberIf set to and integer the snmp_port is enabled only for a particular squid thread. Defaults to undef.
Defines auth_param entries for a squid server.
squid::auth_param{ 'basic auth_param':
scheme => 'basic',
entries => ['program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd',
'children 5',
'realm Squid Basic Authentication',
'credentialsttl 5 hours'],
}would result in multi entry squid auth_param
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours
These may be defined as a hash passed to ::squid
schemethe scheme used for authentication must be definedentriesAn array of entries, multiple members results in multiple lines in squid.conforderby default is '40'
Defines ssl_bump entries for a squid server.
squid::ssl_bump{'all':
action => 'bump',
}Adds a squid.conf line
ssl_bump bump all
These may be defined as a hash passed to ::squid
valueThe type of the ssl_bump, must be defined, e.g bump, peek, ..actionThe name of acl, defaults tobump.orderby default is05
Defines sslproxy_cert_error entries for a squid server.
squid::sslproxy_cert_error{'all':
action => 'allow',
}Adds a squid.conf line
sslproxy_cert_error allow all
These may be defined as a hash passed to ::squid
valuedefaults to thenamevarthe rule to allow or deny.actionmust bedenyorallow. By default it is allow. The squid.conf file is ordered so by default all allows appear before all denys. This can be overidden with theorderparameter.orderby default is05
Squid has a large number of configuration directives. Not all of these have been exposed individually in this module. For those that haven't, the extra_config_section defined type can be used.
squid::extra_config_section {'mail settings':
order => '60',
config_entries => {
'mail_from' => 'squid@example.com',
'mail_program' => 'mail',
},
}Results in a squid configuration of
# mail settings
mail_from squid@example.com
mail_program mail
And using an array:
squid::extra_config_section { 'refresh patterns':
order => '60',
config_entries => [{
'refresh_pattern' => ['^ftp: 1440 20% 10080',
'^gopher: 1440 0% 1440',
'-i (/cgi-bin/|\?) 0 0% 0',
'. 0 20% 4320'],
}],
}Results in a squid configuration of
# refresh_patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
commentdefaults to the namevar and is used as a section comment insquid.conf.config_entriesA hash of configuration entries to create in this section. The hash key is the name of the configuration directive. The value is either a string, or an array of strings to use as the configuration directive options.orderby default is '60'. It can be used to configure where insquid.confthis configuration section should occur.