
Redhat (and derivatives) support and ACLs from databag #1

Merged
merged 11 commits into from

2 participants

Welby McRoberts Matt Ray
Welby McRoberts

I've made a few changes to allow this cookbook to be used in RedHat/Fedora/CentOS etc. and have also added in some other changes requiring databags to be used for the ACLs.

Welby McRoberts

Hi Matt

I've signed the CLA and that should be on there now.

Cheers
Welby

Welby McRoberts

I appear to have actually forgotten to include the redhat/sysconfig/squid.erb file and the squid31.conf.erb files from the last commits - I've added them in the latest commit.

Matt Ray
Owner

I'd done some merging and testing in this branch https://github.com/mattray/squid-cookbook/tree/rhel, haven't had time to test again but I figured I'd push my stuff up for review. If it still works with your setup, I'll release as 0.2.0.

Welby McRoberts

I've tested this, and with the slight change to the template this seems to be working as expected.

Matt Ray mattray merged commit ac17930 into from
Matt Ray
Owner

Pushed version 0.2 of the squid cookbook to the Community site, I can add you as a collaborator if you want.

41 README.md
@@ -12,6 +12,47 @@ Usage
=====
Include the squid recipe on the server. Other nodes may search for this node as their caching proxy and use the `node.ipaddress` and `node['squid']['port']` to point at it.
+Databags are able to be used for storing host & url acls and also which hosts/nets are able to access which hosts/url
+
+Example Databags
+================
+
+squid_urls - yubikey item
+-------------------------
+{
+ "urls": [
+ "^https://api.yubico.com/wsapi/2.0/verify"
+ ],
+ "id": "yubikey"
+}
+
+squid_hosts - bastion item
+--------------------------
+{
+ "type": "src",
+ "id": "bastion",
+ "net": [
+ "192.168.0.2/32"
+ ]
+}
+
+squid_acls - bastion item
+-------------------------
+{
+ "id": "bastion",
+ "acl": [
+ [
+ "yubikey",
+ "allow"
+ ],
+ [
+ "all",
+ "deny"
+ ]
+ ]
+}
+
+
License and Author
==================
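Review bot: the README should state that each `acl` pair is rendered as `http_access <action> <item id> <url acl>` in the order the items are read and that Squid applies the first matching `http_access` line, so the `["all", "deny"]` entry only works as a fallback when it is emitted last; with several `squid_acls` items the order in which `data_bag("squid_acls").each` returns them is not something a reader can infer from this text. It should also say that `"all"` must exist as an ACL (it is defined in `squid31.conf.erb` as `acl all src all`, not in the default `squid.conf.erb`) and that `urls` entries are Squid `url_regex` patterns inserted verbatim, so a pattern containing whitespace will not be read as one token.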
8 attributes/default.rb
@@ -18,5 +18,9 @@
# limitations under the License.
#
-default[:squid][:port] = 3128
-default[:squid][:network] = nil
+default['squid']['port'] = 3128
+default['squid']['network'] = nil
+default['squid']['config_file'] = "/etc/squid/squid.conf"
+default['squid']['timeout'] = "10"
+default['squid']['opts'] = ""
+default['squid']['version'] = ""
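Review bot: `default['squid']['config_file']` is defined here and written to `/etc/sysconfig/squid` as `SQUID_CONF`, but the recipe still renders the template to the literal path `"/etc/squid/squid.conf"`, so changing this attribute points Squid at a file Chef does not manage; either use the attribute in the `template` resource or drop it. `default['squid']['version'] = ""` selects the template by string concatenation (`"squid#{version}.conf.erb"`), so a comment listing the accepted values (currently `""` and `"31"`) would save users reading the recipe.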
4 metadata.rb
@@ -3,8 +3,8 @@
license "Apache 2.0"
description "Installs/Configures squid as a simple caching proxy"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.1.0"
+version "0.2.0"
-%w{ debian ubuntu }.each do |os|
+%w{ debian ubuntu centos fedora redhat scientific suse}.each do |os|
supports os
end
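Review bot: `suse` is added to `supports` here and the recipe maps it to `Chef::Provider::Service::Redhat` and `/etc/sysconfig/squid`; the PR comments only mention testing on RedHat/Fedora/CentOS, so that mapping should be confirmed on a SUSE node before it is advertised in 0.2.0. Minor: `%w{ debian ubuntu centos fedora redhat scientific suse}` is missing the space before the closing brace.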
67 recipes/default.rb
@@ -18,11 +18,27 @@
# limitations under the License.
#
-package "squid"
+package "squid" do
+ action :install
+end
+
+case node['platform']
+when "redhat","centos","scientific","fedora","suse"
+ template "/etc/sysconfig/squid" do
+ source "redhat/sysconfig/squid.erb"
+ notifies :restart, "service[squid]", :delayed
+ mode "644"
+ end
+end
service "squid" do
supports :restart => true, :status => true, :reload => true
- provider Chef::Provider::Service::Upstart
+ case node['platform']
+ when "redhat","centos","scientific","fedora","suse"
+ provider Chef::Provider::Service::Redhat
+ when "debian","ubuntu"
+ provider Chef::Provider::Service::Upstart
+ end
action [ :enable, :start ]
end
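Review bot: the `when "debian","ubuntu"` branch forces `Chef::Provider::Service::Upstart` for both, but Debian does not ship Upstart by default, so `service[squid]` will fail there; restrict that branch to `ubuntu` (or drop the override and let Chef choose the provider). The `/etc/sysconfig/squid` template sets `mode "644"` but no `owner`/`group`; add `owner "root"` and `group "root"` so ownership of a file the init script sources as shell is enforced rather than inherited from whatever already exists on disk.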
@@ -33,15 +49,58 @@
end
Chef::Log.info "Squid network #{network}"
+version = node['squid']['version']
+Chef::Log.info "Squid version number (unknown if blank): #{version}"
+
template "/etc/squid/squid.conf" do
- source "squid.conf.erb"
+ source "squid#{version}.conf.erb"
notifies :reload, "service[squid]"
+ mode "644"
+end
+
+url_acl = []
+begin
+ data_bag("squid_urls").each do |bag|
+ group = data_bag_item("squid_urls",bag)
+ group['urls'].each do |url|
+ url_acl.push [group['id'],url]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_urls' data bag"
+end
+
+host_acl = []
+begin
+ data_bag("squid_hosts").each do |bag|
+ group = data_bag_item("squid_hosts",bag)
+ group['net'].each do |host|
+ host_acl.push [group['id'],group['type'],host]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_hosts' data bag"
+end
+
+acls = []
+begin
+ data_bag("squid_acls").each do |bag|
+ group = data_bag_item("squid_acls",bag)
+ group['acl'].each do |acl|
+ acls.push [acl[1],group['id'],acl[0]]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_acls' data bag"
end
template "/etc/squid/chef.acl.config" do
source "chef.acl.config.erb"
variables(
- :network => network
+ :acls => acls,
+ :host_acl => host_acl,
+ :url_acl => url_acl
)
notifies :reload, "service[squid]"
end
+
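Review bot: the three bare `rescue` blocks catch every exception, not just the missing-bag case, so a malformed item (a `squid_hosts` item without a `net` key makes `group['net'].each` raise) or a transient server error is logged at info level as "no ... data bag" and the run continues with an empty ACL list; rescue the specific exception a missing bag raises, or check `Chef::DataBag.list` for the bag name first, and let other errors fail the run. Since the contents of these bags become `http_access` rules, anyone who can write them controls proxy access, which deserves a sentence in the README. Separately, `template "/etc/squid/squid.conf"` ignores the new `node['squid']['config_file']` attribute.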
16 templates/default/chef.acl.config.erb
@@ -1,6 +1,12 @@
#managed with Chef
-acl chef_network src <%= @network %>
-http_access allow chef_network
-refresh_pattern deb$ 1577846 100% 1577846
-cache_dir ufs /var/spool/squid 15000 2 8
-maximum_object_size 1024000 KB
+#acl chef_network src <%= @network %>
+#http_access allow chef_network
+<% @host_acl.each do |host| %>
+acl <%= host[0] %> <%= host[1] %> <%= host[2] %>
+<% end %>
+<% @url_acl.each do |url| %>
+acl <%= url[0] %> url_regex <%= url[1] %>
+<% end %>
+<% @acls.each do |acl| %>
+http_access <%= acl[0] %> <%= acl[1] %> <%= acl[2] %>
+<% end %>
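Review bot: commenting out `acl chef_network` and `http_access allow chef_network` means `node['squid']['network']` no longer grants anything, yet the recipe still computes and logs it (`Chef::Log.info "Squid network #{network}"`) and the attribute is still declared; either remove both or keep the rule behind an `if @network` guard, otherwise users of 0.1.0 lose proxy access on upgrade until they create data bags. The generated `http_access` lines are emitted in data-bag iteration order with no terminal rule, which only works because `squid31.conf.erb` ends with `http_access deny all`; the `refresh_pattern`, `cache_dir` and `maximum_object_size` lines removed here now live in both `squid.conf.erb` and `squid31.conf.erb` with different `cache_dir` sizes.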
8 templates/default/redhat/sysconfig/squid.erb
@@ -0,0 +1,8 @@
+# default squid options
+SQUID_OPTS="<%= node["squid"]["opts"] %>"
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=<%= node["squid"]["timeout"] %>
+
+# default squid conf file
+SQUID_CONF="<%= node["squid"]["config_file"] %>"
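Review bot: these attributes are interpolated into a file the init script sources as shell, with `SQUID_OPTS` and `SQUID_CONF` inside double quotes and `SQUID_SHUTDOWN_TIMEOUT` unquoted, so a value containing `"`, `$` or whitespace changes what the init script executes. Validate them in the recipe (`SQUID_SHUTDOWN_TIMEOUT` should be an integer; the default `"10"` is a string) or single-quote them here. Also `node["squid"]["opts"]` uses double-quoted keys where the rest of the change standardised on `node['squid'][...]`.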
4 templates/default/squid.conf.erb
@@ -4962,4 +4962,6 @@ coredump_dir /var/spool/squid
#
#Default:
# windows_ipaddrchangemonitor on
-
+refresh_pattern deb$ 1577846 100% 1577846
+cache_dir ufs /var/spool/squid 15000 2 8
+maximum_object_size 1024000 KB
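Review bot: `refresh_pattern deb$ 1577846 100% 1577846` is appended at the very end of the stock config; Squid uses the first `refresh_pattern` that matches, so if the stock `refresh_pattern . 0 20% 4320` catch-all is active earlier in this file the `deb$` rule never applies and should be moved above it. `cache_dir ufs /var/spool/squid 15000 2 8` here also disagrees with `cache_dir ufs /var/spool/squid 100 16 256` in `squid31.conf.erb`; pick one size or make it an attribute.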
49 templates/default/squid31.conf.erb
@@ -0,0 +1,49 @@
+include /etc/squid/chef.acl.config
+acl all src all
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl SSL_ports port 443 # https
+acl SSL_ports port 563 # snews
+acl SSL_ports port 873 # rsync
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl Safe_ports port 631 # cups
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 901 # SWAT
+acl purge method PURGE
+acl CONNECT method CONNECT
+http_access allow manager localhost
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access deny all
+icp_access allow localnet
+icp_access deny all
+http_port <%= node[:squid][:port] %>
+hierarchy_stoplist cgi-bin ?
+access_log /var/log/squid/access.log squid
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
+hosts_file /etc/hosts
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern deb$ 1577846 100% 1577846
+maximum_object_size 1024000 KB
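Review bot: `include /etc/squid/chef.acl.config` is the first line, so every `http_access` rule generated from the data bags is evaluated before `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports` and the `manager`/`purge` restrictions; because Squid stops at the first matching `http_access` line, a data-bag rule such as `allow <host> all` grants that host CONNECT to any port and access to the cache manager before those checks run. Move the `include` to just before `http_access allow localhost` so the built-in deny rules stay in front of user-supplied ones. Two smaller points: `refresh_pattern deb$ ...` sits after the `refresh_pattern . 0 20% 4320` catch-all and therefore never matches, and `http_port <%= node[:squid][:port] %>` still uses symbol keys while the rest of the change switched to `node['squid']['port']`.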