Redhat (and derivatives) support and ACLs from databag #1

Merged
merged 11 commits into from May 10, 2012
@@ -12,6 +12,47 @@ Usage
=====
Include the squid recipe on the server. Other nodes may search for this node as their caching proxy and use the `node.ipaddress` and `node['squid']['port']` to point at it.
+Databags are able to be used for storing host & url acls and also which hosts/nets are able to access which hosts/url
+
+Example Databags
+================
+
+squid_urls - yubikey item
+-------------------------
+{
+ "urls": [
+ "^https://api.yubico.com/wsapi/2.0/verify"
+ ],
+ "id": "yubikey"
+}
+
+squid_hosts - bastion item
+--------------------------
+{
+ "type": "src",
+ "id": "bastion",
+ "net": [
+ "192.168.0.2/32"
+ ]
+}
+
+squid_acls - bastion item
+-------------------------
+{
+ "id": "bastion",
+ "acl": [
+ [
+ "yubikey",
+ "allow"
+ ],
+ [
+ "all",
+ "deny"
+ ]
+ ]
+}
+
+
License and Author
==================
@@ -18,5 +18,9 @@
# limitations under the License.
#
-default[:squid][:port] = 3128
-default[:squid][:network] = nil
+default['squid']['port'] = 3128
+default['squid']['network'] = nil
+default['squid']['config_file'] = "/etc/squid/squid.conf"
+default['squid']['timeout'] = "10"
+default['squid']['opts'] = ""
+default['squid']['version'] = ""
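Review bot: The four attributes added after `network` carry no comment, and `version` in particular is spliced into a template name (`squid#{version}.conf.erb` in the recipe), so a value with no matching template fails the run at template compile time with nothing here to explain why. A one-line comment above each would help, e.g. `# suffix selecting the squid<version>.conf.erb template; "" picks squid.conf.erb` and `# shutdown timeout in seconds, written unquoted into /etc/sysconfig/squid`. `timeout` is a string `"10"` rather than an integer, which is fine for the template but worth stating so callers do not pass `10` and `"10"` interchangeably.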
@@ -3,8 +3,8 @@
license "Apache 2.0"
description "Installs/Configures squid as a simple caching proxy"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.1.0"
+version "0.2.0"
-%w{ debian ubuntu }.each do |os|
+%w{ debian ubuntu centos fedora redhat scientific suse}.each do |os|
supports os
end
@@ -18,11 +18,27 @@
# limitations under the License.
#
-package "squid"
+package "squid" do
+ action :install
+end
+
+case node['platform']
+when "redhat","centos","scientific","fedora","suse"
+ template "/etc/sysconfig/squid" do
+ source "redhat/sysconfig/squid.erb"
+ notifies :restart, "service[squid]", :delayed
+ mode "644"
+ end
+end
service "squid" do
supports :restart => true, :status => true, :reload => true
- provider Chef::Provider::Service::Upstart
+ case node['platform']
+ when "redhat","centos","scientific","fedora","suse"
+ provider Chef::Provider::Service::Redhat
+ when "debian","ubuntu"
+ provider Chef::Provider::Service::Upstart
+ end
action [ :enable, :start ]
end
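Review bot: The platform list `"redhat","centos","scientific","fedora","suse"` is spelled out twice in this hunk, once guarding the sysconfig template and once inside the service provider `case`, and the two copies will drift when a platform is added. Hoist it into a local above the `package` resource, `rhel_like = %w[redhat centos scientific fedora suse]`, and use `when *rhel_like` in both places (or `node['platform_family']` if the Chef version in use exposes it). The provider `case` has no `else`, so an unlisted platform silently keeps Chef's default provider; a short comment saying that is intended would save the next reader a check. `package "squid" do action :install end` behaves the same as the one-line `package "squid"` it replaces.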
@@ -33,15 +49,58 @@
end
Chef::Log.info "Squid network #{network}"
+version = node['squid']['version']
+Chef::Log.info "Squid version number (unknown if blank): #{version}"
+
template "/etc/squid/squid.conf" do
- source "squid.conf.erb"
+ source "squid#{version}.conf.erb"
notifies :reload, "service[squid]"
+ mode "644"
+end
+
+url_acl = []
+begin
+ data_bag("squid_urls").each do |bag|
+ group = data_bag_item("squid_urls",bag)
+ group['urls'].each do |url|
+ url_acl.push [group['id'],url]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_urls' data bag"
+end
+
+host_acl = []
+begin
+ data_bag("squid_hosts").each do |bag|
+ group = data_bag_item("squid_hosts",bag)
+ group['net'].each do |host|
+ host_acl.push [group['id'],group['type'],host]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_hosts' data bag"
+end
+
+acls = []
+begin
+ data_bag("squid_acls").each do |bag|
+ group = data_bag_item("squid_acls",bag)
+ group['acl'].each do |acl|
+ acls.push [acl[1],group['id'],acl[0]]
+ end
+ end
+rescue
+ Chef::Log.info "no 'squid_acls' data bag"
end
template "/etc/squid/chef.acl.config" do
source "chef.acl.config.erb"
variables(
- :network => network
+ :acls => acls,
+ :host_acl => host_acl,
+ :url_acl => url_acl
)
notifies :reload, "service[squid]"
end
+
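Review bot: The three bare `rescue` clauses catch every StandardError, not only a missing data bag, so an item with a misspelled key (no `urls` array, say) raises NoMethodError on `group['urls'].each`, is logged as "no 'squid_urls' data bag", and the run continues and writes chef.acl.config with that ACL silently absent. Capture and log the exception in each block, `rescue => e` followed by `Chef::Log.info "no 'squid_urls' data bag (#{e.class}: #{e.message})"`, and likewise for `squid_hosts` and `squid_acls`; with the rules missing the proxy falls through to the template's default http_access lines, so the cause should be visible in the log. The relative order of `http_access` lines from different squid_acls items follows whatever order `data_bag` returns the item ids in, and squid applies first match, so that ordering assumption deserves a comment above `acls = []`. `network` is still computed and logged at the top of the hunk but is no longer passed to the template, leaving dead code whose computation starts outside the hunk.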
@@ -1,6 +1,12 @@
#managed with Chef
-acl chef_network src <%= @network %>
-http_access allow chef_network
-refresh_pattern deb$ 1577846 100% 1577846
-cache_dir ufs /var/spool/squid 15000 2 8
-maximum_object_size 1024000 KB
+#acl chef_network src <%= @network %>
+#http_access allow chef_network
+<% @host_acl.each do |host| %>
+acl <%= host[0] %> <%= host[1] %> <%= host[2] %>
+<% end %>
+<% @url_acl.each do |url| %>
+acl <%= url[0] %> url_regex <%= url[1] %>
+<% end %>
+<% @acls.each do |acl| %>
+http_access <%= acl[0] %> <%= acl[1] %> <%= acl[2] %>
+<% end %>
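Review bot: `<%= @network %>` on the commented-out `acl chef_network` line is still evaluated by ERB even though the recipe no longer passes `:network`, so it now renders an empty string; keep the comment as plain text, `#acl chef_network src (replaced by the squid_hosts data bag)`. Data bag values are emitted verbatim, so `host[1]` (the item's `type`) and the url pattern reach squid unchecked, and a typo there makes squid reject the config on reload while the old rules stay loaded; a comment here, or a check in the recipe that `type` is one of `src`/`dst`, would make that failure mode explicit. Unless SSL bumping is in use, squid sees an HTTPS request as `CONNECT host:443`, so a url_regex anchored on `^https://` (as in the README example) is unlikely to match; that is worth a line in the README.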
@@ -0,0 +1,8 @@
+# default squid options
+SQUID_OPTS="<%= node["squid"]["opts"] %>"
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=<%= node["squid"]["timeout"] %>
+
+# default squid conf file
+SQUID_CONF="<%= node["squid"]["config_file"] %>"
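Review bot: `SQUID_OPTS="<%= node["squid"]["opts"] %>"` lands in a file the init script sources as shell, so a value containing `"`, `$` or backticks is expanded by the shell instead of being passed to squid; the attribute is operator-set so the risk is low, but the template should say so, e.g. `# value is shell-interpolated by the init script; keep it free of quotes and $`. `SQUID_SHUTDOWN_TIMEOUT` is written unquoted, so the attribute needs to be an integer-valued string. The `node["squid"]` access style here differs from the `node['squid']` form the attributes file adopts in this same PR.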
@@ -4962,4 +4962,6 @@ coredump_dir /var/spool/squid
#
#Default:
# windows_ipaddrchangemonitor on
-
+refresh_pattern deb$ 1577846 100% 1577846
+cache_dir ufs /var/spool/squid 15000 2 8
+maximum_object_size 1024000 KB
@@ -0,0 +1,49 @@
+include /etc/squid/chef.acl.config
+acl all src all
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl SSL_ports port 443 # https
+acl SSL_ports port 563 # snews
+acl SSL_ports port 873 # rsync
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl Safe_ports port 631 # cups
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 901 # SWAT
+acl purge method PURGE
+acl CONNECT method CONNECT
+http_access allow manager localhost
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access deny all
+icp_access allow localnet
+icp_access deny all
+http_port <%= node[:squid][:port] %>
+hierarchy_stoplist cgi-bin ?
+access_log /var/log/squid/access.log squid
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
+hosts_file /etc/hosts
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern deb$ 1577846 100% 1577846
+maximum_object_size 1024000 KB
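Review bot: `include /etc/squid/chef.acl.config` is the first directive, so every `http_access allow` generated from the squid_acls data bag is evaluated before `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; a host granted a bag rule therefore bypasses the port and CONNECT restrictions for requests matching that rule, which looks unintended. Moving the include to just before `http_access allow localhost` keeps the generic protections ahead of the bag-driven rules while still preceding `http_access deny all`; if the current placement is deliberate, a comment above the include should say why. `http_port <%= node[:squid][:port] %>` uses symbol keys while the attributes file switches to string keys; both resolve on a node mash, but `node['squid']['port']` would match the rest of the PR.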