thias / puppet-squid3
Puppet Squid3 module
License: Other
The ACL rule below is a default configuration in the squid.conf templates (short and long) and so is always applied by this module:
http_access allow localnet
However, this is not always desirable. For instance, suppose you want to restrict outbound internet access from your private network to a few whitelisted sites. In this case the desired ACL in squid.conf should look like the following to achieve the expected access restriction.
<...snip...>
# user-defined ACLs
acl sitesWhitelist dstdomain "/etc/squid3/sites.whitelist"
# user-defined http_accesses
http_access allow localnet sitesWhitelist
http_access allow localhost
http_access deny all
<...snip...>
Using the module with Puppet v3.2.4 results in an error:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter validate_cmd at /.../modules/squid3/manifests/init.pp:65 on node ...
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
The forge page says it is compatible with Puppet >=2.7.20 <4.1.0.
Support for FreeBSD should be trivial by the looks of it.
Here are the relevant paths (pulled from 2.7; the relevant paths are the same for 3.x) if you wouldn't mind adding support:
Config file: /usr/local/etc/squid/squid.conf
cache_dir: /var/squid/cache
access_log: /var/squid/logs/access.log
cache_log: /var/squid/logs/cache.log
cache_store_log: /var/squid/logs/store.log
pid_filename: /var/squid/logs/squid.pid
netdb_filename: /var/squid/logs/netdb.state
coredump_dir: /var/squid/cache
Hi,
We use this module at the moment, but we now need the "max_filedescriptors" parameter, which is not supported by the module. Without this parameter we cannot use the module. So, is it possible to implement it?
Thanks a lot in advance,
Tarkan
When the manifest reads enable => true on Ubuntu 14.04, it throws the following error:
change from false to true failed: Execution of '/usr/sbin/update-rc.d squid3 defaults' returned 1: update-rc.d: /etc/init.d/squid3: file does not exist
Debian 9 uses the same package naming and directory structure as Ubuntu 16.04 and above. I am about to submit a pull request that treats them equally.
CentOS Project has adopted a new rule for versioning numbers. The major number matches the RHEL major number, but the minor number is generated from the release date. For example, CentOS 7.1407.
You need to use "operatingsystemmajrelease" and not "operatingsystemrelease" in squid3::params:
https://github.com/thias/puppet-squid3/blob/master/templates/squid.conf.short.erb#L41-43
I've implemented Squid as a whitelist HTTP proxy for a secure network segment. The config looks like the following:
# user-defined ACLs
acl whitelist dstdomain foo.com
acl whitelist dstdomain bar.com
acl whitelist dstdomain baz.com
# user-defined http_accesses
http_access allow whitelist
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow localnet will allow all requests from my "secure intranet segment". If I add an additional http_access deny all to "user-defined http_accesses", then the behavior is consistent with my goals/expectations, but it results in duplicate http_access deny all rules.
A potential fix would be to have these rules as default values on a parameter, or to not include any defaults and document that adding http_access deny all is probably a very good idea. The module seems to assume you know how to read/write squid.conf; I don't think it's unfair to tell users they need to explicitly manage all the rules.
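The two issues above both come down to Squid's first-match evaluation of http_access lines: a bare `http_access allow localnet` placed before (or alongside) a whitelist rule admits every request from the internal ranges, and a whitelist rule with no source ACL admits whitelisted sites from anywhere. The following is an added example, not code from puppet-squid3 or from Squid, that models just enough of that evaluation (the `src` and `dstdomain` ACL types used above, `!` negation, and Squid's implicit default of the opposite of the last line's action) to compare the two orderings. Both config fragments, the address ranges and the hostnames are constructed for the demonstration.

```python
"""Model of Squid's first-match http_access evaluation (added example, not
code from puppet-squid3 or Squid). Only the 'src' and 'dstdomain' ACL types
used in the configs above are modelled, plus '!' negation and Squid's rule
that a request matching no line gets the opposite of the last line's action."""
import ipaddress

# Squid 3.2+ provides these ACLs without a definition in squid.conf.
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
}

def parse_config(text):
    """Return (acls, rules) from the acl / http_access lines of a config fragment."""
    acls = {name: (t, list(v)) for name, (t, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            current = acls.setdefault(name, (acl_type, []))
            if current[0] != acl_type:  # the same clash Squid refuses at startup
                raise ValueError(f"ACL {name!r} already exists with different type")
            current[1].extend(values)  # a repeated acl line appends values
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, dst_host):
    """Evaluate one ACL against a request's client address and destination host."""
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = dst_host.lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):  # ".foo.com" matches foo.com and its subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:  # "foo.com" matches foo.com only
                return True
        return False
    raise ValueError(f"ACL type {acl_type!r} is not modelled here")

def decide(config_text, client_ip, dst_host):
    """Return 'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    acls, rules = parse_config(config_text)
    for action, refs in rules:
        matched = True
        for ref in refs:
            negate = ref.startswith("!")
            name = ref.lstrip("!")
            if name not in acls:
                raise ValueError(f"http_access references undefined ACL {name!r}")
            if acl_matches(acls[name], client_ip, dst_host) == negate:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's implicit default

# Constructed: a user whitelist combined with the template's default
# "http_access allow localnet" line.
MODULE_DEFAULT_CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl whitelist dstdomain foo.com bar.com baz.com
http_access allow whitelist
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Constructed: the restrictive ordering the first issue on this page asks for.
RESTRICTED_CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl sitesWhitelist dstdomain foo.com bar.com baz.com
http_access allow localnet sitesWhitelist
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("module default", MODULE_DEFAULT_CONF), ("restricted", RESTRICTED_CONF)):
        for ip, host in (("10.1.2.3", "foo.com"), ("10.1.2.3", "evil.example"), ("203.0.113.5", "foo.com")):
            print(f"{label:15} {ip:12} -> {host:13} {decide(conf, ip, host)}")
```

Running it shows the difference the two posts describe: under the module-default ordering an internal client reaches evil.example (the bare `allow localnet` matches first) and an external client reaches foo.com (the whitelist line has no source constraint), while the combined `allow localnet sitesWhitelist` line followed by `deny all` admits only internal clients to whitelisted hosts.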
Currently the log format in this module is hard-coded to epoch timestamps rather than something readable (and easy to grep, etc.).
https://github.com/thias/puppet-squid3/blob/master/manifests/params.pp#L53
The variable logformat can be used in squid.conf to set the log format, as per https://github.com/thias/puppet-squid3/blob/master/templates/squid.conf.documented#L2258
Example:
logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %
access_log /var/log/squid/access.log squid
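Until the log format is made configurable, the epoch timestamps in the native format can be converted after the fact. Below is an added example, not code from the puppet-squid3 module, that parses lines in Squid's built-in `squid` logformat (time.ms, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, MIME type) into records with ISO-8601 timestamps and then counts TCP_DENIED entries per client, which is the figure worth watching on a whitelist proxy. The log lines are constructed for the demonstration.

```python
"""Parse Squid's native access.log format into readable records (added example,
not code from puppet-squid3 or Squid). Sample lines below are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the native 'squid' logformat (epoch timestamps).
SAMPLE_LOG = """\
1415356272.123    245 192.168.1.10 TCP_MISS/200 5432 GET http://foo.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1415356275.004      2 192.168.1.10 TCP_DENIED/403 3841 GET http://evil.example/ - HIER_NONE/- text/html
1415356280.510      1 192.168.1.27 TCP_DENIED/403 3841 CONNECT tracker.example:443 - HIER_NONE/- -
1415356290.001    120 192.168.1.27 TCP_HIT/200 812 GET http://bar.com/logo.png - HIER_NONE/- image/png
"""

FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")

def epoch_to_iso(stamp):
    """Convert '1415356272.123' to an ISO-8601 UTC string without float rounding."""
    sec, _, ms = stamp.partition(".")
    when = datetime.fromtimestamp(int(sec), tz=timezone.utc) + timedelta(milliseconds=int(ms or 0))
    return when.isoformat(timespec="milliseconds")

def parse_line(line):
    """Split one native-format line into a dict; numeric fields become ints."""
    parts = line.split(None, 9)  # the MIME type is the last of ten fields
    if len(parts) != 10:
        raise ValueError(f"unexpected field count in: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = epoch_to_iso(rec["time"])
    rec["code"], _, status = rec["result"].partition("/")  # e.g. TCP_DENIED / 403
    rec["status"] = int(status)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def denied_by_client(records):
    """Count TCP_DENIED entries per client: hosts repeatedly hitting the deny rule."""
    return Counter(r["client"] for r in records if r["code"] == "TCP_DENIED")

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(f'{r["time"]} {r["client"]:14} {r["code"]}/{r["status"]} {r["method"]} {r["url"]}')
    print(dict(denied_by_client(records)))
```

The timestamp is split into whole seconds and milliseconds before conversion so that a value such as 1415356272.123 does not pick up a float rounding error in the microseconds field.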
Why do we not enable the service on newer versions of Ubuntu (like 18.04)?
puppet-squid3/manifests/params.pp, line 29 in 1c9b9a8
The value of coredump_dir in squid.conf.short.erb is hardcoded as "/var/spool/squid", which is incorrect for Debian-family operating systems. So instead use
coredump_dir <%= @coredump_dir %>
The following occurs when applying the module on Ubuntu 14.04.
Debug: Executing '/usr/sbin/update-rc.d squid3 defaults'
Error: Execution of '/usr/sbin/update-rc.d squid3 defaults' returned 1: update-rc.d: /etc/init.d/squid3: file does not exist
This occurs on Ubuntu 14.04.
In their infinite wisdom the squid folks have 'built in' the ACLs manager, localhost and to_localhost.
This means that putting those in the config file now causes this error:
Error: Could not start Service[squid3_service]: Execution of '/usr/sbin/squid3 start' returned 1: 2014/11/07 10:31:12| aclParseAclLine: ACL 'manager' already exists with different type.
FATAL: Bungled /etc/squid3/squid.conf line 642: acl manager proto cache_object
Squid Cache (Version 3.3.8): Terminated abnormally.
Squid Cache: Version 3.3.8
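Because Squid refuses to start rather than warn when a built-in ACL is redefined with a different type, it is worth catching this before the service is reloaded. The following is an added example, not code from puppet-squid3, that scans a squid.conf fragment for acl lines naming the ACLs Squid 3.2+ defines internally (all, manager, localhost, to_localhost), reports which of them would be fatal because the type differs, and returns the config with those lines removed. The config fragment is constructed in the pre-3.2 style that the error above refers to.

```python
"""Pre-flight check for squid.conf lines that redefine ACLs Squid 3.2+ has built
in (added example, not code from puppet-squid3). The config fragment is constructed."""
import re

# ACLs Squid 3.2+ defines internally, with the type it gives them. Redefining one
# with a different type is fatal at startup; redefining it with the same type is
# redundant.
BUILTIN_ACLS = {
    "all": "src",
    "manager": "url_regex",
    "localhost": "src",
    "to_localhost": "dst",
}

ACL_LINE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)")

def find_builtin_redefinitions(conf_text):
    """Return (line_number, name, type, fatal) for each acl line naming a built-in ACL."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = ACL_LINE.match(line)
        if not m:
            continue
        name, acl_type = m.groups()
        if name in BUILTIN_ACLS:
            hits.append((n, name, acl_type, acl_type != BUILTIN_ACLS[name]))
    return hits

def strip_builtin_acls(conf_text):
    """Return the config without those lines, which is the fix for Squid 3.2+."""
    flagged = {n for n, *_ in find_builtin_redefinitions(conf_text)}
    kept = [l for n, l in enumerate(conf_text.splitlines(), 1) if n not in flagged]
    return "\n".join(kept) + "\n"

# Constructed fragment in the pre-3.2 style.
LEGACY_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for n, name, acl_type, fatal in find_builtin_redefinitions(LEGACY_CONF):
        print(f"line {n}: acl {name} ({acl_type}) {'FATAL' if fatal else 'redundant'}")
    print(strip_builtin_acls(LEGACY_CONF))
```

The http_access lines that reference manager and localhost stay in place, since those names still resolve to the built-in definitions once the acl lines are gone.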
The service resource in init.pp:
service { 'squid3_service':
  enable    => true,
  name      => $service_name,
  ensure    => running,
  restart   => "service ${service_name} reload",
  path      => ['/sbin', '/usr/sbin'],
  hasstatus => true,
  require   => Package['squid3_package'],
}
The restart command is only a reload. The problem is that it doesn't activate all settings. Can you modify this to do a real restart?