chef-cookbook squid chef-resource chef hacktoberfest managed-by-terraform

squid Cookbook

Installs and configures Squid as a caching proxy.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

Debian 10+
Ubuntu 16.04+
RHEL/CentOS/Scientific 7+
openSUSE / openSUSE Leap
FreeBSD 11+

Chef

Chef 13+

Cookbooks

none

Recipes

default

The default recipe installs squid and sets up simple proxy caching. As of now, the options you may change are the port (node['squid']['port']) and the network the caching proxy is available on the subnet from node.ipaddress (ie. "192.168.1.0/24") but may be overridden with node['squid']['network']. The size of objects allowed to be stored has been bumped up to allow for caching of installation files. An optional (node['squid']['cache_peer']), if set, will be written verbatim to the template. On redhat based platforms, this cookbook supports customizing the max number of file descriptors that Squid may open (node['squid']['max_file_descriptors']). The default value is 1024.

Usage

Include the squid recipe on the server. Other nodes may search for this node as their caching proxy and use the node.ipaddress and node['squid']['port'] to point at it.

Databags are able to be used for storing host & url acls and also which hosts/nets are able to access which hosts/url

LDAP Authentication

Set (node['squid']['enable_ldap']) to true.
Modify the ldap attributes for your environment.
- If you use anonymous bindings, two attributes are optional, ['squid']['ldap_binddn'] and ['squid']['ldap_bindpassword'].
- All other attributes are required.
- See http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap for further help.
To create the ldap acls in squid.conf, you also need the two ldap_auth databag items as shown in the LDAP Databags below.

Example Databags

squid_urls - yubikey item

{
  "urls": [
    "^https://api.yubico.com/wsapi/2.0/verify"
  ],
  "id": "yubikey"
}

squid_hosts - bastion item

{
  "type": "src",
  "id": "bastion",
  "net": [
    "192.168.0.2/32"
  ]
}

squid_acls - bastion item

{
  "id": "bastion",
  "acl": [
    [
      "yubikey",
      "allow"
    ],
    [
      "yubikey",
      "deny",
      "!"
    ],
    [
      "all",
      "deny"
    ]
  ]
}

LDAP Databags

The following two data bags are only required if you are using LDAP Authentication.

squid_hosts - ldap_auth item

{
  "type": "proxy_auth",
  "id": "ldap_auth",
  "net": [
    "REQUIRED"
  ]
}

squid_acls - ldap_auth item

{
  "id": "ldap_auth",
  "acl": [
    [
      "",
      "allow"
    ]
  ]
}

Additional configuration files

Set (node['squid']['config_include_dir']) to the directory of your additional files, ex. /etc/squid/conf.d
It is recommended that you set node['squid']['http_access_deny_all'] and node['squid']['icp_access_deny_all'] to false because the include statement is at the bottom of squid.conf. Otherwise http_access allow statements may not be evaluated in the additional configuration files.