Diffstat (limited to 'puppet/modules/squid_deb_proxy/files')
-rw-r--r--puppet/modules/squid_deb_proxy/files/Debian/squid-deb-proxy.conf91
-rw-r--r--puppet/modules/squid_deb_proxy/files/Ubuntu/squid-deb-proxy.conf89
-rw-r--r--puppet/modules/squid_deb_proxy/files/allowed-networks-src.acl.d/20-custom1
-rwxr-xr-xpuppet/modules/squid_deb_proxy/files/client/apt-avahi-discover138
-rw-r--r--puppet/modules/squid_deb_proxy/files/mirror-dstdomain.acl.d/20-custom1
5 files changed, 320 insertions, 0 deletions
diff --git a/puppet/modules/squid_deb_proxy/files/Debian/squid-deb-proxy.conf b/puppet/modules/squid_deb_proxy/files/Debian/squid-deb-proxy.conf
new file mode 100644
index 00000000..2a528f84
--- /dev/null
+++ b/puppet/modules/squid_deb_proxy/files/Debian/squid-deb-proxy.conf
@@ -0,0 +1,91 @@
+
+# WELCOME TO SQUID DEB PROXY
+# ------------------
+#
+# This config file is a version of a squid proxy file optimized
+# as a configuration for a caching proxy for Debian/Ubuntu systems.
+#
+# More information about squid and its configuration can be found here
+# http://www.squid-cache.org/ and in the FAQ
+
+# settings that you may want to customize
+# ---------------------------------------
+
+# this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
+# 192.168.0.0/16) by default, you can add/remove additional allowed
+# source networks in it to customize it for your setup
+acl allowed_networks src "/etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl"
+
+# this file contains the archive mirrors by default,
+# if you use a different mirror, add it there
+acl to_archive_mirrors dstdomain "/etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl"
+
+# this contains the package blacklist
+acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
+
+# default to a different port than stock squid
+http_port 8000
+
+# -------------------------------------------------
+# settings below probably do not need customization
+
+# user visible name
+visible_hostname squid-deb-proxy
+
+# we need a big cache, some debs are huge
+maximum_object_size 512 MB
+
+# use a different dir than stock squid and default to 40G
+cache_dir aufs /var/cache/squid-deb-proxy 40000 16 256
+
+# use different logs
+cache_access_log /var/log/squid-deb-proxy/access.log
+cache_log /var/log/squid-deb-proxy/cache.log
+cache_store_log /var/log/squid-deb-proxy/store.log
+
+# tweaks to speed things up
+cache_mem 200 MB
+maximum_object_size_in_memory 10240 KB
+
+# pid
+pid_filename /var/run/squid-deb-proxy.pid
+
+# refresh pattern for debs and udebs
+refresh_pattern deb$ 129600 100% 129600
+refresh_pattern udeb$ 129600 100% 129600
+refresh_pattern tar.gz$ 129600 100% 129600
+
+# always refresh Packages and Release files
+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0
+refresh_pattern \/Release(|\.gpg)$ 0 0% 0
+refresh_pattern \/InRelease$ 0 0% 0
+
+# handle meta-release and changelogs.ubuntu.com special
+# (fine to have this on debian too)
+refresh_pattern changelogs.ubuntu.com/* 0 1% 1
+
+# only allow connects to ports for http, https
+acl Safe_ports port 80
+acl Safe_ports port 443 563
+
+# only allow ports we trust
+http_access deny !Safe_ports
+
+# do not allow to download from the pkg blacklist
+http_access deny blockedpkgs
+
+# allow access only to official archive mirrors
+# uncomment the third and fouth line to permit any unlisted domain
+http_access deny !to_archive_mirrors
+#http_access allow !to_archive_mirrors
+
+# don't cache domains not listed in the mirrors file
+# uncomment the third and fourth line to cache any unlisted domains
+cache deny !to_archive_mirrors
+#cache allow !to_archive_mirrors
+
+# allow access from our network and localhost
+http_access allow allowed_networks
+
+# And finally deny all other access to this proxy
+http_access deny all
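Review bot: `acl Safe_ports port 443 563` admits port 563 (NNTPS), which an apt caching proxy has no reason to reach; trimming it to `acl Safe_ports port 80` and `acl Safe_ports port 443` keeps the reachable destination ports to what mirrors actually serve, and `http_access deny !Safe_ports` then enforces exactly that. The comment `# uncomment the third and fouth line to permit any unlisted domain` (and its twin above `cache deny`) has a typo and points at no identifiable lines, since each block carries only one commented alternative; `# uncomment the next line to permit any unlisted domain` says what is meant. Both points apply unchanged to the Ubuntu variant of this file in the same commit.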
diff --git a/puppet/modules/squid_deb_proxy/files/Ubuntu/squid-deb-proxy.conf b/puppet/modules/squid_deb_proxy/files/Ubuntu/squid-deb-proxy.conf
new file mode 100644
index 00000000..ab5bac8a
--- /dev/null
+++ b/puppet/modules/squid_deb_proxy/files/Ubuntu/squid-deb-proxy.conf
@@ -0,0 +1,89 @@
+
+# WELCOME TO SQUID DEB PROXY
+# ------------------
+#
+# This config file is a version of a squid proxy file optimized
+# as a configuration for a caching proxy for Ubuntu systems.
+#
+# More information about squid and its configuration can be found here
+# http://www.squid-cache.org/ and in the FAQ
+
+# settings that you may want to customize
+# ---------------------------------------
+
+# this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
+# 192.168.0.0/16) by default, you can add/remove additional allowed
+# source networks in it to customize it for your setup
+acl allowed_networks src "/etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl"
+
+# this file contains the *archive.ubuntu.com mirrors by default,
+# if you use a different mirror, add it there
+acl to_ubuntu_mirrors dstdomain "/etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl"
+
+# this contains the package blacklist
+acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
+
+# default to a different port than stock squid
+http_port 8000
+
+# -------------------------------------------------
+# settings below probably do not need customization
+
+# user visible name
+visible_hostname squid-deb-proxy
+
+# we need a big cache, some debs are huge
+maximum_object_size 512 MB
+
+# use a different dir than stock squid and default to 40G
+cache_dir aufs /var/cache/squid-deb-proxy 40000 16 256
+
+# use different logs
+cache_access_log /var/log/squid-deb-proxy/access.log
+cache_log /var/log/squid-deb-proxy/cache.log
+cache_store_log /var/log/squid-deb-proxy/store.log
+
+# tweaks to speed things up
+cache_mem 200 MB
+maximum_object_size_in_memory 10240 KB
+
+# pid
+pid_filename /var/run/squid-deb-proxy.pid
+
+# refresh pattern for debs and udebs
+refresh_pattern deb$ 129600 100% 129600
+refresh_pattern udeb$ 129600 100% 129600
+refresh_pattern tar.gz$ 129600 100% 129600
+
+# always refresh Packages and Release files
+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0
+refresh_pattern \/Release(|\.gpg)$ 0 0% 0
+
+# handle meta-release and changelogs.ubuntu.com special
+refresh_pattern changelogs.ubuntu.com/* 0 1% 1
+
+# only allow connects to ports for http, https
+acl Safe_ports port 80
+acl Safe_ports port 443 563
+
+# only allow ports we trust
+http_access deny !Safe_ports
+
+# do not allow to download from the pkg blacklist
+http_access deny blockedpkgs
+
+# allow access only to official ubuntu mirrors
+# uncomment the third and fouth line to permit any unlisted domain
+http_access deny !to_ubuntu_mirrors
+#http_access allow !to_ubuntu_mirrors
+
+# don't cache domains not listed in the mirrors file
+# uncomment the third and fourth line to cache any unlisted domains
+cache deny !to_ubuntu_mirrors
+#cache allow !to_ubuntu_mirrors
+
+# allow access from our network and localhost
+http_access allow allowed_networks
+
+# And finally deny all other access to this proxy
+http_access deny all
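Review bot: The refresh rules here lack `refresh_pattern \/InRelease$ 0 0% 0`, which the Debian variant of this file carries, and `\/Release(|\.gpg)$` does not match `/InRelease`, so InRelease falls through to Squid's default freshness heuristic and can be served from cache while the matching `Packages` index is always refetched. Adding the InRelease line after the `Release` pattern, as in the Debian file, keeps the two variants consistent and avoids apt seeing an index set whose signed metadata and package lists disagree.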
diff --git a/puppet/modules/squid_deb_proxy/files/allowed-networks-src.acl.d/20-custom b/puppet/modules/squid_deb_proxy/files/allowed-networks-src.acl.d/20-custom
new file mode 100644
index 00000000..d4058b80
--- /dev/null
+++ b/puppet/modules/squid_deb_proxy/files/allowed-networks-src.acl.d/20-custom
@@ -0,0 +1 @@
+# managed by puppet
diff --git a/puppet/modules/squid_deb_proxy/files/client/apt-avahi-discover b/puppet/modules/squid_deb_proxy/files/client/apt-avahi-discover
new file mode 100755
index 00000000..8dbc1be2
--- /dev/null
+++ b/puppet/modules/squid_deb_proxy/files/client/apt-avahi-discover
@@ -0,0 +1,138 @@
+#!/usr/bin/python
+#
+# use avahi to find a _apt_proxy._tcp provider and return
+# a http proxy string suitable for apt
+
+import asyncore
+import functools
+import os
+import socket
+import sys
+import time
+from subprocess import Popen, PIPE, call
+from syslog import syslog, LOG_INFO, LOG_USER
+
+DEFAULT_CONNECT_TIMEOUT_SEC = 2
+
+def DEBUG(msg):
+ if "--debug" in sys.argv:
+ sys.stderr.write(msg + "\n")
+
+
+def get_avahi_discover_timeout():
+ APT_AVAHI_TIMEOUT_VAR = "APT::Avahi-Discover::Timeout"
+ p = Popen(
+ ["/usr/bin/apt-config", "shell", "TIMEOUT", APT_AVAHI_TIMEOUT_VAR],
+ stdout=PIPE)
+ stdout, stderr = p.communicate()
+ if not stdout:
+ DEBUG(
+ "no timeout set, using default '%s'" % DEFAULT_CONNECT_TIMEOUT_SEC)
+ return DEFAULT_CONNECT_TIMEOUT_SEC
+ if not stdout.startswith("TIMEOUT="):
+ raise ValueError("got unexpected apt-config output: '%s'" % stdout)
+ varname, sep, value = stdout.strip().partition("=")
+ timeout = int(value.strip("'"))
+ DEBUG("using timeout: '%s'" % timeout)
+ return timeout
+
+@functools.total_ordering
+class AptAvahiClient(asyncore.dispatcher):
+ def __init__(self, addr):
+ asyncore.dispatcher.__init__(self)
+ if is_ipv6(addr[0]):
+ self.create_socket(socket.AF_INET6, socket.SOCK_STREAM)
+ self.connect( (addr[0], addr[1], 0, 0) )
+ else:
+ self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.connect(addr)
+ self._time_init = time.time()
+ self.time_to_connect = sys.maxint
+ self.address = addr
+ def handle_connect(self):
+ self.time_to_connect = time.time() - self._time_init
+ self.close()
+ def __eq__(self, other):
+ return self.time_to_connect == other.time_to_connect
+ def __lt__(self, other):
+ return self.time_to_connect < other.time_to_connect
+ def __repr__(self):
+ return "<%s> %s: %s" % (
+ self.__class__.__name__, self.addr, self.time_to_connect)
+ def log(self, message):
+ syslog((LOG_INFO|LOG_USER), '%s\n' % str(message))
+ def log_info(self, message, type='info'):
+ if type not in self.ignore_log_types:
+ self.log('%s: %s' % (type, message))
+
+
+def is_ipv6(a):
+ return ':' in a
+
+def is_linklocal(addr):
+ # Link-local should start with fe80 and six null bytes
+ return addr.startswith("fe80::")
+
+def get_proxy_host_port_from_avahi():
+ service = '_apt_proxy._tcp'
+
+ # Obtain all of the services addresses from avahi, pulling the IPv6
+ # addresses to the top.
+ addr4 = []
+ addr6 = []
+ p = Popen(['avahi-browse', '-kprtf', service], stdout=PIPE)
+ DEBUG("avahi-browse output:")
+ for line in p.stdout:
+ DEBUG(" '%s'" % line)
+ if line.startswith('='):
+ tokens = line.split(';')
+ addr = tokens[7]
+ port = int(tokens[8])
+ if is_ipv6(addr):
+ # We need to skip ipv6 link-local addresses since
+ # APT can't use them
+ if not is_linklocal(addr):
+ addr6.append((addr, port))
+ else:
+ addr4.append((addr, port))
+
+ # Run through the offered addresses and see if we we have a bound local
+ # address for it.
+ addrs = []
+ for (ip, port) in addr6 + addr4:
+ try:
+ res = socket.getaddrinfo(ip, port, 0, 0, 0, socket.AI_ADDRCONFIG)
+ if res:
+ addrs.append((ip, port))
+ except socket.gaierror:
+ pass
+ if not addrs:
+ return None
+
+ # sort by answering speed
+ hosts = []
+ for addr in addrs:
+ hosts.append(AptAvahiClient(addr))
+ # 2s timeout, arbitray
+ timeout = get_avahi_discover_timeout()
+ asyncore.loop(timeout=timeout)
+ DEBUG("sorted hosts: '%s'" % sorted(hosts))
+
+ # No host wanted to connect
+ if (all(h.time_to_connect == sys.maxint for h in hosts)):
+ return None
+
+ fastest_host = sorted(hosts)[0]
+ fastest_address = fastest_host.address
+ return fastest_address
+
+
+if __name__ == "__main__":
+ # Dump the approved address out in an appropriate format.
+ address = get_proxy_host_port_from_avahi()
+ if address:
+ (ip, port) = address
+ if is_ipv6(ip):
+ print "http://[%s]:%s/" % (ip, port)
+ else:
+ print "http://%s:%s/" % (ip, port)
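Review bot: `asyncore.loop(timeout=timeout)` bounds a single select() pass, not the whole probe, so a candidate whose connection attempts are silently dropped keeps the loop alive until the kernel abandons the connect, and the value read from `APT::Avahi-Discover::Timeout` never actually caps how long apt waits; the `# 2s timeout, arbitray` comment above it is also stale now that the value comes from apt-config. A deadline loop that polls one pass at a time and then closes whatever is still pending enforces the configured timeout, leaving unanswered hosts at `sys.maxint` as the existing all-failed check expects. Separately, the candidate set is whatever advertises `_apt_proxy._tcp` on the local link, with no allow-list; that is worth stating in the header comment, e.g. `# any host on the local network can advertise this service; the choice below rests on apt's repository signature checks, not on this script`, so operators know where the trust boundary sits. The parser at `tokens[7]` / `int(tokens[8])` would also raise on any unexpected avahi-browse line rather than skipping it, which is a separate robustness gap.
```python
    timeout = get_avahi_discover_timeout()
    # APT::Avahi-Discover::Timeout caps the whole probe, not one select() pass
    deadline = time.time() + timeout
    while asyncore.socket_map and time.time() < deadline:
        asyncore.loop(timeout=max(0, deadline - time.time()), count=1)
    # anything still pending has not answered in time; leave it at sys.maxint
    asyncore.close_all()
    # … unchanged: sorted-host debug output and fastest-host selection …
```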
diff --git a/puppet/modules/squid_deb_proxy/files/mirror-dstdomain.acl.d/20-custom b/puppet/modules/squid_deb_proxy/files/mirror-dstdomain.acl.d/20-custom
new file mode 100644
index 00000000..d4058b80
--- /dev/null
+++ b/puppet/modules/squid_deb_proxy/files/mirror-dstdomain.acl.d/20-custom
@@ -0,0 +1 @@
+# managed by puppet