From a67fdc33fee2e59d60ac08afe12d98812529c306 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 31 Jul 2013 11:09:44 +0200
Subject: added default config files for ubuntu+debian, make config files configurable
---
 files/Debian/squid-deb-proxy.conf | 91 +++++++++++++++++++++++++++++++++++++++
 files/Ubuntu/squid-deb-proxy.conf | 89 ++++++++++++++++++++++++++++++++++++++
 manifests/server.pp | 14 ++++++
 3 files changed, 194 insertions(+)
 create mode 100644 files/Debian/squid-deb-proxy.conf
 create mode 100644 files/Ubuntu/squid-deb-proxy.conf
diff --git a/files/Debian/squid-deb-proxy.conf b/files/Debian/squid-deb-proxy.conf
new file mode 100644
index 0000000..2a528f8
--- /dev/null
+++ b/files/Debian/squid-deb-proxy.conf
@@ -0,0 +1,91 @@
+
+# WELCOME TO SQUID DEB PROXY
+# ------------------
+#
+# This config file is a version of a squid proxy file optimized
+# as a configuration for a caching proxy for Debian/Ubuntu systems.
+#
+# More information about squid and its configuration can be found here
+# http://www.squid-cache.org/ and in the FAQ
+
+# settings that you may want to customize
+# ---------------------------------------
+
+# this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
+# 192.168.0.0/16) by default, you can add/remove additional allowed
+# source networks in it to customize it for your setup
+acl allowed_networks src "/etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl"
+
+# this file contains the archive mirrors by default,
+# if you use a different mirror, add it there
+acl to_archive_mirrors dstdomain "/etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl"
+
+# this contains the package blacklist
+acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
+
+# default to a different port than stock squid
+http_port 8000
+
+# -------------------------------------------------
+# settings below probably do not need customization
+
+# user visible name
+visible_hostname squid-deb-proxy
+
+# we need a big cache, some debs are huge
+maximum_object_size 512 MB
+
+# use a different dir than stock squid and default to 40G
+cache_dir aufs /var/cache/squid-deb-proxy 40000 16 256
+
+# use different logs
+cache_access_log /var/log/squid-deb-proxy/access.log
+cache_log /var/log/squid-deb-proxy/cache.log
+cache_store_log /var/log/squid-deb-proxy/store.log
+
+# tweaks to speed things up
+cache_mem 200 MB
+maximum_object_size_in_memory 10240 KB
+
+# pid
+pid_filename /var/run/squid-deb-proxy.pid
+
+# refresh pattern for debs and udebs
+refresh_pattern deb$ 129600 100% 129600
+refresh_pattern udeb$ 129600 100% 129600
+refresh_pattern tar.gz$ 129600 100% 129600
+
+# always refresh Packages and Release files
+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0
+refresh_pattern \/Release(|\.gpg)$ 0 0% 0
+refresh_pattern \/InRelease$ 0 0% 0
+
+# handle meta-release and changelogs.ubuntu.com special
+# (fine to have this on debian too)
+refresh_pattern changelogs.ubuntu.com/* 0 1% 1
+
+# only allow connects to ports for http, https
+acl Safe_ports port 80
+acl Safe_ports port 443 563
+
+# only allow ports we trust
+http_access deny !Safe_ports
+
+# do not allow to download from the pkg blacklist
+http_access deny blockedpkgs
+
+# allow access only to official archive mirrors
+# uncomment the third and fouth line to permit any unlisted domain
+http_access deny !to_archive_mirrors
+#http_access allow !to_archive_mirrors
+
+# don't cache domains not listed in the mirrors file
+# uncomment the third and fourth line to cache any unlisted domains
+cache deny !to_archive_mirrors
+#cache allow !to_archive_mirrors
+
+# allow access from our network and localhost
+http_access allow allowed_networks
+
+# And finally deny all other access to this proxy
+http_access deny all
diff --git a/files/Ubuntu/squid-deb-proxy.conf b/files/Ubuntu/squid-deb-proxy.conf
new file mode 100644
index 0000000..ab5bac8
--- /dev/null
+++ b/files/Ubuntu/squid-deb-proxy.conf
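Review bot: `http_port 8000` binds every interface, so on a dual-homed host the only thing keeping the proxy from serving outside clients is the `allowed_networks` ACL, which by default admits all of 10/8, 172.16/12 and 192.168/16; binding to the internal address, `http_port <internal-ip>:8000` (address is a placeholder), stops exposure from resting on that one ACL file. Unlike stock squid.conf there is also no CONNECT-method rule: 443 and 563 sit in `Safe_ports`, so tunnels are constrained only by the `to_archive_mirrors` dstdomain list, which is fine while `http_access deny !to_archive_mirrors` stays in place but silently disappears if the commented-out `#http_access allow !to_archive_mirrors` line is ever enabled as the comment invites. Both remarks apply equally to the files/Ubuntu hunk, which differs only in comments and ACL names. The `uncomment the third and fouth line` comment (typo aside) refers to lines that do not exist in this two-line block; `uncomment the second line` would match what is actually there.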
@@ -0,0 +1,89 @@
+
+# WELCOME TO SQUID DEB PROXY
+# ------------------
+#
+# This config file is a version of a squid proxy file optimized
+# as a configuration for a caching proxy for Ubuntu systems.
+#
+# More information about squid and its configuration can be found here
+# http://www.squid-cache.org/ and in the FAQ
+
+# settings that you may want to customize
+# ---------------------------------------
+
+# this file contains private networks (10.0.0.0/8, 172.16.0.0/12,
+# 192.168.0.0/16) by default, you can add/remove additional allowed
+# source networks in it to customize it for your setup
+acl allowed_networks src "/etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl"
+
+# this file contains the *archive.ubuntu.com mirrors by default,
+# if you use a different mirror, add it there
+acl to_ubuntu_mirrors dstdomain "/etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl"
+
+# this contains the package blacklist
+acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
+
+# default to a different port than stock squid
+http_port 8000
+
+# -------------------------------------------------
+# settings below probably do not need customization
+
+# user visible name
+visible_hostname squid-deb-proxy
+
+# we need a big cache, some debs are huge
+maximum_object_size 512 MB
+
+# use a different dir than stock squid and default to 40G
+cache_dir aufs /var/cache/squid-deb-proxy 40000 16 256
+
+# use different logs
+cache_access_log /var/log/squid-deb-proxy/access.log
+cache_log /var/log/squid-deb-proxy/cache.log
+cache_store_log /var/log/squid-deb-proxy/store.log
+
+# tweaks to speed things up
+cache_mem 200 MB
+maximum_object_size_in_memory 10240 KB
+
+# pid
+pid_filename /var/run/squid-deb-proxy.pid
+
+# refresh pattern for debs and udebs
+refresh_pattern deb$ 129600 100% 129600
+refresh_pattern udeb$ 129600 100% 129600
+refresh_pattern tar.gz$ 129600 100% 129600
+
+# always refresh Packages and Release files
+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0
+refresh_pattern \/Release(|\.gpg)$ 0 0% 0
+
+# handle meta-release and changelogs.ubuntu.com special
+refresh_pattern changelogs.ubuntu.com/* 0 1% 1
+
+# only allow connects to ports for http, https
+acl Safe_ports port 80
+acl Safe_ports port 443 563
+
+# only allow ports we trust
+http_access deny !Safe_ports
+
+# do not allow to download from the pkg blacklist
+http_access deny blockedpkgs
+
+# allow access only to official ubuntu mirrors
+# uncomment the third and fouth line to permit any unlisted domain
+http_access deny !to_ubuntu_mirrors
+#http_access allow !to_ubuntu_mirrors
+
+# don't cache domains not listed in the mirrors file
+# uncomment the third and fourth line to cache any unlisted domains
+cache deny !to_ubuntu_mirrors
+#cache allow !to_ubuntu_mirrors
+
+# allow access from our network and localhost
+http_access allow allowed_networks
+
+# And finally deny all other access to this proxy
+http_access deny all
diff --git a/manifests/server.pp b/manifests/server.pp
index 62d41c8..94e65f3 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -15,4 +15,18 @@ class squid_deb_proxy::server {
     notify => Service[ 'squid-deb-proxy' ],
     require => Package[ 'squid-deb-proxy' ],
   }
+
+  file {'/etc/squid-deb-proxy/allowed-networks-src.acl.d/20-custom':
+    source => [ 'puppet:///modules/site_squid_deb_proxy/allowed-networks-src.acl.d/20-custom',
+                'puppet:///modules/squid_deb_proxy/allowed-networks-src.acl.d/20-custom' ],
+    notify => Service[ 'squid-deb-proxy' ],
+    require => Package[ 'squid-deb-proxy' ],
+  }
+
+  file { '/etc/squid-deb-proxy/squid-deb-proxy.conf':
+    source => [ "puppet:///modules/site_squid_deb_proxy/${::operatingsystem}/squid-deb-proxy.conf",
+                "puppet:///modules/squid_deb_proxy/${::operatingsystem}/squid-deb-proxy.conf" ],
+    notify => Service[ 'squid-deb-proxy' ],
+    require => Package[ 'squid-deb-proxy' ],
+  }
 }
--
cgit v1.2.3
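Review bot: The Ubuntu file lacks the `refresh_pattern \/InRelease$ 0 0% 0` line that the Debian file carries in its "always refresh Packages and Release files" block, so InRelease responses are not forced fresh and fall through to squid's built-in default refresh rule; a cached InRelease that outlives the Packages index it signs shows up on clients as apt hash-sum mismatches until it expires. If the mirrors listed in `mirror-dstdomain.acl` publish InRelease (current Ubuntu archives do), add `refresh_pattern \/InRelease$ 0 0% 0` directly after the `\/Release(|\.gpg)$` line so the two files agree. The remaining differences from the Debian file are comment text and the `to_ubuntu_mirrors` ACL name, so the `http_port` binding and CONNECT remarks made on that hunk apply here unchanged.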
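Review bot: The second `file` resource selects its source with `${::operatingsystem}`, and this commit only adds `files/Debian` and `files/Ubuntu`, so an agent reporting any other value (a Debian or Ubuntu derivative, going by the fact's usual values) fails the whole catalog with "no matching source" rather than just skipping this file; appending a last-resort entry such as `'puppet:///modules/squid_deb_proxy/Debian/squid-deb-proxy.conf'` to the source array, or keying on `$::osfamily` instead, keeps the resource applying. Neither new resource sets `owner`, `group` or `mode`, so the permissions of the ACL file and the proxy config are whatever the agent defaults to; `owner => 'root', group => 'root', mode => '0644'` pins them, and is worth having on a file that decides which networks may use the proxy. Minor style point: `file {'/etc/squid-deb-proxy/allowed-networks-src.acl.d/20-custom':` omits the space after the brace that the sibling `file { '/etc/squid-deb-proxy/squid-deb-proxy.conf':` uses.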