squid Cookbook
Installs and configures Squid as a caching proxy.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
Platforms
- Debian 10+
- Ubuntu 16.04+
- RHEL/CentOS/Scientific 7+
- openSUSE / openSUSE Leap
- FreeBSD 11+
Chef
- Chef 13+
Cookbooks
- none
Recipes
default
The default recipe installs squid and sets up simple proxy caching. As of now, the options you may change are the port (node['squid']['port']) and the network the caching proxy is available on. The network defaults to the subnet derived from node.ipaddress (i.e. "192.168.1.0/24") but may be overridden with node['squid']['network']. The size of objects allowed to be stored has been bumped up to allow for caching of installation files. An optional node['squid']['cache_peer'], if set, will be written verbatim to the template. On Red Hat based platforms, this cookbook supports customizing the maximum number of file descriptors that Squid may open (node['squid']['max_file_descriptors']). The default value is 1024.
Usage
Include the squid recipe on the server. Other nodes may search for this node as their caching proxy and use the node.ipaddress and node['squid']['port'] to point at it.
Data bags can be used to store host and URL ACLs, and to define which hosts/nets are able to access which hosts/URLs.
LDAP Authentication
- Set node['squid']['enable_ldap'] to true.
- Modify the LDAP attributes for your environment.
  - If you use anonymous bindings, two attributes are optional, ['squid']['ldap_binddn'] and ['squid']['ldap_bindpassword'].
  - All other attributes are required.
  - See http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap for further help.
- To create the LDAP ACLs in squid.conf, you also need the two ldap_auth databag items as shown in the LDAP Databags below.
Example Databags
squid_urls - yubikey item
{
  "urls": [
    "^https://api.yubico.com/wsapi/2.0/verify"
  ],
  "id": "yubikey"
}
squid_hosts - bastion item
{
  "type": "src",
  "id": "bastion",
  "net": [
    "192.168.0.2/32"
  ]
}
squid_acls - bastion item
{
  "id": "bastion",
  "acl": [
    [
      "yubikey",
      "allow"
    ],
    [
      "yubikey",
      "deny",
      "!"
    ],
    [
      "all",
      "deny"
    ]
  ]
}
LDAP Databags
The following two data bags are only required if you are using LDAP Authentication.
squid_hosts - ldap_auth item
{
  "type": "proxy_auth",
  "id": "ldap_auth",
  "net": [
    "REQUIRED"
  ]
}
squid_acls - ldap_auth item
{
  "id": "ldap_auth",
  "acl": [
    [
      "",
      "allow"
    ]
  ]
}
Additional configuration files
- Set node['squid']['config_include_dir'] to the directory of your additional files, e.g. /etc/squid/conf.d
- It is recommended that you set node['squid']['http_access_deny_all'] and node['squid']['icp_access_deny_all'] to false because the include statement is at the bottom of squid.conf. Otherwise http_access allow statements in the additional configuration files may not be evaluated.
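The ordering problem described above, as an added example that is not part of the cookbook: a small Ruby check that expands include lines and reports http_access/icp_access rules placed after a catch-all rule, which Squid never reaches because it stops at the first matching rule. The sample squid.conf text, the include file and its path are constructed for illustration.

```ruby
# Added example (not cookbook code): flag http_access/icp_access rules that
# Squid can never reach because a catch-all "deny all"/"allow all" precedes them.
# Squid evaluates each access list top-down and stops at the first match.

CHECKED = %w[http_access icp_access].freeze

# Expand "include <glob>" lines in place. `files` maps path => content so the
# example runs offline; a real check would read the files from disk instead.
def expand_includes(conf, files)
  conf.each_line.flat_map do |line|
    m = line.match(/\A\s*include\s+(\S+)/)
    next [["squid.conf", line.strip]] unless m
    files.select { |path, _| File.fnmatch(m[1], path) }.sort.flat_map do |path, body|
      body.each_line.map { |l| [path, l.strip] }
    end
  end
end

# Returns [[file, rule], ...] for every rule placed after a catch-all.
def unreachable_rules(conf, files = {})
  closed = {}
  expand_includes(conf, files).each_with_object([]) do |(file, line), out|
    directive, action, *acls = line.sub(/#.*/, "").split
    next unless CHECKED.include?(directive)
    out << [file, line] if closed[directive]
    closed[directive] = true if %w[allow deny].include?(action) && acls == ["all"]
  end
end

# Constructed sample input: main file ends with deny-all, then the include.
MAIN_DENY_FIRST = <<~CONF
  acl localnet src 192.168.1.0/24
  http_access allow localnet
  http_access deny all
  icp_access deny all
  include /etc/squid/conf.d/*.conf
CONF

# Same file with the catch-all lines left out.
MAIN_NO_DENY = MAIN_DENY_FIRST.lines.reject { |l| l.include?("deny all") }.join

# Constructed include file; the path follows the README's conf.d example.
INCLUDED = {
  "/etc/squid/conf.d/bastion.conf" =>
    "acl bastion src 192.168.0.2/32\nhttp_access allow bastion\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  unreachable_rules(MAIN_DENY_FIRST, INCLUDED).each { |f, r| puts "#{f}: unreachable: #{r}" }
end
```

With the catch-all removed from squid.conf, Squid applies the opposite of the last rule in the list when nothing matches, so the included files should end with their own explicit deny all.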
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.