From 268d07db11b04171c7e520bb3209524c392ab6cf Mon Sep 17 00:00:00 2001 From: Geoff Williams Date: Mon, 13 Apr 2015 23:37:41 +1000 Subject: [PATCH 1/2] support for authenticated proxies --- README.md | 27 +++++++++++++++++++++++++++ manifests/init.pp | 1 + templates/squid.conf.long.erb | 2 ++ templates/squid.conf.short.erb | 2 ++ 4 files changed, 32 insertions(+) diff --git a/README.md b/README.md index 0cfcf24..c7beb3e 100644 --- a/README.md +++ b/README.md @@ -37,3 +37,30 @@ class { '::squid3': } ``` +Password protected proxy (basic authentication): +```puppet + class { "::squid3": + template => "short", + auth_required => true, + config_hash => { + "auth_param basic program" => "/usr/lib64/squid/ncsa_auth /etc/squid/squid.passwd", + "auth_param basic realm" => "proxy", + "acl authenticated proxy_auth" => "REQUIRED", + "http_access allow" => "authenticated", + "http_access deny" => "all", + } + } + + file { "/etc/squid/squid.passwd": + ensure => file, + source => "puppet:///modules/profiles/squid.passwd", + owner => "root", + group => "squid", + mode => "0640", + notify => Service["squid"], + } +``` +Here, we have installed the password file we built with `htpasswd` to the squid +directory and have updated squid to use it with the `ncsa_auth` program (this +is a centos box). The `auth_required` attribute disables the rules allowing +`localnet` access in squid.conf. diff --git a/manifests/init.pp b/manifests/init.pp index eac4574..9b68052 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -44,6 +44,7 @@ $config_hash = {}, $refresh_patterns = [], $template = 'long', + $auth_required = false, ) inherits ::squid3::params { $use_template = $template ? { diff --git a/templates/squid.conf.long.erb b/templates/squid.conf.long.erb index 9b59c87..858b735 100644 --- a/templates/squid.conf.long.erb +++ b/templates/squid.conf.long.erb 
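Review bot: The new `$auth_required = false` parameter is consumed by the templates as a Ruby boolean (`<% if not @auth_required -%>`), but nothing in this hunk checks its type, so a string such as `"false"` arriving from Hiera or an ENC is truthy in ERB and silently drops the `localnet`/`localhost` allow rules without any error. If the module already depends on puppetlabs-stdlib, add `validate_bool($auth_required)` alongside the other parameter handling so a mis-typed value fails at catalog compilation rather than changing the access policy. A parameter comment would also help callers understand the blast radius: `# $auth_required: when true, omit the default localnet/localhost allow rules and the trailing "deny all"; the caller must then supply its own http_access rules`. The class body continues outside the hunk, so I cannot see whether other parameters are validated.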
@@ -789,11 +789,13 @@ http_access <%= line %> # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed +<% if not @auth_required -%> http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all +<% end %> # TAG: adapted_http_access # Allowing or Denying access based on defined access lists diff --git a/templates/squid.conf.short.erb b/templates/squid.conf.short.erb index 1ffa0c1..13ed26b 100644 --- a/templates/squid.conf.short.erb +++ b/templates/squid.conf.short.erb @@ -38,9 +38,11 @@ acl <%= line %> <% @http_access.each do |line| -%> http_access <%= line %> <% end -%> +<% if not @auth_required -%> http_access allow localnet http_access allow localhost http_access deny all +<% end -%> # user-defined icp_access <% @icp_access.each do |line| -%> From 3c9e8fa1237967c61c327aa317d4a969a88031f6 Mon Sep 17 00:00:00 2001 From: Geoff Williams Date: Sat, 18 Apr 2015 12:09:35 +1000 Subject: [PATCH 2/2] updated doco to reflect config_hash has gone --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c7beb3e..4defd2f 100644 --- a/README.md +++ b/README.md @@ -42,12 +42,12 @@ Password protected proxy (basic authentication): class { "::squid3": template => "short", auth_required => true, - config_hash => { - "auth_param basic program" => "/usr/lib64/squid/ncsa_auth /etc/squid/squid.passwd", - "auth_param basic realm" => "proxy", - "acl authenticated proxy_auth" => "REQUIRED", - "http_access allow" => "authenticated", - "http_access deny" => "all", + config => { + "auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid.passwd", + "auth_param basic realm proxy", + "acl authenticated proxy_auth REQUIRED", + "http_access allow authenticated", + "http_access deny all", } }
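Review bot: Wrapping `http_access deny all` inside the new `<% if not @auth_required -%>` guard removes the catch-all rule whenever authentication is enabled, and per Squid's documented behaviour an unmatched request then gets the opposite of the last `http_access` rule: if the caller's own rules end with a deny (as the stock `deny !Safe_ports` / `deny CONNECT !SSL_ports` lines do) every unmatched request is allowed and the host becomes an open proxy. Unless the caller's `config`/`http_access` entries are guaranteed to render after this block (not visible in the hunk), consider guarding only the two `allow localnet`/`allow localhost` lines and leaving `http_access deny all` unconditional, or at minimum add a comment in the template that `auth_required => true` obliges the caller to finish with `http_access deny all` as the README example does. Separately, the added `<% end %>` lacks the `-%>` used in the short template, so it emits a stray blank line into squid.conf; `<% end -%>` keeps the output consistent.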
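Review bot: In this template the user-supplied `@http_access` entries visibly render before the new guard, so when `auth_required` is true the generated file ends its access list with whatever the caller's last rule is and no longer has a fail-closed `deny all`; a caller whose last rule is a deny ends up with an open proxy, because Squid defaults unmatched requests to the opposite of the last rule. Since the allow lines are the only ones that should depend on authentication, move `http_access deny all` below `<% end -%>` so it stays unconditional, keeping `auth_required => true` limited to dropping `allow localnet` and `allow localhost`. This assumes the README's `config` entries (`allow authenticated`) are emitted earlier in the file or via `@http_access`; if `config` renders after this block the move would deny authenticated users, so confirm where `config` is expanded before changing it. A Ruby-style nit: `<% unless @auth_required -%>` reads more naturally than `if not`.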