From a049188b6899f2500d15059790afee3abed52275 Mon Sep 17 00:00:00 2001
From: ashaposhnikov
Date: Mon, 11 Mar 2013 11:45:43 +0000
Subject: [PATCH] Squid config tune. Iptables rule added.

---
 deployment/puppet/cobbler/manifests/iptables.pp | 4 +++-
 deployment/puppet/squid/manifests/params.pp | 16 +++++-----------
 deployment/puppet/squid/templates/squid.conf.erb | 10 +++++-----
 iso/bootstrap_admin_node.sh | 13 ++++++-------
 4 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/deployment/puppet/cobbler/manifests/iptables.pp b/deployment/puppet/cobbler/manifests/iptables.pp
index 81dc2c81fb..d63df299a9 100644
--- a/deployment/puppet/cobbler/manifests/iptables.pp
+++ b/deployment/puppet/cobbler/manifests/iptables.pp
@@ -49,8 +49,10 @@ class cobbler::iptables {
   # DHCP
   access_to_cobbler_port { "dhcp_67": port => '67', protocol => 'udp' }
   access_to_cobbler_port { "dhcp_68": port => '68', protocol => 'udp' }
+  # SQUID PROXY
+  access_to_cobbler_port { "http_3128": port => '3128',protocol => 'tcp' }
   # PXE
-  access_to_cobbler_port { "pxe_4011": port => '4011', protocol => 'udp' }
+  access_to_cobbler_port { "pxe_4011": port => '4011',protocol => 'udp' }
   # TFTP
   access_to_cobbler_port { "tftp_tcp": port => '69' }
   access_to_cobbler_port { "tftp_udp": port => '69', protocol => 'udp' }
diff --git a/deployment/puppet/squid/manifests/params.pp b/deployment/puppet/squid/manifests/params.pp
index 0a28a887ac..dc94379020 100644
--- a/deployment/puppet/squid/manifests/params.pp
+++ b/deployment/puppet/squid/manifests/params.pp
@@ -3,7 +3,11 @@
 # Sets internal variables and defaults for squid module
 # This class is automatically loaded in all the classes that use the values set here
 #
-class squid::params {
+class squid::params (
+  $cache_size = 4096,
+  $cache_mem = 128,
+)
+  {
   ## DEFAULTS FOR VARIABLES USERS CAN SET
   # (Here are set the defaults, provide your custom variables externally)
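Review bot: The new `http_3128` rule opens the Squid port through the admin node firewall, and nothing in this hunk scopes it to the management network; whether other interfaces can reach it depends on how `access_to_cobbler_port` is defined outside the hunk. Since squid.conf.erb in the same commit admits every RFC1918 source, the rule deserves a comment recording the intended audience, e.g. `# SQUID PROXY - for nodes on the admin network only; keep in step with the localnet acl in squid.conf.erb`. The `pxe_4011` line changes only by dropping the space after the comma, and the new line has the same defect; keep the list formatting consistent with the neighbouring entries: `access_to_cobbler_port { "http_3128": port => '3128', protocol => 'tcp' }`.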
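Review bot: `$cache_size` and `$cache_mem` become class parameters without any description of what they mean or their units (presumably megabytes, as consumed by squid.conf.erb — worth confirming there), and the header comment still on the hunk's last line, `# (Here are set the defaults, provide your custom variables externally)`, now describes the old top-scope `$squid_cache_size`/`$squid_cache_mem` lookup that the second hunk of this file deletes, so it tells readers to set variables that no longer do anything. Note also that the module defaults move from 100/8 to 4096/128 for every user of the class, not only this deployment, which the commit message does not mention. Suggest a one-line comment above each parameter (`# cache_dir size, MB` / `# cache_mem, MB`), rewording the header to say values are now class parameters, and the conventional `) {` instead of `)` followed by an indented `{` on its own line.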
@@ -70,16 +74,6 @@ class squid::params { default => "${squid_cache_dir_type}", } - $cache_size = $squid_cache_size ? { - '' => "100", - default => "${squid_cache_size}", - } - - $cache_mem = $squid_cache_mem ? { - '' => "8", - default => "${squid_cache_mem}", - } - $cache_parent = $squid_cache_parent ? { default => "${squid_cache_parent}", } diff --git a/deployment/puppet/squid/templates/squid.conf.erb b/deployment/puppet/squid/templates/squid.conf.erb index 2e048ac32c..1627704546 100644 --- a/deployment/puppet/squid/templates/squid.conf.erb +++ b/deployment/puppet/squid/templates/squid.conf.erb @@ -589,9 +589,9 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed -#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network -#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # <% if (scope.lookupvar('squid::params::default_acls') == true) -%> acl SSL_ports port 443 @@ -654,7 +654,7 @@ http_access deny CONNECT !SSL_ports # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed -#http_access allow localnet +http_access allow localnet http_access allow localhost <% end -%> 
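Review bot: Enabling all three `acl localnet src` RFC1918 ranges and, in the second hunk of this file, `http_access allow localnet` makes the proxy usable by any host on any private network that can reach port 3128, not just the admin network this deployment serves, and with the `http_3128` rule added in iptables.pp that reachable set is the whole routed private address space. The three acl lines sit before the `default_acls` conditional, so they land in every generated config; the `http_access allow localnet` line appears to be inside that conditional, judging from the `<% end -%>` that follows it. A narrower rule would derive the acl from the same management network the bootstrap script already knows (`$mgmt_ip/$mgmt_mask`) through a new template parameter, e.g. `acl localnet src <%= MGMT_NETWORK_PARAM %>` where MGMT_NETWORK_PARAM is a placeholder for the parameter to be added to squid::params, and a comment above the acl stating that it deliberately mirrors the nat REDIRECT source filter.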
@@ -892,7 +892,7 @@ htcp_access deny all
 #
 # Squid normally listens to port 3128
 <% if (scope.lookupvar('squid::params::http_port_options') == "") -%>
-http_port <%= scope.lookupvar('squid::params::http_port') %>
+http_port <%= scope.lookupvar('squid::params::http_port') %> transparent
 <% else %>
 http_port <%= scope.lookupvar('squid::params::http_port') %> <%= scope.lookupvar('squid::params::http_port_options') %>
 <% end %>
diff --git a/iso/bootstrap_admin_node.sh b/iso/bootstrap_admin_node.sh
index ee4f2afc2a..52f17de136 100644
--- a/iso/bootstrap_admin_node.sh
+++ b/iso/bootstrap_admin_node.sh
@@ -63,7 +63,7 @@ puppet apply -e "
   arch => 'x86_64',
   breed => 'redhat',
   osversion => 'rhel6',
-  ksmeta => 'tree=http://mirror.stanford.edu/yum/pub/centos', }
+  ksmeta => 'tree=http://mirror.stanford.edu/yum/pub/centos/6.3/os/x86_64', }
 class { 'cobbler::profile::centos63_x86_64': }"
 puppet apply -e '
@@ -84,10 +84,9 @@ puppet apply -e '
   stomppassword => $stomppassword,
   stomphost => $stomphost,
   stompport => $stompport
-  }
-  class { squid:
-    squid_cache_size => 4096,
-    squid_cache_mem => 128
-  }'
+  } '
+puppet apply -e 'class { squid: }'
+iptables -A PREROUTING -t nat -i $mgmt_if -s $mgmt_ip/$mgmt_mask ! -d $mgmt_ip -p tcp --dport 80 -j REDIRECT --to-port 3128
+
 gem install /var/www/astute-0.0.1.gem
-) >> $log
\ No newline at end of file
+) >> $log
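Review bot: `transparent` is appended only in the `http_port_options == ""` branch, so any deployment that sets `http_port_options` silently gets a plain forward-proxy port while the nat REDIRECT added in bootstrap_admin_node.sh keeps delivering intercepted port-80 traffic to it. Either append the mode in both branches or fold it into the default options so the two cannot drift apart. On Squid 3.1 and later the option is spelled `intercept`, with `transparent` kept as a deprecated alias, which is worth recording on the line: `# intercept mode (spelled 'transparent' before Squid 3.1); required by the nat REDIRECT rule in iso/bootstrap_admin_node.sh`.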
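Review bot: The `iptables -A PREROUTING -t nat ...` line is a one-shot command that is never saved, so the REDIRECT disappears at the next reboot while the puppet-managed cobbler rules survive, and because it uses `-A` every re-run of the script appends a duplicate copy. Manage it alongside the `http_3128` rule in cobbler::iptables, or at minimum persist it with `service iptables save` after adding it, and quote the variables: `-i "$mgmt_if" -s "$mgmt_ip/$mgmt_mask" ! -d "$mgmt_ip"`. The redirect target 3128 is also hard-coded here and in iptables.pp while Squid itself listens on `squid::params::http_port`; the three should come from one value. The `puppet apply -e '` invocation that this hunk closes starts before the hunk.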