Squid config tune. Iptables rule added.

2013-03-11 11:45:43 +00:00 · 2013-03-11 11:45:43 +00:00 · a049188b68
commit a049188b68
parent c1594d80c5
4 changed files with 19 additions and 24 deletions
--- a/deployment/puppet/cobbler/manifests/iptables.pp
+++ b/deployment/puppet/cobbler/manifests/iptables.pp
@ -49,6 +49,8 @@ class cobbler::iptables {
  # DHCP
  access_to_cobbler_port { "dhcp_67":    port => '67',  protocol => 'udp' }
  access_to_cobbler_port { "dhcp_68":    port => '68',  protocol => 'udp' }
+  # SQUID PROXY
+  access_to_cobbler_port { "http_3128":  port => '3128',protocol => 'tcp' }
  # PXE
  access_to_cobbler_port { "pxe_4011":   port => '4011',protocol => 'udp' }
  # TFTP
--- a/deployment/puppet/squid/manifests/params.pp
+++ b/deployment/puppet/squid/manifests/params.pp
@ -3,7 +3,11 @@
 # Sets internal variables and defaults for squid module
 # This class is automatically loaded in all the classes that use the values set here 
 #
-class squid::params  {
+class squid::params (
+   $cache_size = 4096,
+   $cache_mem = 128,
+)
+  {

 ## DEFAULTS FOR VARIABLES USERS CAN SET
 # (Here are set the defaults, provide your custom variables externally)
@ -70,16 +74,6 @@ class squid::params  {
        default => "${squid_cache_dir_type}",
    }

-    $cache_size = $squid_cache_size ? {
-        ''      => "100",
-        default => "${squid_cache_size}",
-    }
-
-    $cache_mem = $squid_cache_mem ? {
-        ''      => "8",
-        default => "${squid_cache_mem}",
-    }
-
    $cache_parent = $squid_cache_parent ? {
        default => "${squid_cache_parent}",
    }
--- a/deployment/puppet/squid/templates/squid.conf.erb
+++ b/deployment/puppet/squid/templates/squid.conf.erb
@ -589,9 +589,9 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
-#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
-#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
-#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
 #
 <% if (scope.lookupvar('squid::params::default_acls') == true) -%>
 acl SSL_ports port 443
@ -654,7 +654,7 @@ http_access deny CONNECT !SSL_ports
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
-#http_access allow localnet
+http_access allow localnet
 http_access allow localhost
 <% end -%>

@ -892,7 +892,7 @@ htcp_access deny all
 #
 # Squid normally listens to port 3128
 <% if (scope.lookupvar('squid::params::http_port_options') == "") -%>
-http_port <%= scope.lookupvar('squid::params::http_port') %>
+http_port <%= scope.lookupvar('squid::params::http_port') %> transparent
 <% else %>
 http_port <%= scope.lookupvar('squid::params::http_port') %> <%= scope.lookupvar('squid::params::http_port_options') %>
 <% end %>
--- a/iso/bootstrap_admin_node.sh
+++ b/iso/bootstrap_admin_node.sh
@ -63,7 +63,7 @@ puppet apply -e "
        arch      => 'x86_64',
        breed     => 'redhat',
        osversion => 'rhel6',
-        ksmeta    => 'tree=http://mirror.stanford.edu/yum/pub/centos', }
+        ksmeta    => 'tree=http://mirror.stanford.edu/yum/pub/centos/6.3/os/x86_64', }
    class { 'cobbler::profile::centos63_x86_64': }"

 puppet apply -e '
@ -84,10 +84,9 @@ puppet apply -e '
 	stomppassword => $stomppassword,
 	stomphost => $stomphost,
 	stompport => $stompport
-    } 
-    class { squid:
-	squid_cache_size => 4096,
-	squid_cache_mem  => 128
    } '
+puppet apply -e 'class { squid: }'
+iptables -A PREROUTING -t nat -i $mgmt_if -s $mgmt_ip/$mgmt_mask ! -d $mgmt_ip -p tcp --dport 80 -j REDIRECT --to-port 3128
+
 gem install /var/www/astute-0.0.1.gem
 ) >> $log