puppet-squid3

Overview

Install, enable and configure a Squid 3 http proxy server with its main configuration file options.

  • squid3 : Main class for the Squid 3 http proxy server.

Examples

Basic memory caching proxy server:

include squid3

Non-caching multi-homed proxy server:

class { '::squid3':
  acl => [
    'country_de myip 192.168.1.1',
    'country_fr myip 192.168.1.2',
    'office src 10.0.0.0/24',
  ],
  http_access => [
    'allow office',
  ],
  cache => [ 'deny all' ],
  via => 'off',
  tcp_outgoing_address => [
    '192.168.1.1 country_de',
    '192.168.1.2 country_fr',
  ],
  server_persistent_connections => 'off',
}

Caveats

Upgrading Squid 3 from version 3.2 to 3.3 breaks the generated configuration file. To fix this, disable the deprecated options:

class { '::squid3':
  use_deprecated_opts => false
}

puppet-squid3's People

Contributors

actionjack, cliffano, edupr91, geoffwilliams, jinnko, pecastro, rjpearce, rwf14f, sethlyons, thias, tinnightcap, velothump, wunzeco


puppet-squid3's Issues

implicit `http_access` rules may have unintended consequences

https://github.com/thias/puppet-squid3/blob/master/templates/squid.conf.short.erb#L41-43

I've implemented Squid as a whitelist HTTP proxy for a secure network segment. The config looks like the following:

# user-defined ACLs
acl whitelist dstdomain foo.com
acl whitelist dstdomain bar.com
acl whitelist dstdomain baz.com

# user-defined http_accesses
http_access allow whitelist
http_access allow localnet
http_access allow localhost
http_access deny all

`http_access allow localnet` will allow all requests from my "secure intranet segment". If I add an additional `http_access deny all` to "user-defined http_accesses", then the behavior is consistent with my goals/expectations, but it results in duplicate `http_access deny all` rules.

A potential fix would be to have these rules as default values on a parameter, or to not include any defaults and document that adding `http_access deny all` is probably a very good idea. The module seems to assume you know how to read/write squid.conf; I don't think it's unfair to tell users they need to explicitly manage all the rules.

Compatibility issue with Puppet 3.2.4

Using the module with Puppet v3.2.4 results in an error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter validate_cmd at /.../modules/squid3/manifests/init.pp:65 on node ...
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

The forge page says it is compatible with Puppet >=2.7.20 <4.1.0

Support for FreeBSD

Support for FreeBSD should be trivial by the looks of it.

Here are the relevant paths (pulled from 2.7; the paths, where relevant, are the same for 3.x), if you wouldn't mind adding support:

Config file: /usr/local/etc/squid/squid.conf
cache_dir: /var/squid/cache
access_log: /var/squid/logs/access.log
cache_log: /var/squid/logs/cache.log
cache_store_log: /var/squid/logs/store.log
pid_filename: /var/squid/logs/squid.pid
netdb_filename: /var/squid/logs/netdb.state
coredump_dir: /var/squid/cache

Fix hardcoded log format

Currently the log format in this module is hard-coded to timestamps as epoch rather than something readable (and easy to grep etc...).

https://github.com/thias/puppet-squid3/blob/master/manifests/params.pp#L53

The variable logformat can be used in squid.conf to set the log format as per https://github.com/thias/puppet-squid3/blob/master/templates/squid.conf.documented#L2258

Example:

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %

access_log /var/log/squid/access.log squid
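The issue above concerns the default native `squid` log format that the module hard-codes, whose first field is a UNIX epoch timestamp with millisecond precision. The following reader is an added illustration, not code from puppet-squid3 or from the issue author: it converts that timestamp to a readable UTC string so the log can be grepped by time, and tallies `TCP_DENIED` entries per client, which is the first thing to watch on a whitelist proxy. The three log lines are constructed for the example, and the field layout assumed is Squid 3.x's built-in `logformat squid` (`%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt`); a custom `logformat` like the one proposed in the issue changes the layout and this parser would have to follow it.

```python
"""Reader for Squid's native 'squid' access.log format (added example, not part
of puppet-squid3). Field order, left to right:
  epoch.ms  elapsed_ms  client  result/status  bytes  method  url  user  hierarchy/peer  content-type
The SAMPLE_LOG lines below are constructed, not captured from a real proxy."""

from collections import Counter
from datetime import datetime, timezone

SAMPLE_LOG = """\
1415356272.123    245 10.0.0.5 TCP_MISS/200 1523 GET http://foo.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1415356273.004      0 10.0.0.5 TCP_DENIED/403 3621 GET http://evil.example/payload.bin - HIER_NONE/- text/html
1415356280.510    102 10.0.0.7 TCP_DENIED/403 3620 CONNECT evil.example:443 - HIER_NONE/- text/html
"""


def epoch_to_utc(field):
    """'1415356272.123' -> '2014-11-07 10:31:12.123'.

    The seconds and the millisecond suffix are split as strings so no
    floating-point rounding can creep into the printed timestamp."""
    seconds, _, millis = field.partition('.')
    stamp = datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
    return '%s.%s' % (stamp, millis or '000')


def parse_line(line):
    """Split one native-format line into a dict; raise ValueError on anything else."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError('not a 10-field native squid log line: %r' % line)
    ts, elapsed, client, result_status, size, method, url, user, hier_peer, ctype = parts
    result, status = result_status.split('/', 1)      # e.g. TCP_DENIED / 403
    hierarchy, peer = hier_peer.split('/', 1)         # e.g. HIER_DIRECT / 93.184.216.34
    return {
        'time': epoch_to_utc(ts),
        'epoch': ts,
        'elapsed_ms': int(elapsed),
        'client': client,
        'result': result,
        'status': int(status),
        'bytes': int(size),
        'method': method,
        'url': url,
        'user': user,
        'hierarchy': hierarchy,
        'peer': peer,
        'content_type': ctype,
    }


def parse_log(text):
    """Parse every non-empty line of an access.log body."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_per_client(records):
    """Count TCP_DENIED entries by client address: hosts repeatedly hitting
    the deny rule are either misconfigured or probing past the whitelist."""
    return Counter(r['client'] for r in records if r['result'] == 'TCP_DENIED')


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r['time'], r['client'], r['result'], r['method'], r['url'])
    print(dict(denied_per_client(recs)))
```

Run it as a script to see the readable timestamps and the per-client denial counts; feed `parse_log` the contents of `/var/log/squid/access.log` (or the Debian `/var/log/squid3/` path) for real data.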

Restart of service is not restart

resource in init.pp:

service { 'squid3_service':
  enable    => true,
  name      => $service_name,
  ensure    => running,
  restart   => "service ${service_name} reload",
  path      => ['/sbin', '/usr/sbin'],
  hasstatus => true,
  require   => Package['squid3_package'],
}

The restart command is only a reload. The problem is that it doesn't activate all settings.
Can you modify this to a real restart?

Fix hardcoded coredump_dir value in template.

The value of coredump_dir in squid.conf.short.erb is hardcoded as "/var/spool/squid", which is incorrect for Debian-family operating systems. Use this instead:

coredump_dir                               <%= @coredump_dir %>

Module does not support Debian 9

Debian 9 uses the same package naming and directory structure as Ubuntu 16.04 and above. I am about to submit a pull request that treats them equally.

ACL for allowing access to "localnet" should be configurable

The ACL rule below is a default configuration in the squid.conf templates (short and long) and so always gets applied with this module:

http_access allow localnet

However, this is not always desirable. For instance, assume you want to restrict outbound internet access from your private network to a few whitelisted sites. In this case the desired ACL in squid.conf should look like the one below to achieve the expected access restriction.

<...snip...>
# user-defined ACLs
acl sitesWhitelist dstdomain "/etc/squid3/sites.whitelist"

# user-defined http_accesses
http_access allow localnet sitesWhitelist
http_access allow localhost
http_access deny all

<...snip...>
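Both this issue and the earlier "implicit `http_access` rules" issue come down to how Squid evaluates `http_access`: lines are tested top to bottom, every ACL named on a line must match for that line to fire (AND within a line, OR across lines), `!name` negates one ACL, and if nothing matches the result is the opposite of the last line's action. The following emulator is an added illustration, not code from puppet-squid3 or from either issue's author; it implements only the ACL types used on this page (`src`, `dstdomain`, the built-in `all`) and runs the two constructed configurations side by side: the module's defaults with the template's implicit `allow localnet`, and the restricted version with `allow localnet sitesWhitelist` followed by `deny all`.

```python
"""Emulator of Squid's http_access decision (added example, not part of
puppet-squid3). Supports 'acl NAME src CIDR...', 'acl NAME dstdomain HOST...',
the built-in 'all', '!NAME' negation, and Squid's default of the opposite of
the last line when no line matches. Configs and addresses are constructed."""

import ipaddress
from collections import defaultdict

# Constructed to mirror the first issue: user rules, then the template's implicit rules.
MODULE_DEFAULT = """\
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localhost src 127.0.0.1/32

# user-defined ACLs
acl whitelist dstdomain foo.com
acl whitelist dstdomain bar.com

# user-defined http_accesses
http_access allow whitelist

# rules the template appends unconditionally (as reported)
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Constructed to mirror the restricted configuration this issue asks for.
RESTRICTED = """\
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl sitesWhitelist dstdomain foo.com bar.com

http_access allow localnet sitesWhitelist
http_access allow localhost
http_access deny all
"""


def parse_config(text):
    """Return (acls, rules): acls maps name -> [(type, value)...],
    rules is the ordered list of (action, [acl names]) from http_access lines."""
    acls = defaultdict(list)
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'acl':
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls[name].extend((acl_type, v) for v in values)
        elif parts[0] == 'http_access':
            rules.append((parts[1], parts[2:]))
        # other directives (cache, via, ...) do not affect http_access
    return acls, rules


def acl_matches(acls, name, src_ip, dst_host):
    """True if ACL `name` matches a request from src_ip to dst_host."""
    if name == 'all':
        return True
    if name not in acls:
        raise KeyError('undefined ACL %r (Squid would refuse to start)' % name)
    ip = ipaddress.ip_address(src_ip)
    host = dst_host.lower().rstrip('.')
    for acl_type, value in acls[name]:
        if acl_type == 'src':
            if ip in ipaddress.ip_network(value, strict=False):
                return True
        elif acl_type == 'dstdomain':
            v = value.lower()
            # '.example.com' matches the domain and all subdomains; 'example.com' only itself
            if v.startswith('.') and (host == v[1:] or host.endswith(v)):
                return True
            if not v.startswith('.') and host == v:
                return True
        else:
            raise ValueError('ACL type %r not emulated here' % acl_type)
    return False


def decide(config_text, src_ip, dst_host):
    """Return 'allow' or 'deny' for one request, following Squid's first-match rule."""
    acls, rules = parse_config(config_text)
    for action, names in rules:
        # every ACL on the line must match; '!' flips the sense of a single ACL
        if all(acl_matches(acls, n.lstrip('!'), src_ip, dst_host) != n.startswith('!')
               for n in names):
            return action
    if not rules:
        return 'deny'                                          # no http_access lines: deny
    return 'deny' if rules[-1][0] == 'allow' else 'allow'      # opposite of the last line


if __name__ == '__main__':
    for label, cfg in (('module default', MODULE_DEFAULT), ('restricted', RESTRICTED)):
        for client, host in (('10.0.0.5', 'foo.com'), ('10.0.0.5', 'evil.example'),
                             ('203.0.113.9', 'foo.com')):
            print('%-14s %-12s -> %-13s %s' % (label, client, host, decide(cfg, client, host)))
```

Two things fall out of the run. With the module defaults, `10.0.0.5 -> evil.example` is allowed because `allow localnet` fires before `deny all`; the whitelist never gets a chance to deny. The same defaults also allow `203.0.113.9 -> foo.com`, since `http_access allow whitelist` names only a `dstdomain` ACL and therefore applies to any source address, which is why the restricted version pairs the source and destination ACLs on one line.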

New squid breaks things

In their infinite wisdom the squid folks have 'built in' the ACLs manager, localhost and to_localhost.

This means that putting those in the config file now causes this error:

Error: Could not start Service[squid3_service]: Execution of '/usr/sbin/squid3 start' returned 1: 2014/11/07 10:31:12| aclParseAclLine: ACL 'manager' already exists with different type.
FATAL: Bungled /etc/squid3/squid.conf line 642: acl manager proto cache_object
Squid Cache (Version 3.3.8): Terminated abnormally.

Squid Cache: Version 3.3.8

enable => true failure

When the manifest reads enable => true on Ubuntu 14.04, it throws the following error:

change from false to true failed: Execution of '/usr/sbin/update-rc.d squid3 defaults' returned 1: update-rc.d: /etc/init.d/squid3: file does not exist

Missing "max_filedescriptors" parameter.

Hi,

We use this module at the moment, but we now need the "max_filedescriptors" parameter, which is not supported by the module. Without this parameter we cannot use the module. So, is it possible to implement it?

Thanks A Lot In Advance,

Tarkan

'Error: comparison of String with 6 failed' in Centos 7

The CentOS Project has adopted a new rule for version numbers. The major number matches the RHEL major number, but the minor number is generated from the release date, for example CentOS 7.1407.

You need to use "operatingsystemmajrelease" and not "operatingsystemrelease" in squid3::params.
