- serverinfo
- snmpd
- spamassassin
- - squid
- ssl
- stateofthemap
- subversion
- name: spamassassin
run_list:
- recipe[spamassassin::default]
- - name: squid
- run_list:
- - recipe[squid::default]
- name: ssl
run_list:
- recipe[ssl::default]
uri "ppa:osmadmins/ppa"
end
-apt_repository "squid2" do
- action repository_actions["squid2"]
- uri "ppa:osmadmins/squid2"
-end
-
-apt_repository "squid3" do
- action repository_actions["squid3"]
- uri "ppa:osmadmins/squid3"
-end
-
-apt_repository "squid4" do
- action repository_actions["squid4"]
- uri "ppa:osmadmins/squid4"
-end
-
apt_repository "management-component-pack" do
action repository_actions["management-component-pack"]
uri "https://downloads.linux.hpe.com/SDR/repo/mcp"
+++ /dev/null
-#!/bin/sh
-#
-# Plugin to monitor the number of IPs being slowed down by Squid delay pools
-# This monitors the number of IPs being delayed in the last 128 pools, which
-# are the normal requests.
-#
-# Parameters:
-#
-# config (required)
-# autoconf (optional - used by munin-config)
-#
-
-if [ "$1" = "config" ]; then
-
- echo 'graph_title IPs being delayed with referer'
- echo 'graph_args --base 1000 -l 0'
- echo 'graph_vlabel IPs'
- echo 'graph_category squid'
- echo 'squid_delay1.label IPs'
- echo 'squid_delay1.min 0'
- echo 'squid_delay1.draw AREA'
-
- exit 0
-fi
-
-req0=`squidclient -h 127.0.0.1 mgr:delay|awk '\$1 == "Pool:" && \$2 < 128 { pr = 0; } \$1 == "Pool:" && \$2 >= 128 { pr = 1; } { if (pr) { print \$0; } }'|fgrep Current|egrep --count '[0-9]{1,3}:-?[0-9]{1,3} '`
-
-echo "squid_delay1.value " `expr 0 + $req0`
+++ /dev/null
-#!/bin/sh
-#
-# Plugin to monitor the number of IPs being slowed down by Squid delay pools
-# This monitors the number of IPs being delayed in the first 128 pools, which
-# are the ones which have no referer.
-#
-# Parameters:
-#
-# config (required)
-# autoconf (optional - used by munin-config)
-#
-
-if [ "$1" = "config" ]; then
-
- echo 'graph_title No-referer IPs being delayed'
- echo 'graph_args --base 1000 -l 0'
- echo 'graph_vlabel IPs'
- echo 'graph_category squid'
- echo 'squid_delay2.label IPs'
- echo 'squid_delay2.min 0'
- echo 'squid_delay2.draw AREA'
-
- exit 0
-fi
-
-req0=`squidclient -h 127.0.0.1 mgr:delay|awk '\$1 == "Pool:" && \$2 < 128 { pr = 1; } \$1 == "Pool:" && \$2 >= 128 { pr = 0; } { if (pr) { print \$0; } }'|fgrep Current|egrep --count '[0-9]{1,3}:-?[0-9]{1,3} '`
-
-echo "squid_delay2.value " `expr 0 + $req0`
+++ /dev/null
-#!/usr/bin/perl -w
-# -*- perl -*-
-
-=head1 NAME
-
-squid_icp - Plugin to graph traffic to the ICP peers
-
-=head1 CONFIGURATION
-
-The following configuration variables are used by this plugin:
-
- [squid_icp]
- env.squidhost - host (default "localhost")
- env.squidport - port (default "3128")
- env.squiduser - username (default "")
- env.squidpasswd - password (default "")
-
-=head1 ABOUT
-
-When using squid as a "load balancer" (of sorts), who gets the
-request?
-
-=head1 AUTHORS
-
-Copyright (C) 2004 Jimmy Olsen
-
-=head1 LICENSE
-
-Gnu GPLv2
-
-=begin comment
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 dated June, 1991.
-
-This program is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-02110-1301 USA.
-
-=end comment
-
-=head1 MAGIC MARKERS
-
- #%# family=manual
- #%# capabilities=autoconf
-
-=cut
-
-my $ret = undef;
-
-if (! eval "require IO::Socket;")
-{
- $ret = "IO::Socket not found";
-}
-if (! eval "require MIME::Base64;")
-{
- $ret = "MIME::Base64 not found";
-}
-if (! eval "require Net::hostent;")
-{
- $ret = "Net::hostent not found";
-}
-
-$squid_host = $ENV{squidhost} || "localhost";
-$squid_port = $ENV{squidport} || 3128;
-$user = $ENV{squiduser} || "";
-$passwd = $ENV{squidpasswd} || "";
-
-if($ARGV[0] and $ARGV[0] eq "autoconf") {
- &autoconf($squid_host, $squid_port, $user, $passwd);
-}
-
-sub autoconf {
- my ($host, $port, $user, $passwd) = @_;
-
- if ($ret)
- {
- print "no ($ret)\n";
- exit 0;
- }
-
- my $cachemgr = IO::Socket::INET->new(PeerAddr => $host,
- PeerPort => $port,
- Proto => 'tcp',
- Timeout => 5);
-
- if (!$cachemgr)
- {
- print "no (could not connect: $!)\n";
- exit 0;
- }
-
- my $request = "GET cache_object://$host/counters HTTP/1.0\r\n" .
- "Accept: */*\r\n" .
- &make_auth_header($user, $passwd) .
- "\r\n";
-
- $cachemgr->syswrite($request, length($request));
- my @lines = $cachemgr->getlines();
-
- print "yes\n";
- exit 0;
-}
-
-sub make_auth_header {
- my ($user, $passwd) = @_;
-
- if(!defined $passwd || $passwd eq "") {
- return "";
- } else {
- my $auth = MIME::Base64::encode_base64(($user ? $user : "") . ":$passwd", "");
- return "Authorization: Basic $auth\r\n" .
- "Proxy-Authorization: Basic $auth\r\n";
- }
-}
-
-
-sub query_squid {
- my ($host, $port, $user, $passwd) = @_;
- my $ret;
-
- my $cachemgr = IO::Socket::INET->new(PeerAddr => $host,
- PeerPort => $port,
- Proto => 'tcp') or die($!);
-
-
-
- my $request = "GET cache_object://$host/server_list HTTP/1.0\r\n" .
- "Accept: */*\r\n" .
- &make_auth_header($user, $passwd) .
- "\r\n";
-
- $cachemgr->syswrite($request, length($request));
- my @lines = $cachemgr->getlines();
- my $id = "";
- for(my $i = 0; $i <= $#lines; $i++) {
- chomp $lines[$i];
- if($lines[$i] =~ /Host[^:]+:\s*(\S+)\/\d+\/\d+\s*$/) {
- my $host = $1;
- $id = $host;
- $id =~ s/\./_/g;
-
- unless(exists($ret->{$id})) {
- $ret->{$id}->{host} = $host;
- $ret->{$id}->{fetches} = 0;
- }
- }
- elsif($lines[$i] =~ /FETCHES\s*:\s*(\d+)/) {
- $ret->{$id}->{fetches} += $1;
- }
- }
- return $ret;
-}
-
-my $hosts = &query_squid($squid_host, $squid_port, $user, $passwd);
-
-if($ARGV[0] and $ARGV[0] eq "config") {
- my $first = 1;
- print "graph_title Squid relay statistics\n";
- print "graph_vlabel requests / \${graph_period}\n";
- print "graph_args -l 0 --base 1000\n";
- print "graph_total total\n";
- print "graph_category squid\n";
- foreach my $i (sort keys %{$hosts}) {
- print "$i.label ", $hosts->{$i}->{host}, "\n";
- print "$i.type DERIVE\n";
- print "$i.max 500000\n";
- print "$i.min 0\n";
- if ($first) {
- print "$i.draw AREA\n";
- $first = 0;
- } else {
- print "$i.draw STACK\n";
- }
- }
- exit 0;
-}
-
-foreach my $i (keys %{$hosts}) {
- print "$i.value ", $hosts->{$i}->{fetches}, "\n";
-}
-
-# vim:syntax=perl
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) 2008 Olivier DELHOMME. All rights reserved.
-# License GPL V2 or higher
-#
-# Abstract
-# munin plugin that logs the cache mean services times
-#
-# Authors
-# . Olivier Delhomme <olivierdelhomme at gmail dot com>
-# . Grant Slater
-#
-#%# family=auto
-#%# capabilities=autoconf
-
-if [ "$1" = "autoconf" ]; then
- SQUID_STATS=$(squidclient -h 127.0.0.1 cache_object://localhost/info)
- if [ -n "${SQUID_STATS}" ]; then
- echo yes
- exit 0
- else
- echo "no (HTTP GET failed)"
- exit 1
- fi
-fi
-
-if [ "$1" = "config" ]; then
- echo 'graph_title Squid Median Services Times'
- echo 'graph_info This graph shows the proxy median services response times.'
- echo 'graph_category squid'
- echo 'graph_args --lower-limit 0'
- echo 'graph_vlabel median reponse times (s)'
-
- echo 'mean_http.label Http'
- echo 'mean_cmis.label Cache misses'
- echo 'mean_chits.label Cache hits'
- echo 'mean_nhits.label Near hits'
- echo 'mean_nmr.label Not-modified replies'
- echo 'mean_dnsl.label Dns lookups'
- echo 'mean_icpq.label Icp queries'
-
- exit 0
-fi
-
-SQUID_TIME=$(squidclient -h 127.0.0.1 cache_object://localhost/info)
-
-SQUID_TIME_HTTP=$(echo "$SQUID_TIME" | grep "HTTP Requests (All)" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_CACHE_MISSES=$(echo "$SQUID_TIME" | grep "Cache Misses" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_CACHE_HITS=$(echo "$SQUID_TIME" | grep "Cache Hits" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_NEAR_HITS=$(echo "$SQUID_TIME" | grep "Near Hits" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_NM_REPLIES=$(echo "$SQUID_TIME" | grep "Not-Modified Replies" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_DNS_LOOKUPS=$(echo "$SQUID_TIME" | grep "DNS Lookups" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-SQUID_TIME_ICP_QUERIES=$(echo "$SQUID_TIME" | grep "ICP Queries" | cut -d':' -f2 | sed -e "s/^\ *//" | cut -d' ' -f1)
-
-echo "mean_http.value $SQUID_TIME_HTTP"
-echo "mean_cmis.value $SQUID_TIME_CACHE_MISSES"
-echo "mean_chits.value $SQUID_TIME_CACHE_HITS"
-echo "mean_nhits.value $SQUID_TIME_NEAR_HITS"
-echo "mean_nmr.value $SQUID_TIME_NM_REPLIES"
-echo "mean_dnsl.value $SQUID_TIME_DNS_LOOKUPS"
-echo "mean_icpq.value $SQUID_TIME_ICP_QUERIES"
+++ /dev/null
-# Squid cookbook
-
-This cookbook installs the Squid caching proxy service and configures it for use
-as a tile cache.
+++ /dev/null
-default[:squid][:version] = 4
-default[:squid][:cache_mem] = "256 MB"
-default[:squid][:cache_dir] = "ufs /var/spool/squid 256 16 256"
-default[:squid][:access_log] = "/var/log/squid/access.log openstreetmap"
-default[:squid][:private_devices] = true
-
-default[:apt][:sources] = node[:apt][:sources] | ["squid#{node[:squid][:version]}"]
+++ /dev/null
-name "squid"
-maintainer "OpenStreetMap Administrators"
-maintainer_email "admins@openstreetmap.org"
-license "Apache-2.0"
-description "Installs and configures squid"
-
-version "1.0.0"
-supports "ubuntu"
-depends "apt"
-depends "munin"
-depends "prometheus"
-depends "systemd"
+++ /dev/null
-#
-# Cookbook:: squid
-# Recipe:: default
-#
-# Copyright:: 2011, OpenStreetMap Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include_recipe "apt"
-include_recipe "munin"
-include_recipe "prometheus"
-
-if node[:squid][:version] >= 3
- apt_package "squid" do
- action :unlock
- end
-
- apt_package "squid-common" do
- action :unlock
- end
-
- apt_package "squid" do
- action :purge
- only_if "dpkg-query -W squid | fgrep -q 2."
- end
-
- apt_package "squid-common" do
- action :purge
- only_if "dpkg-query -W squid-common | fgrep -q 2."
- end
-
- file "/store/squid/coss-01" do
- action :delete
- backup false
- end
-
- package "squidclient" do
- action :upgrade
- end
-end
-
-package "squid"
-package "squidclient"
-
-template "/etc/squid/squid.conf" do
- source "squid.conf.erb"
- owner "root"
- group "root"
- mode "644"
-end
-
-directory "/etc/squid/squid.conf.d" do
- owner "root"
- group "root"
- mode "755"
-end
-
-Array(node[:squid][:cache_dir]).each do |cache_dir|
- if cache_dir =~ /^coss (\S+) /
- cache_dir = File.dirname(Regexp.last_match(1))
- elsif cache_dir =~ /^\S+ (\S+) /
- cache_dir = Regexp.last_match(1)
- end
-
- directory cache_dir do
- owner "proxy"
- group "proxy"
- mode "750"
- recursive true
- notifies :restart, "service[squid]"
- end
-end
-
-systemd_tmpfile "/var/run/squid" do
- type "d"
- owner "proxy"
- group "proxy"
- mode "0755"
-end
-
-address_families = %w[AF_UNIX AF_INET AF_INET6]
-
-file "/etc/systemd/system/squid.service" do
- action :delete
-end
-
-file "/etc/logrotate.d/squid.dpkg-dist" do
- action :delete
-end
-
-squid_service_exec = if node[:lsb][:release].to_f < 20.04
- "/usr/sbin/squid -YC"
- else
- "/usr/sbin/squid --foreground -YC"
- end
-
-systemd_service "squid" do
- dropin "chef"
- limit_nofile 98304
- private_tmp true
- private_devices node[:squid][:private_devices]
- protect_system "full"
- protect_home true
- restrict_address_families address_families
- restart "always"
- exec_start "#{squid_service_exec}"
-end
-
-service "squid" do
- action :enable
- subscribes :restart, "systemd_service[squid]"
- subscribes :restart, "template[/etc/squid/squid.conf]"
- subscribes :reload, "template[/etc/resolv.conf]"
-end
-
-notify_group "squid-start" do
- action :run
- notifies :start, "service[squid]"
-end
-
-service "squid-restart" do
- service_name "squid"
- action :restart
- only_if do
- IO.popen(["squidclient", "--host=127.0.0.1", "--port=3128", "mgr:counters"]) do |io|
- io.each.grep(/^[a-z][a-z_.]+ = -[0-9]+$/).count.positive?
- end
- end
-end
-
-munin_plugin "squid_cache"
-munin_plugin "squid_times"
-munin_plugin "squid_icp"
-munin_plugin "squid_objectsize"
-munin_plugin "squid_requests"
-munin_plugin "squid_traffic"
-
-munin_plugin "squid_delay_pools" do
- action :delete
-end
-
-munin_plugin "squid_delay_pools_noreferer" do
- action :delete
-end
-
-prometheus_exporter "squid" do
- port 9301
- listen_switch "listen"
-end
+++ /dev/null
-#
-# Cookbook:: squid
-# Resource:: squid_fragment
-#
-# Copyright:: 2015, OpenStreetMap Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unified_mode true
-
-default_action :create
-
-property :fragment, :kind_of => String, :name_property => true
-property :template, :kind_of => String, :required => [:create]
-property :variables, :kind_of => Hash, :default => {}
-
-action :create do
- declare_resource :template, fragment_path do
- source new_resource.template
- owner "root"
- group "root"
- mode "644"
- variables new_resource.variables
- end
-end
-
-action :delete do
- file fragment_path do
- action :delete
- end
-end
-
-action_class do
- def fragment_path
- "/etc/squid/squid.conf.d/#{new_resource.fragment}.conf"
- end
-end
-
-def after_created
- notifies :create, "template[/etc/squid/squid.conf]"
-end
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# configure host name
-visible_hostname <%= node.name %>
-
-cache_mem <%= node[:squid][:cache_mem] %>
-<% if node[:squid][:version] > 2 -%>
-
-workers <%= [ node[:cpu][:total] - 2, 1 ].max.ceil %>
-cpu_affinity_map process_numbers=<%= (1..[ node[:cpu][:total] - 2, 1 ].max.ceil).to_a.join(',') %> cores=<%=(1..[ node[:cpu][:total] - 2, 1 ].max.ceil).to_a.join(',') %>
-
-# Set short clean shutdown interval
-shutdown_lifetime 2 seconds
-
-error_log_languages off
-<% end -%>
-
-max_filedescriptors 98304
-
-<% if node[:squid][:version] > 3 -%>
-# Use RFC6891 recommended max size
-dns_packet_max 4096 bytes
-# Use low initial retry interval (backoff start)
-dns_retransmit_interval 2 seconds
-# Set low timeout
-dns_timeout 15 seconds
-<% end -%>
-dns_v4_first on
-
-# used by squidclient / munin
-http_port 3128
-# HTCP
-htcp_port 4827
-# ICP
-icp_port 3130
-log_icp_queries off
-
-<% if node[:squid][:version] < 3 -%>
-http_port 80 accel defaultsite=tile.openstreetmap.org tcpkeepalive=60,10,6 http11
-<% else -%>
-http_port 8080 accel no-vhost defaultsite=tile.openstreetmap.org tcpkeepalive=60,10,6
-<% end -%>
-
-cache_effective_user proxy
-cache_effective_group proxy
-
-<% Array(node[:squid][:cache_dir]).each do |cache_dir| -%>
-cache_dir <%= cache_dir %>
-<% end -%>
-
-<% if node[:squid][:version] < 3 -%>
-cache_swap_log /var/spool/squid/%s
-<% end -%>
-
-cache_mgr webmaster@openstreetmap.org
-
-quick_abort_min 0 KB
-quick_abort_max 0 KB
-
-read_ahead_gap 64 KB
-
-maximum_object_size 256 KB
-maximum_object_size_in_memory 64 KB
-
-cache_replacement_policy heap LFUDA
-memory_replacement_policy heap GDSF
-
-server_persistent_connections on
-<% if node[:squid][:version] < 3 -%>
-persistent_request_timeout 1 minutes
-<% else -%>
-client_idle_pconn_timeout 1 minutes
-<% end -%>
-<% if node[:squid][:version] > 3 -%>
-pconn_lifetime 5 minutes
-<% end -%>
-
-negative_ttl 15 seconds
-<% if node[:squid][:version] < 3 -%>
-pipeline_prefetch on
-<% end -%>
-
-read_timeout 90 seconds
-request_timeout 90 seconds
-connect_timeout 20 seconds
-client_lifetime 1 hours
-
-<% if node[:squid][:version] < 3 -%>
-refresh_stale_hit 300 seconds
-<% end -%>
-
-# Recommended minimum configuration:
-# ----------------------------------
-<% if node[:squid][:version] < 3 -%>
-acl all src all
-acl manager proto cache_object
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8
-<% end -%>
-acl SSL_ports port 443
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 # https
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
-http_access allow manager localhost
-
-http_access allow manager
-
-http_access deny manager
-http_access deny !Safe_ports
-http_access deny CONNECT !SSL_ports
-# ----------------------------------
-
-acl purge_hosts src 127.0.0.0/8
-acl PURGE method purge
-http_access allow purge purge_hosts
-http_access deny purge
-
-forwarded_for on
-follow_x_forwarded_for allow localhost
-
-<% if node[:squid][:version] < 3 -%>
-logformat openstreetmap %ts.%03tu %tr %>a %Ss/%03Hs %<st %rm %rp %Sh/%<A %mt "%{Referer}>h" "%{User-Agent}>h"
-access_log <%= node[:squid][:access_log] %>
-<% else -%>
-logformat openstreetmap %ts.%03tu %tr %>a %Ss/%03>Hs %<st %rm %>rp %Sh/%<A %mt "%{Referer}>h" "%{User-Agent}>h"
-access_log daemon:<%= node[:squid][:access_log] %>
-<% end -%>
-cache_log /var/log/squid/cache.log
-cache_store_log none
-
-buffered_logs on
-
-client_db off
-strip_query_terms off
-<% if node[:squid][:version] > 2 -%>
-# Work around bug in squid 3 that causes log_fqdn to be
-# turned on by some of the (unused by us) default formats:
-# http://lists.squid-cache.org/pipermail/squid-users/2016-February/thread.html#8999
-url_rewrite_extras "%>a %un %>rm myip=%la myport=%lp"
-store_id_extras "%>a %un %>rm myip=%la myport=%lp"
-<% end -%>
-
-digest_generation off
-
-refresh_pattern . 0 50% 20160
-refresh_pattern -i tile.openstreetmap.org 60 80% 20160 reload-into-ims
-
-# ZERO required for logrotate to work properly
-logfile_rotate 0
-
-<% Dir.glob("/etc/squid/squid.conf.d/*.conf") do |file| -%>
-<%= File.read(file) %>
-<% end -%>
-
-# MUST BE LAST ACL
-# --------------
-http_access deny all
-htcp_access deny all
-icp_access deny all
-# --------------
+++ /dev/null
-require "serverspec"
-
-# Required by serverspec
-set :backend, :exec
-
-describe package("squid") do
- it { should be_installed }
-end
-
-describe service("squid") do
- it { should be_enabled }
- it { should be_running }
-end
-
-describe port(3128) do
- it { should be_listening.with("tcp") }
-end
-
-describe port(8080) do
- it { should be_listening.with("tcp") }
-end
projects / chef.git / commitdiff