Puppet Class: profile::installserver::proxy

Defined in:
modules/profile/manifests/installserver/proxy.pp

Summary

Installs a proxy server for the install server

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: lookup('profile::installserver::proxy::ensure'))

    ensurable parameter

  • structured_logs (Boolean) (defaults to: lookup('profile::installserver::proxy::structured_logs'))

    Use the CEE structured log format

  • ssl_ports (Array[Stdlib::Port]) (defaults to: lookup('profile::installserver::proxy::ssl_ports'))

    list of ssl ports

  • safe_ports (Array[Stdlib::Port]) (defaults to: lookup('profile::installserver::proxy::safe_ports'))

    list of safe ports

  • custom_acls (Hash[String[1], Squid::Acl]) (defaults to: lookup('profile::installserver::proxy::custom_acls'))

    A list of ACLs that allow proxying of custom ports from specific sources to specific destinations



# File 'modules/profile/manifests/installserver/proxy.pp', line 8

# Forward HTTP proxy (Squid) for the install server. The class renders
# squid.conf from an ERB template, routes Squid access logs through rsyslog,
# rotates them from a systemd timer, opens TCP/8080 to the production networks
# and registers two monitoring checks.
#
# NOTE(review): $ensure is passed to class squid, the logrotate timer and
# monitoring::service only. The auto-restart, rsyslog, firewall and blackbox
# resources below are declared without it, so with ensure => absent they would
# presumably stay in place (including the open port) - confirm whether those
# defines accept an ensure parameter.
class profile::installserver::proxy(
    Wmflib::Ensure              $ensure          = lookup('profile::installserver::proxy::ensure'),
    # $structured_logs, $ssl_ports and $safe_ports are not referenced again in
    # this manifest; presumably squid.conf.erb reads them from class scope -
    # confirm before renaming or removing them.
    Boolean                     $structured_logs = lookup('profile::installserver::proxy::structured_logs'),
    Array[Stdlib::Port]         $ssl_ports       = lookup('profile::installserver::proxy::ssl_ports'),
    Array[Stdlib::Port]         $safe_ports      = lookup('profile::installserver::proxy::safe_ports'),
    # Each entry is validated as Squid::Acl. These entries widen what the proxy
    # will relay, so changes to the hiera data deserve the same review as a
    # firewall rule change.
    Hash[String[1], Squid::Acl] $custom_acls     = lookup('profile::installserver::proxy::custom_acls')
){
    include network::constants
    include profile::logrotate
    # Neither variable is used again in this manifest; presumably both are
    # consumed by the squid.conf.erb template rendered below - TODO confirm.
    # They must be assigned before the template() call so they are in scope.
    $prod_networks = $network::constants::production_networks
    $_custom_acls = squid::acl::normalise($custom_acls)

    # Syslog facility/priority matched by the rsyslog filter further down.
    # NOTE(review): the Squid side of this (its access_log directive) would be
    # in the template, which is not visible here - keep the two in sync.
    $syslog_facility = 'local0'
    $syslog_priority = 'info'
    class { 'squid':
        ensure              => $ensure,
        # All proxy access control lives in this template, not in the manifest.
        config_content      => template('profile/installserver/proxy/squid.conf.erb'),
        # 'hourly' when $profile::logrotate::hourly is true, otherwise 'daily'.
        logrotate_frequency => $profile::logrotate::hourly.bool2str('hourly', 'daily'),
    }

    profile::auto_restarts::service { 'squid': }

    # rsyslog rule for the Squid access log. Heredoc flags: the quoted tag
    # enables interpolation, /L enables backslash line continuation and /$
    # enables the \$ escape, so \$programname reaches rsyslog as a literal
    # property name while ${syslog_facility} and ${syslog_priority} are filled
    # in by Puppet. The rule writes matching messages to
    # /var/log/squid/access.log and the trailing '&~' then discards them, so
    # they are not processed by later rsyslog rules.
    $rsyslog_content = @("CONF"/L$)
    # Send squid access logs
    if \$programname startswith 'squid' \
    and  \$syslogfacility-text == '${syslog_facility}' \
    and \$syslogpriority-text == '${syslog_priority}' \
    then /var/log/squid/access.log
    &~
    | CONF

    rsyslog::conf { 'squid-access':
        content => $rsyslog_content,
    }
    # Asks Squid to rotate its own log files once a day at 17:15:00 (systemd
    # OnCalendar expression). Runs as root.
    systemd::timer::job { 'squid-logrotate':
        ensure      => $ensure,
        user        => 'root',
        description => 'rotate squid proxy log files',
        command     => '/usr/sbin/squid -k rotate',
        interval    => {'start' => 'OnCalendar', 'interval' => '*-*-* 17:15:00'},
    }

    # Network-layer restriction: only sources in the PRODUCTION_NETWORKS set may
    # reach the proxy port. Port 8080 is hard-coded here and in both checks
    # below; presumably it has to match the listening port in squid.conf.erb -
    # TODO confirm.
    firewall::service { 'proxy':
        proto    => 'tcp',
        port     => 8080,
        src_sets => ['PRODUCTION_NETWORKS'],
    }

    # Monitoring: a plain TCP connect check on the proxy port.
    monitoring::service { 'squid':
        ensure        => $ensure,
        description   => 'Squid',
        check_command => 'check_tcp!8080',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/HTTP_proxy',
    }

    # HTTP probe that passes on a 400 response. NOTE(review): presumably a
    # direct, non-proxy request to Squid is answered with 400, so this shows
    # the daemon is answering HTTP; it does not exercise the ACLs or prove that
    # proxying works.
    prometheus::blackbox::check::http { 'squid':
        port           => 8080,
        status_matches => [400],
        probe_runbook  => 'https://wikitech.wikimedia.org/wiki/HTTP_proxy',
    }
}