add support for default eessi proxy config to squid role

sjpb · sjpb · commit 8fe4bab6e9fc · 2025-12-19T10:44:02.000Z
diff --git a/ansible/roles/squid/README.md b/ansible/roles/squid/README.md
@@ -2,16 +2,30 @@
 
 Deploy a caching proxy.
 
-**NB:** The default configuration is aimed at providing a proxy for package installs etc. for
-nodes which do not have direct internet connectivity. It assumes access to the proxy is protected
-by the OpenStack security groups applied to the cluster. The generated configuration should be
-reviewed if this is not case.
+**NB:** This role provides two default configurations, selected by setting
+`squid_conf_template`:
+- `squid.conf.j2`: This is aimed at providing a proxy for package installs etc.
+  for nodes which do not have direct internet connectivity. It assumes access
+  to the proxy is protected by the OpenStack security groups applied to the
+  cluster. The generated configuration should be reviewed if this is not case.
+- `squid-eessi.conf.j2`: This provides a proxy server for EESSI clients. It uses
+  the [recommended configuration](https://www.eessi.io/docs/tutorial/access/proxy/#configuration)
+  which assumes a server with:
+      - 10Gbit link or faster to the client systems
+      - a sufficiently powerful CPU
+      - a decent amount of memory for the kernel cache (tens of GBs)
+      - fast local storage - 50GB is used for cache
+  For this use-case the above link recommends at least two squid servers and at
+  least one for every (100-500) client nodes.
 
 ## Role Variables
+- `squid_conf_template`: Optional str. Path (using Ansible search paths) to
+  squid.conf template. Default is in-role `squid.conf.j2` template as above.
+
+### Role Variables for squid_conf_template=squid.conf.j2
 
 Where noted these map to squid parameters of the same name without the `squid_` prefix - see [squid documentation](https://www.squid-cache.org/Doc/config) for details.
 
-- `squid_conf_template`: Optional str. Path (using Ansible search paths) to squid.conf template. Default is in-role template.
 - `squid_started`: Optional bool. Whether to start squid service. Default `true`.
 - `squid_enabled`: Optional bool. Whether squid service is enabled on boot. Default `true`.
 - `squid_cache_mem`: Required str. Size of memory cache, e.g "1024 KB", "12 GB" etc. See squid parameter.
@@ -37,3 +51,12 @@ Where noted these map to squid parameters of the same name without the `squid_`
         http_access deny all
 
   See squid parameter.
+
+### Role Variables for squid_conf_template=squid-eessi.conf.j2
+
+- `squid_eessi_clients`: Optional string. CIDR specifying clients allowed to
+  access this proxy. The default is to use the CIDR of the host's default IPv4
+  interface, which should allow access from the [cluster network](../../../docs/networks.md).
+  For clusters with multiple networks this may not be appropriate.
+- `squid_eessi_stratum_1`: Optional string. Domain (squid `acl dstdomain` format)
+  of Stratum 1 replica servers. Default is the upstream EEESI Stratum 1 servers.
diff --git a/ansible/roles/squid/defaults/main.yml b/ansible/roles/squid/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+## squid dnf configuration:
 squid_conf_template: squid.conf.j2
 squid_started: true
 squid_enabled: true
@@ -23,3 +24,8 @@ squid_http_access: |
   http_access allow localhost
   # Finally deny all other access to this proxy
   http_access deny all
+
+## squid eeesi configuration:
+#squid_conf_template: squid-eessi.conf.j2
+squid_eessi_clients: "{{ ansible_default_ipv4.network }}/{{ ansible_default_ipv4.prefix }}"
+squid_eessi_stratum_1: '.eessi.science'
diff --git a/ansible/roles/squid/templates/squid-eessi.conf.j2 b/ansible/roles/squid/templates/squid-eessi.conf.j2
@@ -0,0 +1,30 @@
+# From https://www.eessi.io/docs/tutorial/access/proxy/
+# List of local IP addresses (separate IPs and/or CIDR notation) allowed to access your local proxy
+acl local_nodes src {{ squid_eessi_clients }}
+
+# Destination domains that are allowed
+# cern.ch + opensciencegrid.org domains because of cvmfs-config.cern.ch repository,
+# which are provided via Stratum-1 mirror servers hosted by CERN and OSG
+acl stratum_ones dstdomain .cern.ch .opensciencegrid.org {{ squid_eessi_stratum_1 }}
+
+# Squid port
+http_port 3128
+
+# Deny access to anything which is not part of our stratum_ones ACL.
+http_access deny !stratum_ones
+
+# Only allow access from our local machines
+http_access allow local_nodes
+http_access allow localhost
+
+# Finally, deny all other access to this proxy
+http_access deny all
+
+minimum_expiry_time 0
+maximum_object_size 1024 MB
+
+# proxy memory cache of 1GB
+cache_mem 1024 MB
+maximum_object_size_in_memory 128 KB
+# 50 GB disk cache
+cache_dir ufs {{ squid_cache_dir }} 50000 16 256
