Adding your Squid to Shoal

This page describes how to configure a Squid server with shoal-agent.

Squid Installation

If you already have a squid installed, skip to the next part. Otherwise, follow the instructions for installing the frontier squid variant. The frontier squid is nicely packaged and optimized for Frontier and CVMFS.

Shoal Agent Installation

If you want to set up Shoal Agent very quickly, run the following, which downloads the install script and pipes it directly to bash:

curl https://raw.github.com/hep-gc/shoal/master/scripts/production-agent-install-for-hep.sh | bash
service shoal-agent start

Otherwise, follow the instructions in the GitHub documentation to install Shoal Agent. In particular, note the shoal_agent.conf recommended for ATLAS.

Squid Configuration

The recommended modus operandi when using Shoal is to allow client connections to the squid from anywhere, but restrict destinations to the known CVMFS (and Frontier) servers. This way, CVMFS and Frontier access can be provided via the squid to any location, without the need to configure specific ACLs for each known group of users. (If the risk of DoS is a concern, you can employ rate limiting.)

Here are good references for the syntax to use in customize.sh:

You should have this in customize.sh:

uncomment("acl MAJOR_CVMFS")
uncomment("acl ATLAS_FRONTIER")
insertline("^# http_access deny !RESTRICT_DEST", "http_access allow MAJOR_CVMFS")
insertline("^# http_access deny !RESTRICT_DEST", "http_access allow ATLAS_FRONTIER")
setoption("acl NET_LOCAL src", "")

Note that this will allow connections that are either:

  • from the specified NET_LOCAL subnet(s) to anywhere
  • or, from anywhere to a CVMFS or Frontier server
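
The policy above, modelled as an added example (not part of the original page or of frontier-squid): a small first-match evaluator for the resulting http_access rules, run over constructed requests. The NET_LOCAL subnet, the destination regexes and the rule order are assumptions; since every rule ahead of the final deny is an allow, the order of the allows does not change the outcome.

```python
import ipaddress
import re

# Constructed values: the subnet and destination regexes are assumptions for
# illustration, not the ACL definitions shipped in frontier-squid's squid.conf.
ACLS = {
    "NET_LOCAL": ("src", ["192.0.2.0/24"]),
    "MAJOR_CVMFS": ("dstdom_regex", [r"^cvmfs-stratum-one\.example\.org$"]),
    "ATLAS_FRONTIER": ("dstdom_regex", [r"^atlasfrontier.*\.example\.org$"]),
}

# Assumed rule order after customize.sh runs: the two inserted destination
# allows, the NET_LOCAL allow, then a final deny for everything else.
HTTP_ACCESS = [
    ("allow", "MAJOR_CVMFS"),
    ("allow", "ATLAS_FRONTIER"),
    ("allow", "NET_LOCAL"),
    ("deny", "all"),
]

def acl_matches(name, client_ip, dest_host):
    """Return True if the named ACL matches this request."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":  # matches on the client's address
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v) for v in values)
    # dstdom_regex: matches on the requested destination host name
    return any(re.search(v, dest_host) for v in values)

def decide(client_ip, dest_host):
    """Apply http_access rules in order; the first matching rule wins."""
    for action, name in HTTP_ACCESS:
        if acl_matches(name, client_ip, dest_host):
            return action, name
    return "deny", "default"  # unreachable while the list ends in 'deny all'

# Constructed sample requests: (client address, destination host).
SAMPLES = [
    ("192.0.2.10", "www.example.com"),                  # local client, any site
    ("198.51.100.7", "cvmfs-stratum-one.example.org"),  # remote client, CVMFS
    ("198.51.100.7", "atlasfrontier1.example.org"),     # remote client, Frontier
    ("198.51.100.7", "www.example.com"),                # remote client, other site
]

if __name__ == "__main__":
    for ip, host in SAMPLES:
        print(f"{ip:15} -> {host:32} {decide(ip, host)}")
```

The last sample is the case that matters for an openly reachable squid: a client outside NET_LOCAL asking for a destination that is neither CVMFS nor Frontier falls through to the final deny.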

