Adding your Squid to Shoal
This page describes how to configure a Squid server with shoal-agent.
Squid Installation
If you already have a squid installed, skip to the next part. Otherwise, follow the instructions for installing the frontier squid variant. The frontier squid is nicely packaged and optimized for Frontier and CVMFS.
Shoal Agent Installation
If you want to set up Shoal Agent very quickly, do:
%STARTCONSOLE%
curl https://raw.github.com/hep-gc/shoal/master/scripts/production-agent-install-for-hep.sh | bash
service shoal-agent start
%ENDCONSOLE%
Otherwise, follow the instructions in the GitHub documentation to install Shoal Agent. In particular, note the shoal_agent.conf recommended for ATLAS.
Squid Configuration
The recommended modus operandi when using Shoal is to allow client connections to the squid from anywhere, but restrict destinations to the known CVMFS (and Frontier) servers. This way, CVMFS and Frontier access can be provided via the squid to any location, without the need for configuring specific ACLs for each known group of users. (If the risk of DoS is a concern, you can employ rate limiting.)
Here are good references for the syntax to use in customize.sh:
You should have this in customize.sh:
uncomment("acl MAJOR_CVMFS")
uncomment("acl ATLAS_FRONTIER")
insertline("^# http_access deny !RESTRICT_DEST", "http_access allow MAJOR_CVMFS")
insertline("^# http_access deny !RESTRICT_DEST", "http_access allow ATLAS_FRONTIER")
setoption("acl NET_LOCAL src", "192.168.0.0/16")
Note that this will allow connections that are either:
- from the specified NET_LOCAL subnet(s) to anywhere
- or, from anywhere to a CVMFS or Frontier server
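One way to check that a generated rule set matches the two cases listed above and does not leave the squid as an open proxy. This is an added example, not code from frontier-squid or Shoal. The config text, hostnames and regexes are constructed placeholders, and the evaluator only handles the src and dstdom_regex ACL types.

```python
import ipaddress
import re

# Constructed sample of post-customize.sh squid.conf access lines; regexes are placeholders.
SAMPLE_CONF = r"""
acl NET_LOCAL src 192.168.0.0/16
acl MAJOR_CVMFS dstdom_regex ^cvmfs-stratum-one\.example\.org$
acl ATLAS_FRONTIER dstdom_regex ^atlasfrontier[0-9]*\.example\.org$
http_access allow MAJOR_CVMFS
http_access allow ATLAS_FRONTIER
http_access allow NET_LOCAL
http_access deny all
"""
OPEN_CONF = SAMPLE_CONF.replace("192.168.0.0/16", "0.0.0.0/0")  # NET_LOCAL = everyone

def parse(conf):
    """Collect acl definitions and http_access rules; comment lines match neither."""
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []  # "all" is built into Squid
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(name, acls, src, host):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdom_regex":
        return any(re.search(v, host) for v in values)
    raise ValueError(f"unsupported acl type: {kind}")

def decide(conf, src, host):
    """First match wins; ACLs on a line are ANDed; no match = opposite of last rule."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(n.lstrip("!"), acls, src, host) != n.startswith("!") for n in names):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

def audit(conf):
    return {
        "local->anywhere": decide(conf, "192.168.10.5", "www.example.com"),
        "remote->cvmfs": decide(conf, "203.0.113.7", "cvmfs-stratum-one.example.org"),
        "remote->frontier": decide(conf, "203.0.113.7", "atlasfrontier2.example.org"),
        "remote->anywhere": decide(conf, "203.0.113.7", "www.example.com"),
    }
```

Only "remote->anywhere" should come back as deny for the sample rules; with NET_LOCAL widened as in OPEN_CONF it flips to allow, which is the open-proxy case to catch before deploying.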