Setting Up Forward Proxy via Squid
The aim of this article is to set up a forward proxy for a VLAN whose hosts only have private IPs. First of all, I'm not a network guru; I have mostly a development background, so please excuse me if I use a cringe term about networking in this article.
I have 5 VMs in the same VLAN, but I don't want 3 of those VMs to have a public IP, because I am paying 50 cents per public IPv4 address to my cloud provider and the cost of a vSwitch with a public IP was dear. Without a public IP address those VMs could not reach the internet and could not even run "apt-get update". So what did I do to solve this issue once and for all? Instead of paying €1.5 for 3 IPv4 addresses right now, I am paying €5 for a proxy server. Genius, right?
Let’s have some action here.
I will not be exposing information about my production network in this article; instead I will walk through the steps on a lab environment at the same cloud provider. After some research I took the GCP documentation as a reference, and everything is working fine for me.
First of all, I create 2 VM instances at the same location. Let's call them proxy-server and private-server. As the names suggest, I don't want private-server to be exposed to the internet, but I still want it to have an internet connection when needed (for package updates etc.). That's where proxy-server kicks in. I'll configure proxy-server first, then private-server. I'll be skipping all firewall configuration and VM creation since those differ between cloud providers.
First I create a VLAN at my cloud provider with the 10.0.0.0/16 network and put my VMs in its 10.0.0.0/24 subnet.
I log in to proxy-server via SSH. If the prompt asks "Are you sure you want to continue connecting?", type yes.
ssh root@95.217.128.68
Since I am using CentOS, my package manager is yum. If you are using another distro, check your package manager's install commands; there are others like apt, zypper etc.
I start by upgrading my currently installed packages.
yum update -y
This might take a while depending on how outdated your OS image is. After the update has finished, type:
yum install squid -y
Now we configure Squid to accept requests coming from the VLAN, deny a few destinations that must never be reached through it, and forward everything else to the internet.
sudo sed -i 's:#\(http_access allow localnet\):\1:' /etc/squid/squid.conf ## allow requests that come "from" the local network (VLAN)
sudo sed -i 's:#\(http_access deny to_localhost\):\1:' /etc/squid/squid.conf ## deny requests whose destination is the proxy host itself (127.0.0.0/8, ::1), so a client cannot use the proxy to reach services bound to loopback on it
## the stock squid.conf defines localnet as 10.0.0.0/8, so there is no /24 line to uncomment: rewrite that line (commented or not) into our /24 instead
sudo sed -i 's:^#\?acl localnet src 10\.0\.0\.0/8.*:acl localnet src 10.0.0.0/24:' /etc/squid/squid.conf
grep -n 'acl localnet\|http_access' /etc/squid/squid.conf ## check the result: whether these lines start out commented depends on the squid.conf your distro ships, so verify rather than trust sed; any other uncommented "acl localnet" line (172.16.0.0/12, 192.168.0.0/16, ...) widens who may use the proxy and should be commented out
The GCP document suggests enabling all of the RFC 1918 private ranges, but my network is nowhere near that big, so 10.0.0.0/24 is more than enough for me, and the narrower the localnet acl, the fewer hosts can use the proxy at all. If you'd rather go with the document as written, use these instead of the 10.0.0.0/24 acl:
sudo sed -i 's:#\(acl localnet src 10.0.0.0/8.*\):\1:' /etc/squid/squid.conf ## 10.0.0.0 - 10.255.255.255
sudo sed -i 's:#\(acl localnet src 172.16.0.0/12.*\):\1:' /etc/squid/squid.conf ## 172.16.0.0 - 172.31.255.255
sudo sed -i 's:#\(acl localnet src 192.168.0.0/16.*\):\1:' /etc/squid/squid.conf ## 192.168.0.0 - 192.168.255.255
And if you are fond of IPv6:
sudo sed -i 's:#\(acl localnet src fc00\:\:/7.*\):\1:' /etc/squid/squid.conf ## RFC 4193 unique local addresses
sudo sed -i 's:#\(acl localnet src fe80\:\:/10.*\):\1:' /etc/squid/squid.conf ## RFC 4291 link-local addresses
One more rule, so that clients cannot reach the cloud provider's metadata server (169.254.169.254) through the proxy. Squid evaluates http_access rules top to bottom and the first match wins, so this deny has to sit above "http_access allow localnet"; simply appended to the end of the file (after "allow localnet" and the final "deny all") it would never be reached. The acl must also be defined before the rule that references it, so both lines go in right above the allow rule:
sudo sed -i '/^#\?http_access allow localnet/i\
acl to_metadata dst 169.254.169.254\
http_access deny to_metadata' /etc/squid/squid.conf
grep -n 'to_metadata\|allow localnet' /etc/squid/squid.conf ## the two to_metadata lines must print with lower line numbers than "http_access allow localnet"
Now we can start the Squid service, and we are done with proxy-server. Running "squid -k parse" first reports configuration errors, such as an acl that is referenced before it is defined.
sudo service squid start
By default Squid listens on port 3128 (the http_port directive) on every interface of the proxy server, so clients have to use that port, and since proxy-server also has a public IP you must make sure port 3128 is not reachable from the internet, either through the firewall or by binding Squid to the private address only (http_port 10.0.0.3:3128). Otherwise the only thing standing between the internet and your proxy is the localnet acl. All of Squid's configuration options live in the same file:
cat /etc/squid/squid.conf ## if you just want to display the configuration file
nano /etc/squid/squid.conf ## if you want to edit file manually
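The ordering point above (first matching http_access rule wins) is worth seeing in isolation. What follows is an added example, not code from the article or from Squid: a small bash evaluator for the subset of squid.conf this page uses ("acl NAME src|dst <IPv4 or CIDR>", "http_access allow|deny NAME...", the built-in "all", and "!NAME" negation). It walks the http_access lines the way Squid does and, run over two constructed configs, shows that the to_metadata deny is dead when appended after "allow localnet" and effective when placed before it. Anything outside that subset (port and protocol acls, IPv6, hostnames in dst) is an assumption of this toy and is treated as a non-match.

```bash
#!/usr/bin/env bash
# Added example, not code from the article or from Squid: a first-match
# evaluator for the subset of squid.conf this page uses. Assumptions: only
# "acl NAME src|dst <IPv4 or IPv4/CIDR>", "http_access allow|deny NAME..."
# (several names on one line are AND-ed, "!NAME" negates) and the built-in
# "all" are understood; anything else never matches.
set -u

# ip_to_int 10.0.0.2 -> 167772162
ip_to_int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr <ip> <net[/bits]> : exit 0 when ip lies in the range; a bare address is /32
ip_in_cidr() {
  local ip=$1 net=${2%%/*} bits=${2#*/} mask
  case $net in *[!0-9.]*|'') return 1 ;; esac   # not dotted IPv4: never matches (assumption)
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# acl_matches <conf> <name> <src-ip> <dst-ip> : 0 if any "acl <name> src|dst X"
# line covers the request (lines sharing a name are OR-ed, as in Squid)
acl_matches() {
  local conf=$1 name=$2 src=$3 dst=$4 kw acl type val rest
  [ "$name" = all ] && return 0
  while read -r kw acl type val rest; do
    case $type in
      src) ip_in_cidr "$src" "$val" && return 0 ;;
      dst) ip_in_cidr "$dst" "$val" && return 0 ;;
    esac
  done <<EOF
$(grep -E "^[[:space:]]*acl[[:space:]]+$name[[:space:]]" "$conf" || true)
EOF
  return 1
}

# http_access_verdict <conf> <src-ip> <dst-ip> : prints allow or deny. Rules are
# checked top to bottom and the first match wins; when nothing matches Squid
# applies the opposite of the last rule.
http_access_verdict() {
  local conf=$1 src=$2 dst=$3 kw action names name last="" matched
  while read -r kw action names; do
    [ -z "$action" ] && continue
    names=${names%%#*}          # strip a trailing comment
    last=$action
    matched=1
    for name in $names; do      # every acl on the line has to match
      case $name in
        '!'*) acl_matches "$conf" "${name#!}" "$src" "$dst" && matched=0 ;;
        *)    acl_matches "$conf" "$name" "$src" "$dst" || matched=0 ;;
      esac
    done
    if [ "$matched" -eq 1 ]; then
      echo "$action"
      return 0
    fi
  done <<EOF
$(grep -E '^[[:space:]]*http_access[[:space:]]' "$conf" || true)
EOF
  case $last in allow) echo deny ;; deny) echo allow ;; *) echo deny ;; esac
}

# Two constructed squid.conf fragments: the rules as a "tee -a" at the end of
# the file lays them out, and the same rules with the deny above "allow localnet".
APPENDED=$(mktemp); ORDERED=$(mktemp)
trap 'rm -f "$APPENDED" "$ORDERED"' EXIT
cat > "$APPENDED" <<'EOF'
acl localnet src 10.0.0.0/24
http_access allow localnet
http_access deny all
acl to_metadata dst 169.254.169.254
http_access deny to_metadata
EOF
cat > "$ORDERED" <<'EOF'
acl localnet src 10.0.0.0/24
acl to_metadata dst 169.254.169.254
http_access deny to_metadata
http_access allow localnet
http_access deny all
EOF

printf 'deny appended at the end  : 10.0.0.2    -> 169.254.169.254 is %s\n' "$(http_access_verdict "$APPENDED" 10.0.0.2 169.254.169.254)"
printf 'deny before allow localnet: 10.0.0.2    -> 169.254.169.254 is %s\n' "$(http_access_verdict "$ORDERED" 10.0.0.2 169.254.169.254)"
printf 'deny before allow localnet: 10.0.0.2    -> 93.184.216.34   is %s\n' "$(http_access_verdict "$ORDERED" 10.0.0.2 93.184.216.34)"
printf 'deny before allow localnet: 192.168.1.9 -> 93.184.216.34   is %s\n' "$(http_access_verdict "$ORDERED" 192.168.1.9 93.184.216.34)"
```

On the real proxy-server the equivalent checks are "squid -k parse" for syntax and, from private-server, a request such as "curl -x http://10.0.0.3:3128 http://169.254.169.254/", which should come back as a 403 generated by Squid rather than as a metadata response.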
Since private-server is not reachable from the internet, we have to hop through proxy-server (which has internet access and sits in the same VLAN) to ssh into it. While on proxy-server, type:
ssh 10.0.0.2
Or whatever the private IP of your server in the VLAN is.
Now we tell private-server to route its connections through proxy-server. First become root.
sudo -s ## become root first
yum update ## just to confirm that the instance has no internet access; not strictly necessary
Now point the standard proxy environment variables at proxy-server; tools such as yum, curl and wget read them. Some tools only read the upper-case spelling (HTTP_PROXY), so export both if you run into one.
## instead of 10.0.0.3, write your proxy's IP address
echo 'export http_proxy="http://10.0.0.3:3128"' >> /etc/profile.d/proxy.sh ## plain http requests
echo 'export https_proxy="http://10.0.0.3:3128"' >> /etc/profile.d/proxy.sh ## https requests are tunnelled through the same http proxy with CONNECT, so the proxy URL keeps the http:// scheme
echo 'export ftp_proxy="http://10.0.0.3:3128"' >> /etc/profile.d/proxy.sh ## ftp:// URLs, which Squid fetches on the client's behalf
no_proxy does not block anything; it does the opposite of what the name may suggest. It lists destinations that tools should contact directly instead of sending through the proxy. On this private server only the VLAN and link-local addresses are reachable directly anyway, so the candidates are the cloud metadata server, internal VMs, other VMs in the same subnet and so on; with the metadata server listed, a request to 169.254.169.254 goes straight to it instead of to the proxy, where the to_metadata rule would refuse it. The entries are comma separated and may be (public or private) DNS names or IP addresses; most tools treat a name as a domain suffix, so metadata.google.internal also covers hosts below it, while a whole subnet in CIDR notation is only understood by newer tools. I don't need that kind of a setting, but suit yourselves.
echo "export no_proxy=169.254.169.254,metadata,metadata.google.internal" >> /etc/profile.d/proxy.sh
Now make sudo keep those variables. sudo resets the environment by default (env_reset), so "sudo yum update" run by an unprivileged user would not see the proxy. Instead of editing /etc/sudoers through a copy in the world-writable /tmp, drop the line into /etc/sudoers.d (CentOS's stock sudoers includes that directory) and validate it with visudo, because a sudoers file with a syntax error breaks sudo for everyone:
cat > /etc/sudoers.d/proxy <<'EOF'
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
EOF
chmod 440 /etc/sudoers.d/proxy
visudo -c -f /etc/sudoers.d/proxy || rm -f /etc/sudoers.d/proxy ## validate, and remove the file again if it does not parse
Now, if you log out and ssh into the VM again so that the profile script is sourced, you can see that "yum update" works. Even though private-server has no direct route to the internet, it can use another server in the same VLAN as a proxy to get there. Keep in mind that /etc/profile.d only affects login shells: services started by systemd or cron do not see these variables and need their own proxy setting (yum, for instance, also accepts a proxy= line in /etc/yum.conf).
I hope this article helps you out.
For more information: http://www.squid-cache.org/