Thursday Jan 01, 2009

Http proxy in a zone

Now that the new Crossbow networking stack is in OpenSolaris I have been able to configure a transparent proxy server for the Sun Ray users. By having a zone act as the only route from the internal network to the internet, all the HTTP traffic now goes through the proxy, and hence benefits from the cache, all in one box.


Now all clients on the internal network get the squid zone's vnic0 as their default router from DHCP, and the global zone routes to the squid zone via a separate internal link that I have called dmz0. The dmz0 link is not absolutely needed, as the global zone could route via the internal network instead, but somehow that does not seem such a good set up. The naming of the vnics is not quite the way I want it, but that is really just cosmetic.

Here are the virtual nics:

: pearson FSS 3 $; pfexec dladm show-vnic        
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID
vnic0        nge0         1000   2:8:20:b2:86:2       random              0
sshnic0      rtls0        100    2:8:20:2c:d7:cf      random              0
dmzpearson0  dmz0         0      2:8:20:ce:2e:43      random              0
dmzsquid0    dmz0         0      2:8:20:20:a2:69      random              0
: pearson FSS 4 $; 

and this is the configuration for the zone:

: pearson FSS 8 $; pfexec zonecfg -z squid info net
net:
	address not specified
	physical: vnic0
	defrouter not specified
net:
	address not specified
	physical: rtls0
	defrouter not specified
net:
	address not specified
	physical: dmzsquid0
	defrouter not specified
: pearson FSS 9 $; 

Then in the zone I have ipfilter configured to handle the usual NAT and also to forward web traffic to the proxy:

: pearson FSS 10 $; pfexec zlogin squid cat /etc/ipf/ipnat.conf   
#
# First the usual NAT entries to handle everything going out
#
map rtls0 192.168.1.0/24 -> 192.168.254.22/32
map rtls0 192.168.2.0/24 -> 192.168.254.22/32
#
# These next two lines forward traffic to port 80 to the transparent
# web proxy that is running in this zone
#
rdr vnic0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
rdr dmzsquid0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
: pearson FSS 11 $; 

Then remember to configure squid to accept the intercepted connections by adding the transparent keyword to the http_port option (later Squid releases call this intercept). The second, plain http_port is the explicit proxy port for clients that are configured to use one, and, as with any non-transparent port, squid's http_access rules should limit it to the internal networks:

: pearson FSS 12 $; pfexec zlogin squid grep \^http_port /etc/squid/squid.conf
http_port 3128 transparent
http_port 8080
: pearson FSS 13 $;

Finally I had to remember to use routeadm(1m) to turn on IP forwarding in the zone, which was the first time I had run that command. No more messing around with files in /etc: just run "routeadm -u -e ipv4-forwarding" in the zone to enable forwarding and I was done.
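As an added example, and not code from the original post, the ipnat.conf shown above can be parsed and checked outside the zone before it is trusted as the only way out of the internal network. The script below carries a constructed copy of that file, parses the two rule forms it uses, and checks three things: every internal-facing interface redirects TCP port 80 to the proxy on the loopback address, no redirect sits on the external interface (where it would apply to traffic arriving from the outside rather than from the internal networks), and every internal subnet has a map rule on the external interface. The interface roles (vnic0 and dmzsquid0 internal, rtls0 external), the subnets and the proxy port are read off the post; the SETUP object that names them and the check itself are the example's own.

```javascript
// Added example, not from the original post: a parser for the ipnat.conf
// rule forms used in the post, plus the checks a reviewer would run before
// relying on the zone as the sole route out of the internal network.

// Constructed copy of the ipnat.conf shown in the post.
const SAMPLE_IPNAT = `
#
# First the usual NAT entries to handle everything going out
#
map rtls0 192.168.1.0/24 -> 192.168.254.22/32
map rtls0 192.168.2.0/24 -> 192.168.254.22/32
#
# These next two lines forward traffic to port 80 to the transparent
# web proxy that is running in this zone
#
rdr vnic0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
rdr dmzsquid0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
`;

// Parse the two rule forms used in the post:
//   map <if> <src-net> -> <nat-addr>
//   rdr <if> <dst-net> port <p> -> <addr> port <q> <proto>
// Anything else is rejected rather than silently ignored.
function parseIpnat(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const m = line.match(/^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)$/);
    if (m) {
      rules.push({ kind: "map", iface: m[1], src: m[2], to: m[3] });
      continue;
    }
    const r = line.match(/^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)$/);
    if (r) {
      rules.push({ kind: "rdr", iface: r[1], dst: r[2], port: Number(r[3]),
                   to: r[4], toPort: Number(r[5]), proto: r[6] });
      continue;
    }
    throw new Error("unrecognised ipnat rule: " + line);
  }
  return rules;
}

// Check the invariants behind the "zone is the only route out" design:
//  1. every internal interface redirects TCP/80 to the local proxy port;
//  2. no rdr sits on the external interface, where it would apply to
//     connections arriving from the outside instead of the internal nets;
//  3. every internal client subnet has a map rule on the external interface.
// Returns a list of problems; an empty list means the file passes.
function checkTransparentProxy(rules, opts) {
  const problems = [];
  for (const iface of opts.internalIfaces) {
    const ok = rules.some(r => r.kind === "rdr" && r.iface === iface && r.proto === "tcp"
      && r.port === 80 && r.to === "127.0.0.1" && r.toPort === opts.proxyPort);
    if (!ok) problems.push(`no rdr of tcp/80 to 127.0.0.1:${opts.proxyPort} on ${iface}`);
  }
  for (const r of rules) {
    if (r.kind === "rdr" && r.iface === opts.externalIface) {
      problems.push(`rdr rule on external interface ${r.iface}`);
    }
  }
  for (const net of opts.internalNets) {
    const ok = rules.some(r => r.kind === "map" && r.iface === opts.externalIface && r.src === net);
    if (!ok) problems.push(`no map rule for ${net} on ${opts.externalIface}`);
  }
  return problems;
}

// Interface roles and subnets as described in the post (the object itself
// is this example's assumption about which interface plays which role).
const SETUP = {
  internalIfaces: ["vnic0", "dmzsquid0"],
  externalIface: "rtls0",
  internalNets: ["192.168.1.0/24", "192.168.2.0/24"],
  proxyPort: 3128,
};

console.log(checkTransparentProxy(parseIpnat(SAMPLE_IPNAT), SETUP)); // []
```

Run it against the real file with `cat /etc/ipf/ipnat.conf` piped in place of the constructed copy; the only thing to adjust is SETUP when interfaces are renamed.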

All in all the solution is pretty pleasing.

Tuesday Jan 18, 2005

More proxy configuration

Seeing this posting about changing proxy configurations depending on location reminded me that there are many ways to skin a cat. This one has worked ever since Netscape started supporting PAC files for proxy configuration, first on my home system, then my laptop and now everywhere. It relies on me always creating an ssh tunnel to the proxy server; well, you would, wouldn't you, so that you can get all that HTML compressed.

Since JDS on Solaris 10 supports automatic proxy configuration as well, this now works just perfectly for all the clients that use the defaults.

Whilst not the fastest way, as it involves a name service lookup before it connects to the web site, it is very functional, i.e. it works. The decision is made by whatever resolver the client is currently using: a name that resolves goes direct, and everything else goes through the tunnel:

function FindProxyForURL(url, host) {
	// A host the local resolver knows is reached directly;
	// anything it cannot resolve goes through the ssh tunnel to the proxy.
	if (isResolvable(host)) {
		return "DIRECT";
	} else {
		return "PROXY localhost:8080; ";
	}
}
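As an added example, and not part of the original post, here is the PAC logic above evaluated outside a browser against constructed resolver tables, to show what the isResolvable() test decides and where a resolver that answers for every name (as some ISP and captive-portal resolvers do) defeats it: an intranet name then "resolves", so the browser goes DIRECT to whatever address came back instead of through the tunnel. Browsers supply isResolvable() and dnsDomainIs() themselves; here they are stubbed over a lookup table. The host names, the ".corp.example" domain and the wildcard address are assumptions made for the demonstration, and the pinned variant is this example's suggestion, not the post's.

```javascript
// Added example, not from the original post: the post's PAC decision run
// against constructed resolver tables, plus a variant that pins the
// corporate domain to the tunnel regardless of what the resolver says.

// Build the PAC helper functions over a name -> address table. Names not in
// the table are NXDOMAIN, unless `wildcard` is given, in which case every
// unknown name resolves to it, as some ISP and captive-portal resolvers do.
function makeResolver(table, wildcard) {
  const dnsResolve = host => (host in table ? table[host] : (wildcard || null));
  const isResolvable = host => dnsResolve(host) !== null;
  // Browser dnsDomainIs(): true when host ends with the given domain.
  const dnsDomainIs = (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase());
  return { dnsResolve, isResolvable, dnsDomainIs };
}

// The post's PAC logic, with the helpers passed in instead of being globals.
function findProxyOriginal(url, host, pac) {
  if (pac.isResolvable(host)) {
    return "DIRECT";
  }
  return "PROXY localhost:8080; ";
}

// Variant that sends the corporate domain (an assumed name) through the
// tunnel before consulting the resolver, so a resolver that answers for every
// name cannot pull intranet requests out of the tunnel and onto its own address.
function findProxyPinned(url, host, pac) {
  if (pac.dnsDomainIs(host, ".corp.example")) {
    return "PROXY localhost:8080; ";
  }
  if (pac.isResolvable(host)) {
    return "DIRECT";
  }
  return "PROXY localhost:8080; ";
}

// Constructed tables: a resolver that knows only public names, and the same
// resolver with a wildcard answer for everything else (TEST-NET addresses).
const PUBLIC_TABLE = { "www.example.com": "198.51.100.10" };
const WILDCARD_ADDR = "203.0.113.1";

// Run both PAC versions through the scenarios and return the decisions.
function decisions() {
  const honest = makeResolver(PUBLIC_TABLE, null);
  const wildcard = makeResolver(PUBLIC_TABLE, WILDCARD_ADDR);
  const intranet = "wiki.corp.example";
  const pub = "www.example.com";
  return {
    // public site, honest resolver: both versions go direct
    publicHonest: findProxyOriginal("http://" + pub + "/", pub, honest),
    // intranet name, honest resolver: NXDOMAIN, so through the tunnel
    intranetHonest: findProxyOriginal("http://" + intranet + "/", intranet, honest),
    // intranet name, wildcard resolver: the original goes DIRECT to 203.0.113.1
    intranetWildcard: findProxyOriginal("http://" + intranet + "/", intranet, wildcard),
    // same scenario with the pinned variant: still through the tunnel
    intranetWildcardPinned: findProxyPinned("http://" + intranet + "/", intranet, wildcard),
    // public site with the pinned variant: unchanged, direct
    publicWildcardPinned: findProxyPinned("http://" + pub + "/", pub, wildcard),
  };
}

console.log(decisions());
```

The pinned variant keeps the original's behaviour for everything outside the corporate domain, so the location-dependent effect the post relies on survives; only the intranet names stop depending on the local resolver.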
About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com
