By user12625760 on Jan 01, 2009
Now that the new crossbow networking stack is in OpenSolaris I have been able to configure a transparent proxy server for the Sun Ray users. By having a zone act as the only route from the internal network the internet all the http traffic can now go through the proxy and hence benefit from the cache and all in one box.
Now all traffic from the internal network gets a default router of the squid zone's vnic0 from dhcp and the global zone routes via in internal network that I have called dmz0 to the squid zone. The internal network is not absolutley needed as the global zone could route via the internal network but some how that does not seem such a good set up. I have the naming of the vnics not quite the way I want it but that is really just cosmetic.
Here are the virtual nics:
: pearson FSS 3 $; pfexec dladm show-vnic LINK OVER SPEED MACADDRESS MACADDRTYPE VID vnic0 nge0 1000 2:8:20:b2:86:2 random 0 sshnic0 rtls0 100 2:8:20:2c:d7:cf random 0 dmzpearson0 dmz0 0 2:8:20:ce:2e:43 random 0 dmzsquid0 dmz0 0 2:8:20:20:a2:69 random 0 : pearson FSS 4 $;
and this is the configuration for the zone:
: pearson FSS 8 $; pfexec zonecfg -z squid info net net: address not specified physical: vnic0 defrouter not specified net: address not specified physical: rtls0 defrouter not specified net: address not specified physical: dmzsquid0 defrouter not specified : pearson FSS 9 $;
Then in the zone I have ipfilter configured to handle the usual NAT and also to forward web traffic to the proxy:
: pearson FSS 10 $; pfexec zlogin squid cat /etc/ipf/ipnat.conf # # First the usual NAT entries to handle everything going out # map rtls0 192.168.1.0/24 -> 192.168.254.22/32 map rtls0 192.168.2.0/24 -> 192.168.254.22/32 # # These next two lines forward traffic to port 80 to the transparent # web proxy that is running in this zone # rdr vnic0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp rdr dmzsquid0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp : pearson FSS 11 $;
Then remember to configure squid to accept the transparent proxy by adding the transparent line to the http_port option:
: pearson FSS 12 $; pfexec zlogin squid grep \^http_port /etc/squid/squid.conf http_port 3128 transparent http_port 8080 : pearson FSS 13 $;
Finally I had to remember to use routeadm(1m) to turn on routing in the zone, which was the first time I had run that command. No more messing around with files in /etc just run "routeadm -u -e ipv4-forwarding" to enable it in the zone and I was done.
All in all the solution is pretty pleasing.