Thursday Jan 01, 2009

Http proxy in a zone

Now that the new Crossbow networking stack is in OpenSolaris I have been able to configure a transparent proxy server for the Sun Ray users. By having a zone act as the only route from the internal network to the internet, all the http traffic can now go through the proxy and hence benefit from the cache, all in one box.


Now all traffic from the internal network gets a default router of the squid zone's vnic0 from dhcp, and the global zone routes to the squid zone via an internal network that I have called dmz0. The dmz0 network is not absolutely needed, as the global zone could route via the internal network, but somehow that does not seem such a good set up. I have not got the naming of the vnics quite the way I want it, but that is really just cosmetic.

Here are the virtual nics:

: pearson FSS 3 $; pfexec dladm show-vnic        
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID
vnic0        nge0         1000   2:8:20:b2:86:2       random              0
sshnic0      rtls0        100    2:8:20:2c:d7:cf      random              0
dmzpearson0  dmz0         0      2:8:20:ce:2e:43      random              0
dmzsquid0    dmz0         0      2:8:20:20:a2:69      random              0
: pearson FSS 4 $; 

and this is the configuration for the zone:

: pearson FSS 8 $; pfexec zonecfg -z squid info net
net:
	address not specified
	physical: vnic0
	defrouter not specified
net:
	address not specified
	physical: rtls0
	defrouter not specified
net:
	address not specified
	physical: dmzsquid0
	defrouter not specified
: pearson FSS 9 $; 

Then in the zone I have ipfilter configured to handle the usual NAT and also to forward web traffic to the proxy:

: pearson FSS 10 $; pfexec zlogin squid cat /etc/ipf/ipnat.conf   
#
# First the usual NAT entries to handle everything going out
#
map rtls0 192.168.1.0/24 -> 192.168.254.22/32
map rtls0 192.168.2.0/24 -> 192.168.254.22/32
#
# These next two lines forward traffic to port 80 to the transparent
# web proxy that is running in this zone
#
rdr vnic0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
rdr dmzsquid0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
: pearson FSS 11 $; 

Then remember to configure squid to accept the intercepted connections by adding the transparent keyword to the http_port option (explicitly configured clients still use the separate 8080 port). Note that the ipnat rules only redirect on the inside interfaces, but squid binds both ports on every interface of the zone, rtls0 included, so squid's http_access ACLs (or an ipf.conf block rule on rtls0) need to stop the internet side from using the box as an open proxy:

: pearson FSS 12 $; pfexec zlogin squid grep \^http_port /etc/squid/squid.conf
http_port 3128 transparent
http_port 8080
: pearson FSS 13 $;

Finally I had to remember to use routeadm(1m) to turn on IP forwarding in the zone, which was the first time I had run that command. No more messing around with files in /etc: just run "routeadm -u -e ipv4-forwarding" to enable it in the zone and I was done.
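For reference, here is the whole build as one script. This is an added example and not part of the original post. It takes the interface names, networks, NAT address and ports from the output above and adds the pieces the post does not show: an ipf.conf that blocks both squid ports inbound on rtls0, a squid.conf fragment with http_access ACLs for the two internal networks, and a small audit helper (check_ext_blocked, a name made up for this example) that fails if any squid port is left reachable from the internet side. It assumes dmz0 is an etherstub, that a zone named squid already exists and can be made exclusive-IP, that squid was built with --enable-ipf-transparent as in the 2007 post below, and that zlogin will take the generated files on stdin. The default action only prints the three config fragments; "apply" runs the dladm, zonecfg and routeadm steps on the host.

```shell
#!/bin/sh
# Added example (not from the original post): the transparent-proxy zone
# build as one script. Interface names, networks, NAT address and ports are
# the ones shown on the page; dmz0 being an etherstub, an existing zone
# called "squid", and the ipf.conf/squid.conf fragments are assumptions.
set -e

INT_IF=vnic0              # vnic over nge0: the internal LAN side of the zone
DMZ_IF=dmzsquid0          # vnic over the dmz0 etherstub: the global zone's way in
EXT_IF=rtls0              # the internet side, handed to the zone as-is
EXT_IP=192.168.254.22     # NAT address on rtls0, from the post's map lines
INT_NETS="192.168.1.0/24 192.168.2.0/24"
INTERCEPT_PORT=3128       # http_port ... transparent
PROXY_PORT=8080           # explicit (non-intercept) proxy port

# ipnat.conf: NAT everything out, redirect port 80 on the two inside
# interfaces only. There is no rdr on $EXT_IF, so nothing arriving from
# the internet is ever handed to the intercept port.
gen_ipnat() {
    for net in $INT_NETS; do
        echo "map $EXT_IF $net -> $EXT_IP/32"
    done
    for ifc in $INT_IF $DMZ_IF; do
        echo "rdr $ifc 0.0.0.0/0 port 80 -> 127.0.0.1 port $INTERCEPT_PORT tcp"
    done
}

# ipf.conf: the part the post does not show. Squid binds both ports on every
# interface of the zone, so without these rules anyone on the rtls0 side can
# use the box as an open proxy. Everything else passes (IPFilter's default).
gen_ipf() {
    for p in $INTERCEPT_PORT $PROXY_PORT; do
        echo "block in quick on $EXT_IF proto tcp from any to any port = $p"
    done
}

# squid.conf fragment: the same restriction again at the application layer,
# with the intercept port kept separate from the explicit proxy port.
gen_squid() {
    echo "acl localnet src $INT_NETS"
    echo "http_access allow localnet"
    echo "http_access deny all"
    echo "http_port $INTERCEPT_PORT transparent"
    echo "http_port $PROXY_PORT"
}

# Audit helper (hypothetical): every port squid listens on must have an
# inbound block on $EXT_IF. $1 is the ipf.conf to inspect, the rest are
# ports; returns 1 if any port is left open.
check_ext_blocked() {
    ipf=$1; shift
    rc=0
    for p in "$@"; do
        if ! grep -q "^block in quick on $EXT_IF .*port = $p\$" "$ipf"; then
            echo "port $p is not blocked inbound on $EXT_IF" >&2
            rc=1
        fi
    done
    return $rc
}

# Build the links, add the three net resources to the zone, push the
# configs in and switch on forwarding. Only for the OpenSolaris host itself.
apply() {
    pfexec dladm create-etherstub dmz0
    pfexec dladm create-vnic -l nge0 $INT_IF
    pfexec dladm create-vnic -l dmz0 $DMZ_IF
    pfexec dladm create-vnic -l dmz0 dmzpearson0
    pfexec zonecfg -z squid <<EOF
set ip-type=exclusive
add net
set physical=$INT_IF
end
add net
set physical=$EXT_IF
end
add net
set physical=$DMZ_IF
end
commit
EOF
    gen_ipnat | pfexec zlogin squid sh -c 'cat > /etc/ipf/ipnat.conf'
    gen_ipf   | pfexec zlogin squid sh -c 'cat > /etc/ipf/ipf.conf'
    pfexec zlogin squid svcadm enable network/ipfilter
    pfexec zlogin squid routeadm -u -e ipv4-forwarding
}

# Default action prints the fragments for review; "apply" does the work.
show() {
    echo "# ipnat.conf"; gen_ipnat
    echo "# ipf.conf";   gen_ipf
    echo "# squid.conf"; gen_squid
}

case "${1:-show}" in
    apply) apply ;;
    *)     show  ;;
esac
```

Run it with no arguments first and read the three fragments; the squid.conf lines are meant to be merged into the zone's existing squid.conf ahead of its http_access rules rather than copied over it. The audit is deliberately dumb (a literal grep for the block rule), so it only confirms the rule is written, not that ipfilter has loaded it; `ipfstat -io` inside the zone is the check for that.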

All in all the solution is pretty pleasing.

Tuesday Jan 16, 2007

Squid

I have finally installed a transparent caching server on the home server, mainly because it provides an easy way to block unsuitable sites from the kids.

Adding this line to ipnat.conf (recall my internal network is nge0 and the internet lives on rtls0):

rdr nge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp

The proxy server is listening on port 8080.


Then I took the source to squid, which I built with these options:


CC=cc ./configure --prefix=/opt/squid --enable-ipf-transparent --enable-ssl

Whilst I could have used the package from blastwave.org, I would like to wean the system off blastwave packages as they pull in lots of duplicated libraries when used on Solaris 10 or, as in my case, Nevada.


The squid cache is stored in its own ZFS file system, /tank/squid/cache, as you would expect; however, thanks to the way I have laid out the file systems, it does not get snapshotted, so it won't chew through disk.


Then, using the work that Trev has done, I now have a working manifest and start script.


About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com
