Enforce PROXY protocol in `filtering-proxy-psc` blueprint (#968)

This commit is contained in:
Sebastian Kunze 2022-11-15 08:18:57 +01:00 committed by GitHub
parent aa69ef4fb9
commit bcffb67e0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 64 additions and 6 deletions


@ -98,7 +98,7 @@ resource "google_compute_service_attachment" "service_attachment" {
name = "psc" name = "psc"
project = module.project.project_id project = module.project.project_id
region = var.region region = var.region
enable_proxy_protocol = false enable_proxy_protocol = true
connection_preference = "ACCEPT_MANUAL" connection_preference = "ACCEPT_MANUAL"
nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link] nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
target_service = module.squid-ilb.forwarding_rule_self_link target_service = module.squid-ilb.forwarding_rule_self_link
@ -125,9 +125,13 @@ module "service-account-squid" {
} }
module "cos-squid" { module "cos-squid" {
source = "../../../modules/cloud-config-container/squid" source = "../../../modules/cloud-config-container/squid"
allow = var.allowed_domains allow = var.allowed_domains
clients = [var.cidrs.psc] clients = [var.cidrs.app]
squid_config = "${path.module}/squid.conf"
config_variables = {
psc_cidr = var.cidrs.psc
}
} }
module "squid-vm" { module "squid-vm" {
@ -174,7 +178,8 @@ module "squid-mig" {
health_check_config = { health_check_config = {
enable_logging = true enable_logging = true
tcp = { tcp = {
port = 3128 port = 3128
proxy_header = "PROXY_V1"
} }
} }
update_policy = { update_policy = {
@ -204,7 +209,8 @@ module "squid-ilb" {
health_check_config = { health_check_config = {
enable_logging = true enable_logging = true
tcp = { tcp = {
port = 3128 port = 3128
proxy_header = "PROXY_V1"
} }
} }
} }
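Review bot: The `config_variables` map added to the `cos-squid` block (second hunk) passes only `psc_cidr`, while the new `squid.conf` template also references `${default_action}` on its final `http_access` line; unless the squid module merges a default for that name before rendering the template, templatefile() will fail on an unknown variable, so either pass it here (for example `default_action = "deny"`) or confirm the module supplies it. The switch of `clients` from `var.cidrs.psc` to `var.cidrs.app` deserves a why-comment, since it only makes sense together with `require-proxy-header`: `# with PROXY protocol Squid's src ACLs see the consumer's original address, not the PSC NAT range`. The `proxy_header = "PROXY_V1"` additions on the MIG and ILB health checks are consistent with that port option, and the firewall rule admitting port 3128 (not in this diff) should presumably be limited to the same sources as `proxy_protocol_access` in squid.conf. The `cos-squid`, `squid-mig` and `squid-ilb` blocks all start or end outside their hunks.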


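--- /dev/null
+++ b/squid.conf
@@ -0,0 +1,52 @@
+# bind to port 3128 and require PROXY protocol
+http_port 0.0.0.0:3128 require-proxy-header
+# only proxy, don't cache
+cache deny all
+acl ssl_ports port 443
+acl safe_ports port 80
+acl safe_ports port 443
+acl CONNECT method CONNECT
+acl to_metadata dst 169.254.169.254
+acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
+acl psc src ${psc_cidr}
+# read client CIDR ranges from clients.txt
+acl clients src "/etc/squid/clients.txt"
+# read allowed domains from allowlist.txt
+acl allowlist dstdomain "/etc/squid/allowlist.txt"
+# read denied domains from denylist.txt
+acl denylist dstdomain "/etc/squid/denylist.txt"
+# allow PROXY protocol from the PSC subnet
+proxy_protocol_access allow psc
+# allow PROXY protocol from the LB health checks
+proxy_protocol_access allow from_healthchecks
+# deny access to anything other than ports 80 and 443
+http_access deny !safe_ports
+# deny CONNECT if connection is not using ssl
+http_access deny CONNECT !ssl_ports
+# deny acccess to cachemgr
+http_access deny manager
+# deny access to localhost through the proxy
+http_access deny to_localhost
+# deny access to the local metadata server through the proxy
+http_access deny to_metadata
+# deny connection from allowed clients to any denied domains
+http_access deny clients denylist
+# allow connection from allowed clients only to the allowed domains
+http_access allow clients allowlist
+# deny everything else
+http_access ${default_action} all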
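Review bot: The `proxy_protocol_access` list ends after the two `allow` rules with no terminal rule; Squid denies unmatched connections on a `require-proxy-header` port by default, but an explicit `proxy_protocol_access deny all` after the `allow from_healthchecks` line makes the trust boundary visible, because the `clients` src ACL used by the `http_access` rules is now evaluated against the address carried in the PROXY header, and any peer admitted here can present whatever client address it likes. A comment stating that, for example `# peers allowed here set the client address seen by http_access; keep this to the PSC NAT range and health checks`, would help the next maintainer resist widening it. The health-check ranges in `acl from_healthchecks` are hard-coded while the PSC range is templated; a template variable with these ranges as its default would keep both in one place. The comment on the `manager` rule has a typo, `acccess`.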