Enforce PROXY protocol in `filtering-proxy-psc` blueprint (#968)
This commit is contained in:
parent
aa69ef4fb9
commit
bcffb67e0f
@ -98,7 +98,7 @@ resource "google_compute_service_attachment" "service_attachment" {
|
||||||
name = "psc"
|
name = "psc"
|
||||||
project = module.project.project_id
|
project = module.project.project_id
|
||||||
region = var.region
|
region = var.region
|
||||||
enable_proxy_protocol = false
|
enable_proxy_protocol = true
|
||||||
connection_preference = "ACCEPT_MANUAL"
|
connection_preference = "ACCEPT_MANUAL"
|
||||||
nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
|
nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
|
||||||
target_service = module.squid-ilb.forwarding_rule_self_link
|
target_service = module.squid-ilb.forwarding_rule_self_link
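Review bot: `enable_proxy_protocol = true` on the service attachment is only safe because two other parts of this commit change with it — `require-proxy-header` in squid.conf and `proxy_header = "PROXY_V1"` on both health checks — and nothing on the resource records that coupling. Reverting this single line later would leave Squid refusing every PSC connection, so a comment on the line is worth adding: `# must match require-proxy-header in squid.conf and proxy_header in the squid-mig/squid-ilb health checks`. As far as I recall PSC emits PROXY protocol v2 while the GCE health checks send v1; Squid's `require-proxy-header` accepts either, so the mix is fine but worth stating in the same comment. The resource block starts outside the hunk.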
|
||||||
|
@ -125,9 +125,13 @@ module "service-account-squid" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cos-squid" {
|
module "cos-squid" {
|
||||||
source = "../../../modules/cloud-config-container/squid"
|
source = "../../../modules/cloud-config-container/squid"
|
||||||
allow = var.allowed_domains
|
allow = var.allowed_domains
|
||||||
clients = [var.cidrs.psc]
|
clients = [var.cidrs.app]
|
||||||
|
squid_config = "${path.module}/squid.conf"
|
||||||
|
config_variables = {
|
||||||
|
psc_cidr = var.cidrs.psc
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "squid-vm" {
|
module "squid-vm" {
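Review bot: `clients = [var.cidrs.app]` silently changes what the `clients` ACL matches — with PROXY protocol enforced Squid evaluates `src` against the address carried in the PROXY header (the consumer side), not the PSC NAT address, which is why the PSC range moves to `psc_cidr` for `proxy_protocol_access`. A comment above the argument would save the next reader a trip to squid.conf, e.g. `# matched against the PROXY-protocol source address (consumer side), not the PSC NAT range`. Note also that squid.conf references `${default_action}` while `config_variables` only passes `psc_cidr`; presumably the squid module injects it from its own `default_action` variable, but that is worth confirming since an unresolved template variable fails at render time. The `module "squid-vm"` block begins at the end of the hunk and continues outside it.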
|
||||||
|
@ -174,7 +178,8 @@ module "squid-mig" {
|
||||||
health_check_config = {
|
health_check_config = {
|
||||||
enable_logging = true
|
enable_logging = true
|
||||||
tcp = {
|
tcp = {
|
||||||
port = 3128
|
port = 3128
|
||||||
|
proxy_header = "PROXY_V1"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
update_policy = {
|
update_policy = {
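Review bot: `proxy_header = "PROXY_V1"` makes the health checks depend on the `from_healthchecks` ACL in squid.conf, whose ranges `130.211.0.0/22 35.191.0.0/16` are hard-coded there while `psc_cidr` is injected through `config_variables`; the same applies to the squid-ilb health check in the hunk at `@ -204,7 +209,8 @@`. If those ranges ever need to change they now have to be edited in a file that the Terraform inputs do not surface, and a mismatch shows up only as failing health checks. Consider passing them as a second config variable, e.g. `health_check_ranges = "130.211.0.0/22 35.191.0.0/16"`, and using `acl from_healthchecks src ${health_check_ranges}` in the template. Both health_check_config blocks sit inside module blocks that start outside the hunk.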
|
||||||
|
@ -204,7 +209,8 @@ module "squid-ilb" {
|
||||||
health_check_config = {
|
health_check_config = {
|
||||||
enable_logging = true
|
enable_logging = true
|
||||||
tcp = {
|
tcp = {
|
||||||
port = 3128
|
port = 3128
|
||||||
|
proxy_header = "PROXY_V1"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
# bind to port 3128 and require PROXY protocol
|
||||||
|
http_port 0.0.0.0:3128 require-proxy-header
|
||||||
|
|
||||||
|
# only proxy, don't cache
|
||||||
|
cache deny all
|
||||||
|
|
||||||
|
acl ssl_ports port 443
|
||||||
|
acl safe_ports port 80
|
||||||
|
acl safe_ports port 443
|
||||||
|
acl CONNECT method CONNECT
|
||||||
|
acl to_metadata dst 169.254.169.254
|
||||||
|
acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
|
||||||
|
acl psc src ${psc_cidr}
|
||||||
|
|
||||||
|
# read client CIDR ranges from clients.txt
|
||||||
|
acl clients src "/etc/squid/clients.txt"
|
||||||
|
|
||||||
|
# read allowed domains from allowlist.txt
|
||||||
|
acl allowlist dstdomain "/etc/squid/allowlist.txt"
|
||||||
|
|
||||||
|
# read denied domains from denylist.txt
|
||||||
|
acl denylist dstdomain "/etc/squid/denylist.txt"
|
||||||
|
|
||||||
|
# allow PROXY protocol from the PSC subnet
|
||||||
|
proxy_protocol_access allow psc
|
||||||
|
|
||||||
|
# allow PROXY protocol from the LB health checks
|
||||||
|
proxy_protocol_access allow from_healthchecks
|
||||||
|
|
||||||
|
# deny access to anything other than ports 80 and 443
|
||||||
|
http_access deny !safe_ports
|
||||||
|
|
||||||
|
# deny CONNECT if connection is not using ssl
|
||||||
|
http_access deny CONNECT !ssl_ports
|
||||||
|
|
||||||
|
# deny acccess to cachemgr
|
||||||
|
http_access deny manager
|
||||||
|
|
||||||
|
# deny access to localhost through the proxy
|
||||||
|
http_access deny to_localhost
|
||||||
|
|
||||||
|
# deny access to the local metadata server through the proxy
|
||||||
|
http_access deny to_metadata
|
||||||
|
|
||||||
|
# deny connection from allowed clients to any denied domains
|
||||||
|
http_access deny clients denylist
|
||||||
|
|
||||||
|
# allow connection from allowed clients only to the allowed domains
|
||||||
|
http_access allow clients allowlist
|
||||||
|
|
||||||
|
# deny everything else
|
||||||
|
http_access ${default_action} all
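Review bot: The `proxy_protocol_access` list ends with `allow from_healthchecks` and has no terminal rule, so connections from any other TCP source are refused only through Squid's implicit default (the opposite of the last rule); add `proxy_protocol_access deny all` after `proxy_protocol_access allow from_healthchecks` so the trust boundary is explicit and survives a later rule being appended. Two smaller points: the closing comment `# deny everything else` is only true when `default_action` is `deny` — with `allow` the final `http_access ${default_action} all` admits every source, including ones not in clients.txt, so `# default action for everything not matched above (deny unless default_action is overridden)` describes it more honestly; and `# deny acccess to cachemgr` has a typo. Also worth noting in the header comment that `require-proxy-header` on the only `http_port` means direct connections from inside the producer VPC (no PROXY header) are rejected too, which I assume is intended.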
|