Enforce PROXY protocol in `filtering-proxy-psc` blueprint (#968)
This commit is contained in:
parent
aa69ef4fb9
commit
bcffb67e0f
@ -98,7 +98,7 @@ resource "google_compute_service_attachment" "service_attachment" {
name = "psc"
project = module.project.project_id
region = var.region
enable_proxy_protocol = false
enable_proxy_protocol = true
connection_preference = "ACCEPT_MANUAL"
nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
target_service = module.squid-ilb.forwarding_rule_self_link
@ -125,9 +125,13 @@ module "service-account-squid" {
}
module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
allow = var.allowed_domains
clients = [var.cidrs.psc]
source = "../../../modules/cloud-config-container/squid"
allow = var.allowed_domains
clients = [var.cidrs.app]
squid_config = "${path.module}/squid.conf"
config_variables = {
psc_cidr = var.cidrs.psc
}
}
module "squid-vm" {
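Review bot: The switch of `clients` from `var.cidrs.psc` to `var.cidrs.app` in the cos-squid module carries no explanation, and it only makes sense together with the PROXY protocol change made elsewhere in this commit. A comment on that line would spare the next reader the cross-reference, e.g. `# with PROXY protocol the source Squid sees is the consumer's address, not the PSC NAT range` (that reading is inferred from the service attachment and squid.conf changes, so confirm it). The same applies to the two `proxy_header = "PROXY_V1"` health-check settings in the squid-mig and squid-ilb hunks: they must stay in step with `require-proxy-header` in squid.conf, since a probe arriving without the header will be rejected and the backend marked unhealthy, and a one-line comment stating that dependency would help. `config_variables` only passes `psc_cidr`, while squid.conf also references `${default_action}`; presumably the squid module supplies it, but that is worth verifying.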
@ -174,7 +178,8 @@ module "squid-mig" {
health_check_config = {
enable_logging = true
tcp = {
port = 3128
port = 3128
proxy_header = "PROXY_V1"
}
}
update_policy = {
@ -204,7 +209,8 @@ module "squid-ilb" {
health_check_config = {
enable_logging = true
tcp = {
port = 3128
port = 3128
proxy_header = "PROXY_V1"
}
}
}
@ -0,0 +1,52 @@
# bind to port 3128 and require PROXY protocol
http_port 0.0.0.0:3128 require-proxy-header
# only proxy, don't cache
cache deny all
acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl CONNECT method CONNECT
acl to_metadata dst 169.254.169.254
acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
acl psc src ${psc_cidr}
# read client CIDR ranges from clients.txt
acl clients src "/etc/squid/clients.txt"
# read allowed domains from allowlist.txt
acl allowlist dstdomain "/etc/squid/allowlist.txt"
# read denied domains from denylist.txt
acl denylist dstdomain "/etc/squid/denylist.txt"
# allow PROXY protocol from the PSC subnet
proxy_protocol_access allow psc
# allow PROXY protocol from the LB health checks
proxy_protocol_access allow from_healthchecks
# deny access to anything other than ports 80 and 443
http_access deny !safe_ports
# deny CONNECT if connection is not using ssl
http_access deny CONNECT !ssl_ports
# deny acccess to cachemgr
http_access deny manager
# deny access to localhost through the proxy
http_access deny to_localhost
# deny access to the local metadata server through the proxy
http_access deny to_metadata
# deny connection from allowed clients to any denied domains
http_access deny clients denylist
# allow connection from allowed clients only to the allowed domains
http_access allow clients allowlist
# deny everything else
http_access ${default_action} all
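Review bot: The two proxy_protocol_access rules allow the psc and from_healthchecks sources but end without an explicit deny, so the outcome for any other source rests on Squid's default of applying the opposite of the last rule; a closing `proxy_protocol_access deny all` (or at least a comment stating that the implicit deny is intended) would make the trust boundary explicit, since whoever is allowed to send the PROXY header sets the client address that every later `src` ACL, including `clients`, is evaluated against. The health-check ranges 130.211.0.0/22 and 35.191.0.0/16 on the from_healthchecks acl are hard-coded while the rest of the file is templated; a comment noting that they must match the load balancer's probe sources, and that a probe from elsewhere fails at the PROXY layer rather than in http_access, would help whoever next changes the load balancer. `${default_action}` is referenced here but the cos-squid module call in main.tf only passes `psc_cidr` in `config_variables`; presumably the squid module supplies it, but that is worth confirming.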