
Enforce PROXY protocol in filtering-proxy-psc blueprint #968


Merged
merged 3 commits into from
Nov 15, 2022
Merged
18 changes: 12 additions & 6 deletions blueprints/networking/filtering-proxy-psc/main.tf
Expand Up @@ -98,7 +98,7 @@ resource "google_compute_service_attachment" "service_attachment" {
name = "psc"
project = module.project.project_id
region = var.region
enable_proxy_protocol = false
enable_proxy_protocol = true
connection_preference = "ACCEPT_MANUAL"
nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
target_service = module.squid-ilb.forwarding_rule_self_link
Expand All @@ -125,9 +125,13 @@ module "service-account-squid" {
}

module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
allow = var.allowed_domains
clients = [var.cidrs.psc]
source = "../../../modules/cloud-config-container/squid"
allow = var.allowed_domains
clients = [var.cidrs.app]
squid_config = "${path.module}/squid.conf"
config_variables = {
psc_cidr = var.cidrs.psc
}
}

module "squid-vm" {
Expand Down Expand Up @@ -174,7 +178,8 @@ module "squid-mig" {
health_check_config = {
enable_logging = true
tcp = {
port = 3128
port = 3128
proxy_header = "PROXY_V1"
}
}
update_policy = {
Expand Down Expand Up @@ -204,7 +209,8 @@ module "squid-ilb" {
health_check_config = {
enable_logging = true
tcp = {
port = 3128
port = 3128
proxy_header = "PROXY_V1"
}
}
}
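Review bot: The `config_variables` map added in the `cos-squid` hunk only supplies `psc_cidr`, while the squid.conf added in this same PR also references `${default_action}` on its last `http_access` line; unless the squid module merges its own default for `default_action` into the template variables (not visible here), rendering the template will fail or leave that rule unset. Either pass it explicitly, e.g. `config_variables = { psc_cidr = var.cidrs.psc, default_action = "deny" }`, or confirm the module's defaults cover it. The switch of `clients` from `var.cidrs.psc` to `var.cidrs.app` presumably reflects that Squid now sees the original client address carried in the PROXY header instead of the PSC NAT address; a comment on that line such as `# with PROXY protocol squid sees the app subnet client IPs, not the PSC NAT range` would spare the next reader the same deduction. The `cos-squid` module block is complete within the hunk, but the surrounding `squid-mig` and `squid-ilb` blocks start outside it.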
52 changes: 52 additions & 0 deletions blueprints/networking/filtering-proxy-psc/squid.conf
@@ -0,0 +1,52 @@
# bind to port 3128 and require PROXY protocol
http_port 0.0.0.0:3128 require-proxy-header

# only proxy, don't cache
cache deny all

acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl CONNECT method CONNECT
acl to_metadata dst 169.254.169.254
acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
acl psc src ${psc_cidr}

# read client CIDR ranges from clients.txt
acl clients src "/etc/squid/clients.txt"

# read allowed domains from allowlist.txt
acl allowlist dstdomain "/etc/squid/allowlist.txt"

# read denied domains from denylist.txt
acl denylist dstdomain "/etc/squid/denylist.txt"

# allow PROXY protocol from the PSC subnet
proxy_protocol_access allow psc

# allow PROXY protocol from the LB health checks
proxy_protocol_access allow from_healthchecks

# deny access to anything other than ports 80 and 443
http_access deny !safe_ports

# deny CONNECT if connection is not using ssl
http_access deny CONNECT !ssl_ports

# deny acccess to cachemgr
http_access deny manager

# deny access to localhost through the proxy
http_access deny to_localhost

# deny access to the local metadata server through the proxy
http_access deny to_metadata

# deny connection from allowed clients to any denied domains
http_access deny clients denylist

# allow connection from allowed clients only to the allowed domains
http_access allow clients allowlist

# deny everything else
http_access ${default_action} all
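Review bot: The two `proxy_protocol_access allow` rules define the trust boundary of this configuration: any source matching `psc` or `from_healthchecks` is allowed to assert the client address that the later `src`-based `clients` acl is evaluated against, so the `psc` acl must stay limited to the PSC NAT subnet and the `${psc_cidr}` value passed from Terraform should never be widened to a larger range. A comment above `proxy_protocol_access allow psc` would make that explicit, e.g. `# sources listed here are trusted to assert the client IP seen by the src acls; keep to the PSC NAT subnet only`. Squid denies PROXY headers from unlisted sources when `require-proxy-header` is set, but closing the block with an explicit `proxy_protocol_access deny all` would make the policy self-documenting in the same way the file already ends `http_access` with a catch-all rule.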