| 1 | +# Testing the Appliance behind HTTP Proxy |
| 2 | + |
| 3 | +This guide is meant for developers who want to test the Appliance behind an HTTP proxy. |
| 4 | + |
| 5 | +## Prerequisites |
| 6 | + |
| 7 | +VirtualBox with configured Host-only Network (File -> Tools -> Network manager). In this guide I use vboxnet0 with IP network 192.168.56.0/24 |
| 8 | + |
| 9 | +### DNS |
| 10 | +DNS server running on same host as VirtualBox. DNSMASQ with config `/etc/dnsmasq.conf`: |
| 11 | +```conf |
| 12 | +interface=vboxnet0 # VirtualBox host-only interface name |
| 13 | +listen-address=192.168.56.1 # Host-only IP |
| 14 | +bind-interfaces |
| 15 | +server=192.168.1.1 # Upstream DNS |
| 16 | +``` |
| 17 | +will do the trick. |
| 18 | + |
| 19 | +### HTTP Proxy |
| 20 | +And finally Squid proxy server. I used squid-5.7-2+deb12u2 on Debian Bookworm and tested with CZERTAINLY v 2.15.1. With following config `/etc/squid/conf.d/vboxnet0.conf`: |
| 21 | + |
| 22 | +```conf |
| 23 | +# Allow access from your host-only network (e.g., 192.168.56.0/24) |
| 24 | +acl hostonlynet src 192.168.56.0/24 |
| 25 | +
|
| 26 | +# Debian package system - needed for system updates |
| 27 | +acl debian_packages dstdomain deb.debian.org security.debian.org |
| 28 | +# 3Key Resources - debian package + oci helm charts |
| 29 | +acl 3key_resources dstdomain deb.czertainly.com harbor.3key.company |
| 30 | +# Resources for helm package + helm diff plugin |
| 31 | +# https://github.com/CZERTAINLY/ansible-role-helm/blob/develop/tasks/helm.yml#L28 |
| 32 | +# https://github.com/CZERTAINLY/ansible-role-helm/blob/develop/tasks/helm_diff.yml#L13 |
| 33 | +acl helm_resources dstdom_regex ^packages.buildkite.com$ ^github.com$ ^release-assets.githubusercontent.com$ cloudfront.net$ |
| 34 | +# Resources for Docker needed by RKE2, cert-manager and CZERTAINLY |
| 35 | +acl docker_resources dstdomain index.docker.io auth.docker.io production.cloudflare.docker.com registry-1.docker.io |
| 36 | +# Resources for RKE2 |
| 37 | +acl rke2_resources dstdomain get.rke2.io update.rke2.io |
| 38 | +# Resources for local-path-provisioner |
| 39 | +# docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 seems like crazy name |
| 40 | +# that is why are using regex. |
| 41 | +acl local_path_resources dstdom_regex ^raw\.githubusercontent\.com$ ^docker-images-prod\..*\.cloudflarestorage\.com$ |
| 42 | +# Resources for cert-manager - images are at cdn01.quay.io I rather use regex. |
| 43 | +acl cert_mananager_resources dstdom_regex ^charts\.jetstack\.io$ ^quay\.io$ ^cdn.*\.quay\.io$ |
| 44 | +
|
| 45 | +# Access rules: Only allow source from hostonlynet to allowed_domains |
| 46 | +http_access allow hostonlynet debian_packages |
| 47 | +http_access allow hostonlynet 3key_resources |
| 48 | +http_access allow hostonlynet helm_resources |
| 49 | +http_access allow hostonlynet docker_resources |
| 50 | +http_access allow hostonlynet rke2_resources |
| 51 | +http_access allow hostonlynet local_path_resources |
| 52 | +http_access allow hostonlynet cert_mananager_resources |
| 53 | +
|
| 54 | +# Deny all other traffic from hostonlynet |
| 55 | +http_access deny hostonlynet |
| 56 | +
|
| 57 | +# Usual final deny all |
| 58 | +http_access deny all |
| 59 | +``` |
| 60 | + |
| 61 | +## Appliance testing |
| 62 | + |
| 63 | +Exec appliance, gain root and manually do following tasks. |
| 64 | + |
| 65 | +Configure DNS Server as Host-only adapter doesn't provide any: |
| 66 | +``` |
| 67 | +echo "nameserver 192.168.56.1" > /etc/resolv.conf |
| 68 | +``` |
| 69 | + |
| 70 | +Add default route (without it rke2 install fails): |
| 71 | +``` |
| 72 | +echo '#!/bin/sh |
| 73 | +
|
| 74 | +ip route add default via 192.168.56.1 dev eth0 |
| 75 | +exit 0 |
| 76 | +' > /etc/network/if-up.d/eth0-poststart |
| 77 | +chmod +x /etc/network/if-up.d/eth0-poststart |
| 78 | +``` |
| 79 | + |
| 80 | +Configure HTTP proxy using TUI to use https://192.168.56.1:3128/ |
| 81 | + |
| 82 | +Reboot to make sure changes take effect. |
| 83 | + |
| 84 | +**Commence testing behind the HTTP proxy.** |
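Review bot: the proxy URL in the appliance step near the end of the file (`Configure HTTP proxy using TUI to use https://192.168.56.1:3128/`) uses an https:// scheme, but the Squid config added here only relies on Debian's default plain-text `http_port 3128` and defines no `https_port` or certificate, so the appliance would attempt a TLS handshake against a plaintext port and every request would fail before it ever reaches the ACLs; change it to `http://192.168.56.1:3128/`. Two smaller points in the same hunk: the helm allow-list (`acl helm_resources dstdom_regex ^packages.buildkite.com$ ^github.com$ ^release-assets.githubusercontent.com$ cloudfront.net$`) leaves the dots unescaped and `cloudfront.net$` unanchored on the left, so the allow rule also matches names such as `evil-cloudfront.net`; escape the dots and use `\.cloudfront\.net$`, as the `local_path_resources` acl already does. The ifupdown hook (`ip route add default via 192.168.56.1 dev eth0`) is placed in `/etc/network/if-up.d/`, so it runs for every interface that comes up and the unconditional `exit 0` hides the "File exists" error on the second run; guard it with `[ "$IFACE" = "eth0" ] || exit 0` at the top. Finally, the comment above the `http_access` rules refers to an `allowed_domains` acl that does not exist in this config, and `cert_mananager_resources` is misspelled (consistently, so it works, but worth fixing while here).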