/
How to Enable Squid through SCS with Internet Access

How to Enable Squid through SCS with Internet Access

Owned by Milton Suen
Last updated: Sept 26, 2023
5 min read

  1. Set SELinux to permissive mode in the /etc/selinux/config file.

# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted

  1. Change SELinux to permissive mode from the command line:

setenforce 0

  1. Create a log directory for Squid:

mkdir /var/log/squid chmod 777 /var/log/squid

  1. Create the /etc/squid and /var/spool/squid directories:

mkdir /etc/squid mkdir /var/spool/squid/cache -p

  1. Create the /etc/squid/squid.conf file and configure it as needed.

  • cache_peer connect to parent proxy server

  • Update local storage network subnet

Note: If the password contains characters have special meanings in URLs (like ‘#', '&', '?', etc.), ensure the special characters are URL-encoded and must be encoded to be represented correctly.

# # Recommended minimum configuration: # # Define your parent Squid proxy # cache_peer 172.16.33.250 parent 3128 7 no-query login=csadmin:caringo no-digest no-netdb-exchange prefer_direct off never_direct allow all # tls sslcert=/etc/squid/ssl/parent_rootCA1.pem # cache_peer 172.16.33.250 parent 3128 0 no-query login=admin:datacore no-digest no-netdb-exchange prefer_direct off never_direct allow all cache_peer 172.16.33.250 parent 3128 7 no-query login=admin:datacore prefer_direct off ssl sslflags=DONT_VERIFY_PEER # ssl sslcert=/etc/squid/root-CA.pem never_direct allow all # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 172.16.0.0/16 # RFC 1918 local storage network (LAN) acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports # http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports # http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # This default configuration only allows localhost requests because a more # permissive Squid installation could introduce new attack vectors into the # network by proxying external TCP connections to unprotected services. http_access allow localhost # The two deny rules below are unnecessary in this default configuration # because they are followed by a "deny all" rule. However, they may become # critically important when you start allowing external requests below them. # Protect web applications running on the same server as Squid. They often # assume that only local users can access them at "localhost" ports. # http_access deny to_localhost # Protect cloud servers that provide local users with sensitive info about # their server via certain well-known link-local (a.k.a. APIPA) addresses. # http_access deny to_linklocal # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # For example, to allow access from your local networks, you may uncomment the # following rule (and/or add rules that match your definition of "local"): # http_access allow localnet # And finally deny all other access to this proxy # http_access deny all # http_access allow all http_access allow localnet http_access allow localhost http_access deny all # Squid normally listens to port 3128 http_port 3128 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/cache/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/cache/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320

  1. Run the following command to download the Squid container and run it using Podman:

podman run -d --name squid-container --restart on-failure --rm --security-opt seccomp=unconfined -e TZ=UTC -p 3128:3128 -v /etc/squid/squid.conf:/etc/squid/squid.conf -v /var/spool/squid/cache:/var/spool/squid -v /var/log/squid:/var/log/squid/ -v /etc/squid/root-CA.pem:/etc/squid/root-CA.pem ubuntu/squid:4.10-20.04_beta

  1. Update /etc/firewalld/zones/swarm_site.xml to allow access Squid on SCS Storage network on port 3128

<?xml version="1.0" encoding="utf-8"?> <zone> <service name="tftp"/> <service name="ntp"/> <service name="ssh"/> <service name="dhcp"/> <port protocol="udp" port="69"/> <port protocol="tcp" port="8095"/> <port protocol="tcp" port="9000"/> <port protocol="tcp" port="514"/> <port protocol="udp" port="514"/> <port protocol="tcp" port="9100"/> <port protocol="tcp" port="3128"/> </zone>

  1. Reload Firewall rules

firewall-cmd --reload

  1. Test Squid’s internet access by running a curl command:

curl -iLv -x "http://<scs_storage_ip>:3128" https://swarm.phonehome.datacore.com:443/castor/report

 

Offline Installation of Ubuntu/Squid

  1. Export the ubuntu.squid.4.10.tar container tarball:

podman save -o ubuntu.squid.4.10.tar docker.io/ubuntu/squid:4.10-20.04_beta

  1. Copy the tarball to SCS (e.g. /root/dist/ubuntu.squid.4.10.tar)

  2. Set SELinux to permissive mode in /etc/selinux/config file (it not already done).

# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted

  1. Change SELinux to permissive mode from the command line (if not already done):

setenforce 0

  1. Load the ubuntu/squid container image to Podman:

podman image load -i /root/datacore/ubuntu.squid.4.10.tar

  1. Create the necessary directories on SCS:

mkdir /etc/squid mkdir /var/log/squid mkdir /var/spool/squid/cache -p

  1. Grant permissions for Squid to output logs to /var/log/squid/access.log:

chmod -R 777 /var/log/squid

  1. Create or update the /etc/squid/squid.conf file as needed.

  2. Update /etc/squid/squid.conf with Parent Proxy IP, Port and correct storage subnet.

  3. Update /etc/firewalld/zones/swarm_site.xml to allow access Squid on SCS Storage network on port 3128

<?xml version="1.0" encoding="utf-8"?> <zone> <service name="tftp"/> <service name="ntp"/> <service name="ssh"/> <service name="dhcp"/> <port protocol="udp" port="69"/> <port protocol="tcp" port="8095"/> <port protocol="tcp" port="9000"/> <port protocol="tcp" port="514"/> <port protocol="udp" port="514"/> <port protocol="tcp" port="9100"/> <port protocol="tcp" port="3128"/> </zone>

  1. Reload Firewall rules

firewall-cmd --reload

  1. Run the following command to start the Squid container:

podman run -d --name squid-container --restart on-failure --rm --security-opt seccomp=unconfined -e TZ=UTC -p 3128:3128 -v /etc/squid/squid.conf:/etc/squid/squid.conf -v /var/spool/squid/cache:/var/spool/squid -v /var/log/squid:/var/log/squid/ ubuntu/squid:4.10-20.04_beta

 

Adding Squid Container to systemd to ensure start on system boot

  1. To create a systemd service for Squid container (/etc/systemd/system/squid-container.service), use the podman generate systemd command:

podman generate systemd --new --name squid-container > /etc/systemd/system/squid-container.service

  1. Stop Squid container from Podman

podman stop squid-container

  1. Enable and start the service:

systemctl enable --now squid-container

  1. Verify the status of the Squid container service:

systemctl status squid-container

Related content

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.