How to Enable Squid through SCS with Internet Access
Set SELinux to
permissive
mode in the/etc/selinux/config
file.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Change SELinux to permissive mode from the command line:
setenforce 0
Create a log directory for Squid:
mkdir /var/log/squid
chmod 777 /var/log/squid
Create the
/etc/squid
and/var/spool/squid
directories:
mkdir /etc/squid
mkdir /var/spool/squid/cache -p
Create the
/etc/squid/squid.conf
file and configure it as needed.
cache_peer connect to parent proxy server
Update local storage network subnet
Note: If the password contains characters have special meanings in URLs (like ‘#
', '&
', '?
', etc.), ensure the special characters are URL-encoded and must be encoded to be represented correctly.
#
# Recommended minimum configuration:
#
# Define your parent Squid proxy
# cache_peer 172.16.33.250 parent 3128 7 no-query login=csadmin:caringo no-digest no-netdb-exchange prefer_direct off never_direct allow all # tls sslcert=/etc/squid/ssl/parent_rootCA1.pem
# cache_peer 172.16.33.250 parent 3128 0 no-query login=admin:datacore no-digest no-netdb-exchange prefer_direct off never_direct allow all
cache_peer 172.16.33.250 parent 3128 7 no-query login=admin:datacore prefer_direct off ssl sslflags=DONT_VERIFY_PEER # ssl sslcert=/etc/squid/root-CA.pem
never_direct allow all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 172.16.0.0/16 # RFC 1918 local storage network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
# http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
# http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# This default configuration only allows localhost requests because a more
# permissive Squid installation could introduce new attack vectors into the
# network by proxying external TCP connections to unprotected services.
http_access allow localhost
# The two deny rules below are unnecessary in this default configuration
# because they are followed by a "deny all" rule. However, they may become
# critically important when you start allowing external requests below them.
# Protect web applications running on the same server as Squid. They often
# assume that only local users can access them at "localhost" ports.
# http_access deny to_localhost
# Protect cloud servers that provide local users with sensitive info about
# their server via certain well-known link-local (a.k.a. APIPA) addresses.
# http_access deny to_linklocal
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
# http_access allow localnet
# And finally deny all other access to this proxy
# http_access deny all
# http_access allow all
http_access allow localnet
http_access allow localhost
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Run the following command to download the Squid container and run it using Podman:
podman run -d --name squid-container --restart on-failure --rm --security-opt seccomp=unconfined -e TZ=UTC -p 3128:3128 -v /etc/squid/squid.conf:/etc/squid/squid.conf -v /var/spool/squid/cache:/var/spool/squid -v /var/log/squid:/var/log/squid/ -v /etc/squid/root-CA.pem:/etc/squid/root-CA.pem ubuntu/squid:4.10-20.04_beta
Update
/etc/firewalld/zones/swarm_site.xml
to allow access Squid on SCS Storage network on port3128
<?xml version="1.0" encoding="utf-8"?>
<zone>
<service name="tftp"/>
<service name="ntp"/>
<service name="ssh"/>
<service name="dhcp"/>
<port protocol="udp" port="69"/>
<port protocol="tcp" port="8095"/>
<port protocol="tcp" port="9000"/>
<port protocol="tcp" port="514"/>
<port protocol="udp" port="514"/>
<port protocol="tcp" port="9100"/>
<port protocol="tcp" port="3128"/>
</zone>
Reload Firewall rules
firewall-cmd --reload
Test Squid’s internet access by running a curl command:
curl -iLv -x "http://<scs_storage_ip>:3128" https://swarm.phonehome.datacore.com:443/castor/report
Offline Installation of Ubuntu/Squid
Export the
ubuntu.squid.4.10.tar
container tarball:
podman save -o ubuntu.squid.4.10.tar docker.io/ubuntu/squid:4.10-20.04_beta
Copy the tarball to SCS (e.g.
/root/dist/ubuntu.squid.4.10.tar
)Set SELinux to permissive mode in
/etc/selinux/config
file (it not already done).
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Change SELinux to permissive mode from the command line (if not already done):
setenforce 0
Load the ubuntu/squid container image to Podman:
podman image load -i /root/datacore/ubuntu.squid.4.10.tar
Create the necessary directories on SCS:
mkdir /etc/squid
mkdir /var/log/squid
mkdir /var/spool/squid/cache -p
Grant permissions for Squid to output logs to
/var/log/squid/access.log
:
chmod -R 777 /var/log/squid
Create or update the
/etc/squid/squid.conf
file as needed.Update /etc/squid/squid.conf with Parent Proxy IP, Port and correct storage subnet.
Update
/etc/firewalld/zones/swarm_site.xml
to allow access Squid on SCS Storage network on port3128
<?xml version="1.0" encoding="utf-8"?>
<zone>
<service name="tftp"/>
<service name="ntp"/>
<service name="ssh"/>
<service name="dhcp"/>
<port protocol="udp" port="69"/>
<port protocol="tcp" port="8095"/>
<port protocol="tcp" port="9000"/>
<port protocol="tcp" port="514"/>
<port protocol="udp" port="514"/>
<port protocol="tcp" port="9100"/>
<port protocol="tcp" port="3128"/>
</zone>
Reload Firewall rules
firewall-cmd --reload
Run the following command to start the Squid container:
podman run -d --name squid-container --restart on-failure --rm --security-opt seccomp=unconfined -e TZ=UTC -p 3128:3128 -v /etc/squid/squid.conf:/etc/squid/squid.conf -v /var/spool/squid/cache:/var/spool/squid -v /var/log/squid:/var/log/squid/ ubuntu/squid:4.10-20.04_beta
Adding Squid Container to systemd to ensure start on system boot
To create a
systemd
service for Squid container (/etc/systemd/system/squid-container.service
), use thepodman generate systemd
command:
podman generate systemd --new --name squid-container > /etc/systemd/system/squid-container.service
Stop Squid container from Podman
podman stop squid-container
Enable and start the service:
systemctl enable --now squid-container
Verify the status of the Squid container service:
systemctl status squid-container
Related content
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.