Set up a restrictive Squid proxy
## /etc/squid/Approved_Sites.txt

```
# put your vCenter FQDN/address in here too, if OpenShift is creating its own VMs:
# the OpenShift Machine API Operator will use the proxy when creating Worker nodes/VMs
vcenter.example.com
# required for OpenShift installation and samples catalog
# https://docs.openshift.com/container-platform/4.11/installing/install_config/configuring-firewall.html
# https://access.redhat.com/articles/3638561
# a leading dot matches the domain and all of its subdomains; an entry without one is an exact match
.quay.io #allows cdn.quay.io
.redhat.io #allows registry.redhat.io
.redhat.com #allows sso.redhat.com for authentication
.openshift.com #allows `oc`, `openshift-install`, and .ISO images
k8s.gcr.io #used by `nfs-subdir-external-provisioner`
.docker.io #generally helpful
```
## /etc/squid/squid.conf

```
# check that your OpenShift Node IPs are within the ranges allowed by "acl localnet src ..."
# add them to the acl if they're not already allowed
acl localnet src 123.45.67.0/24

# only allow connections to approved sites
# add the acl after the "acl CONNECT method CONNECT" line
acl Approved_Sites dstdomain "/etc/squid/Approved_Sites.txt"

# put the http_access rules in the http_access section, before the existing
# "http_access allow localnet" line (Squid applies the first http_access line that matches).
# Keep the allow tied to localnet: a bare "http_access allow Approved_Sites" would let
# any client that can reach the proxy use it for the approved domains.
http_access deny !Approved_Sites
http_access allow localnet Approved_Sites
```
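Before reloading Squid it is worth checking that the two ACLs above will actually admit what the installer needs and nothing else. The script below is an added pre-flight check, not part of the gist: it mirrors Squid's documented `dstdomain` file semantics (first token per line, `#` comments, a leading dot matching the domain and its subdomains, case-insensitive comparison) and the `acl localnet src` prefix match, then reports which hostnames and node IPs would be denied. The approved-sites text and the host and node lists are constructed sample data; replace them with your real file and inventory.

```python
"""Pre-flight check for the restrictive Squid config above (added example, not from the gist).

It mirrors two pieces of Squid behaviour the config relies on:
  * acl Approved_Sites dstdomain "/etc/squid/Approved_Sites.txt": one domain per line,
    '#' starts a comment, a leading dot matches the domain itself and every subdomain,
    no leading dot is an exact match, and matching is case-insensitive.
  * acl localnet src 123.45.67.0/24: a client is allowed only if its address falls
    inside one of the listed prefixes.
All sample data below is constructed for the example.
"""
import ipaddress

# Constructed copy of /etc/squid/Approved_Sites.txt (same entries as in the gist).
APPROVED_SITES = """\
# put your vCenter FQDN/address in here too
vcenter.example.com
.quay.io #allows cdn.quay.io
.redhat.io #allows registry.redhat.io
.redhat.com #allows sso.redhat.com for authentication
.openshift.com
k8s.gcr.io #used by nfs-subdir-external-provisioner
.docker.io
"""

# Constructed "acl localnet src ..." lines as they would appear in squid.conf.
LOCALNET_LINES = ["acl localnet src 123.45.67.0/24"]


def parse_dstdomain_file(text):
    """Return the patterns Squid loads from a dstdomain file.

    Squid keeps the first whitespace-delimited token of each line and skips blank
    lines and lines beginning with '#', so trailing '# comments' are ignored.
    """
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(line.split()[0].lower())
    return patterns


def dstdomain_matches(pattern, host):
    """Squid dstdomain semantics: '.x.y' matches x.y and *.x.y; 'x.y' matches only x.y."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def approved(patterns, host):
    """True if any loaded pattern admits the destination host."""
    return any(dstdomain_matches(p, host) for p in patterns)


def parse_localnet(lines):
    """Collect the prefixes from every 'acl localnet src ...' line."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[:3] == ["acl", "localnet", "src"]:
            nets.extend(ipaddress.ip_network(p, strict=False) for p in parts[3:])
    return nets


def in_localnet(nets, addr):
    """True if the client address is inside one of the localnet prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def preflight(site_text, localnet_lines, hosts, node_ips):
    """Return (hosts the proxy would deny, node IPs outside localnet)."""
    patterns = parse_dstdomain_file(site_text)
    nets = parse_localnet(localnet_lines)
    denied_hosts = [h for h in hosts if not approved(patterns, h)]
    denied_nodes = [ip for ip in node_ips if not in_localnet(nets, ip)]
    return denied_hosts, denied_nodes


if __name__ == "__main__":
    # Constructed sample: hosts an install fetches, one unrelated host, and a
    # look-alike that the exact-match entry k8s.gcr.io must not admit.
    hosts = ["registry.redhat.io", "cdn.quay.io", "sso.redhat.com",
             "mirror.openshift.com", "k8s.gcr.io", "docs.example.org",
             "evil-k8s.gcr.io"]
    nodes = ["123.45.67.10", "123.45.67.200", "10.0.0.5"]
    denied_hosts, denied_nodes = preflight(APPROVED_SITES, LOCALNET_LINES, hosts, nodes)
    print("hosts the proxy would deny:", denied_hosts)
    print("nodes outside localnet:", denied_nodes)
```

Run it with your real `Approved_Sites.txt` contents and the node IPs from your install config; any denied host is an entry you still need to add, and any denied node is a `localnet` range you still need to widen.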