Skip to content

Instantly share code, notes, and snippets.

@johnsimcall

johnsimcall/Approved_Sites.txt

Last active October 20, 2023 21:33
Show Gist options
  • Save johnsimcall/bc0889055da7df861692a8e55bee9e7d to your computer and use it in GitHub Desktop.
Save johnsimcall/bc0889055da7df861692a8e55bee9e7d to your computer and use it in GitHub Desktop.
Download ZIP
Setup a restrictive Squid proxy
Raw
Approved_Sites.txt
## /etc/squid/Approved_Sites.txt
# if you're installing OpenShift with vSphere integrations, put your vCenter FQDN/address in here too
# the OpenShift Machine API Operator will use the defined cluster proxy when creating Worker nodes/VMs
vcenter.example.com
# https://docs.openshift.com/container-platform/4.11/installing/install_config/configuring-firewall.html
# https://access.redhat.com/articles/3638561
.quay.io # allows cdn.quay.io
.redhat.io # allows registry.redhat.io
.redhat.com # allows sso.redhat.com for authentication
.openshift.com # allows `oc`, `openshift-install`, and .ISO images
# other helpful resources
.github.com # the OCP update graph and ACM's ClusterImageSets are pulled from here
registry.k8s.io # used by `nfs-subdir-external-provisioner`
.docker.io # may be helpful
Raw
squid.conf
## /etc/squid/squid.conf
# check that your workstation IP and the OpenShift Node IPs are allowed to use the proxy
# add them at the END of the "acl localnet src ..." section if they're not already allowed
acl localnet src 123.45.67.0/24
# only allow connections to approved sites
# add the lines below AFTER the "acl CONNECT method CONNECT" line in your config file
acl Approved_Sites dstdomain "/etc/squid/Approved_Sites.txt"
http_access deny !Approved_Sites
http_access allow Approved_Sites
@johnsimcall
Copy link
Author

Here are a few ways to use curl and podman/docker to confirm the proxy works:

curl always tricks me because it doesn't care about the upper-case HTTP_PROXY=... environment variable, but it will respect the lower-case http_proxy=... environment variable or command-line arguments. Here are a few ways to use curl to confirm your proxy is working.

curl --proxy-user username:password --proxy 192.168.0.99:3128 --head redhat.com
curl -U username:password -x 192.168.0.99:3128 -I redhat.com

export http_proxy=http://username:[email protected]:3128
curl -I redhat.com

podman/docker usually doesn't care about the HTTP_PROXY=... environment variable because it's usually pulling from an HTTPS location. So we have to export either HTTPS_PROXY=... or https_proxy=... instead. Ugh!

export HTTPS_PROXY=http://username:[email protected]:3128
podman pull registry.access.redhat.com/ubi8

export https_proxy=http://username:[email protected]:3128
podman pull registry.access.redhat.com/ubi8

I usually apply brute force like this to workaround these frustrating issues

export http_proxy=http://username:[email protected]:3128
export HTTP_PROXY=$http_proxy HTTPS_PROXY=$http_proxy https_proxy=$http_proxy
curl -I redhat.com
podman pull registry.access.redhat.com/ubi8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment