Follow the steps below to set up, configure, and test an HTTP or HTTPS proxy for PKS deployments running on NSX-T:
Set up the proxy
1. Install PKS 1.2 or greater and confirm that it is properly running on NSX-T.
2. Deploy a Squid proxy container on the Operations (Ops) Manager VM, as described in the following steps.
3. Log in to your Ops Manager VM.
4. Run the following commands to install Docker and apache2-utils:
sudo -i
apt update
apt install docker.io apache2-utils
5. Start the Docker daemon:
service docker start
6. Create a Squid directory:
mkdir -p /etc/squid
7. Create a /etc/squid/squid.conf file:
cat > /etc/squid/squid.conf <<'EOF'
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
visible_hostname bosh-proxy
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
EOF
8. Create an account that can access the proxy server. Enter the password to assign when prompted. Note down the proxy username and proxy password for later use in the PKS tile.
htpasswd -c /etc/squid/passwords SOME_PROXY_USER
9. Run the Squid Docker image:
docker run --name squid -d --restart=always --publish 3128:3128 --volume /etc/squid/squid.conf:/etc/squid/squid.conf --volume /etc/squid/passwords:/etc/squid/passwords --volume /srv/docker/squid/cache:/var/spool/squid sameersbn/squid:3.5.27
10. Note down the IP address of the VM where the Docker daemon is running for later use in the PKS tile.
`docker ps` will show output similar to:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b24bcb11bf0 sameersbn/squid:3.5.27 "/sbin/entrypoint.sh" 2 months ago Up 2 months 0.0.0.0:3128->3128/tcp squid
The VM will show the following process:
/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3128 -container-ip YOUR-CONTAINER-IP -container-port 3128
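Squid evaluates http_access lines top to bottom, and the first line whose ACLs all match decides. In the step 7 squid.conf, `http_access allow authenticated` comes before the Safe_ports, CONNECT and manager restrictions, so a client holding valid proxy credentials is allowed through to any port, including CONNECT tunnels to non-443 ports and the cache manager interface; the later `allow localnet` line never sees an unauthenticated request because the first line already triggers a 407 challenge. The following Python script is an added example, not part of the original article: it models first-match evaluation over the page's rule set and over a reordered set in which the restrictions precede the allow. The sample requests, the `proxyuser` name and the `evaluate()`/`compare()` helpers are constructed for this illustration, and the 407-challenge behaviour of a trailing proxy_auth ACL is modelled after Squid's documented behaviour, not taken from this page.

```python
"""Model Squid's first-match http_access evaluation over the rule set on this page."""
import ipaddress

# Port and source ACLs as defined in the page's squid.conf (localhost is Squid's built-in ACL).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = ipaddress.ip_network("10.0.0.0/8")
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")


def acl_matches(name, req):
    """Evaluate one named ACL (a leading '!' negates it) against a request dict."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "authenticated":      # proxy_auth REQUIRED: any valid login
        hit = req["user"] is not None
    elif name == "localnet":
        hit = ipaddress.ip_address(req["src"]) in LOCALNET
    elif name == "localhost":
        hit = ipaddress.ip_address(req["src"]) in LOCALHOST
    elif name == "manager":            # built-in ACL for cache manager URLs
        hit = req["url"].startswith("cache_object://") or "/squid-internal-mgr/" in req["url"]
    elif name == "Safe_ports":
        hit = req["port"] in SAFE_PORTS
    elif name == "SSL_ports":
        hit = req["port"] in SSL_PORTS
    elif name == "CONNECT":
        hit = req["method"] == "CONNECT"
    else:
        raise ValueError(f"unknown acl {name}")
    return hit != negate


def evaluate(rules, req):
    """Return the action of the first http_access line whose ACLs all match.

    Modelled assumption (after Squid's documented behaviour): when a proxy_auth ACL is
    the last ACL on a line and the request carries no credentials, the decision becomes
    a 407 challenge instead of falling through to later lines.
    """
    for action, acls in rules:
        for i, acl in enumerate(acls):
            if acl.lstrip("!") == "authenticated" and req["user"] is None and i == len(acls) - 1:
                return "challenge(407)"
            if not acl_matches(acl, req):
                break
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines exactly in the order the page's squid.conf uses them.
PAGE_RULES = [
    ("allow", ["authenticated"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Same ACLs, reordered so the port, CONNECT and manager restrictions apply to every
# client, authenticated or not; the unauthenticated 'localnet' allow is dropped.
HARDENED_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]


def request(src, method, port, url, user=None):
    return {"src": src, "method": method, "port": port, "url": url, "user": user}


# Constructed sample requests; 'proxyuser' stands in for the htpasswd account from step 8.
SAMPLES = {
    "auth https": request("10.0.1.5", "CONNECT", 443, "www.google.com:443", user="proxyuser"),
    "auth connect 22": request("10.0.1.5", "CONNECT", 22, "10.0.0.9:22", user="proxyuser"),
    "auth manager": request("10.0.1.5", "GET", 3128, "cache_object://localhost/info", user="proxyuser"),
    "unauth localnet": request("10.0.1.5", "GET", 80, "http://www.google.com/"),
    "unauth outside": request("192.168.7.7", "GET", 80, "http://www.google.com/"),
}


def compare():
    """Decision under the page's order vs. the hardened order, per sample request."""
    return {name: (evaluate(PAGE_RULES, r), evaluate(HARDENED_RULES, r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (page, hardened) in compare().items():
        print(f"{name:18} page={page:15} hardened={hardened}")
```

Running the script shows that the page's order allows an authenticated client to tunnel to port 22 and to fetch cache manager pages, while the reordered rules deny both and still challenge unauthenticated clients regardless of source network.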
Testing the proxy
1. Test HTTPS proxying with the following command; it should return an HTTP response:
$ https_proxy=http://<proxy-username>:<proxy-password>@<ip_address>:3128 curl -v https://www.google.com
2. Test HTTP proxying with the following command; it should return an HTTP response:
$ http_proxy=http://<proxy-username>:<proxy-password>@<ip_address>:3128 curl -v http://www.google.com
Configure your PKS on NSX-T Networking tile to use the proxy above
Refer to the section on using proxies with PKS on NSX-T in https://docs.pivotal.io/runtimes/pks/1-2/proxies.html to use the test proxy you just deployed.
The following are example values for PKS Tile > Settings > Networking > HTTP/HTTPS Proxy:
- HTTP Proxy URL: http://YOUR-CONTAINER-IP:3128
- HTTP Proxy Credentials: <values created from above>
- HTTPS Proxy URL: http://YOUR-CONTAINER-IP:3128
Troubleshooting the Squid proxy
You can list the Squid logs inside the Docker container by running the following command:
docker exec -it squid ls -latr /var/log/squid/
total 20
drwxr-xr-x 1 root root 4096 Jul 13 2018 ..
-rw-r----- 1 proxy proxy 0 Apr 1 20:59 store.log
drwxr-xr-x 1 proxy proxy 4096 Apr 1 20:59 .
-rw-r----- 1 proxy proxy 2453 Apr 1 21:00 cache.log
-rw-r----- 1 proxy proxy 113 Apr 1 21:00 access.log
To follow the access log, use the 'tail -f' command:
docker exec -it squid tail -f /var/log/squid/access.log
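The access.log followed above is written in Squid's native 'squid' format, selected by the `access_log /var/log/squid/access.log squid` line in step 7: timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, authenticated user (or '-'), hierarchy/peer, and content type. The following Python script is an added example, not part of the original article. It parses constructed sample lines in that format and reports two things worth checking during troubleshooting: CONNECT tunnels completed to ports other than 443 (which the Safe_ports and SSL_ports rules in step 7 are meant to block) and TCP_DENIED entries per client, since a run of 407s means the proxy is challenging and the PKS tile's credentials are not being accepted. The log lines, client addresses, and the `proxyuser` name are constructed.

```python
"""Parse Squid 'squid'-format access.log lines and summarise tunnels and denials."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in Squid's native log format:
# time.ms elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1554152400.101    312 10.0.1.5 TCP_TUNNEL/200 45872 CONNECT www.google.com:443 proxyuser HIER_DIRECT/172.217.6.36 -
1554152401.220      0 10.0.1.5 TCP_DENIED/407 3968 GET http://www.google.com/ - HIER_NONE/- text/html
1554152402.410    290 10.0.1.5 TCP_TUNNEL/200 1204 CONNECT 10.0.0.9:22 proxyuser HIER_DIRECT/10.0.0.9 -
1554152403.000      2 10.0.2.8 TCP_DENIED/403 3900 CONNECT 10.0.0.9:22 proxyuser HIER_NONE/- text/html
1554152404.512    140 10.0.1.5 TCP_MISS/200 8321 GET http://www.google.com/ proxyuser HIER_DIRECT/172.217.6.36 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, status = f[3].split("/", 1)
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,
        "status": int(status),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "user": None if f[7] == "-" else f[7],
        "hierarchy": f[8],
        "type": f[9],
    }


def tunnel_port(url):
    """CONNECT targets are logged as host:port; return the port, or None if absent."""
    _host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def review(log_text, allowed_tunnel_ports=(443,)):
    """Summarise completed tunnels to unexpected ports and denials per client."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    odd_tunnels = [
        (e["client"], e["user"], e["url"])
        for e in entries
        if e["method"] == "CONNECT" and e["status"] == 200
        and tunnel_port(e["url"]) not in allowed_tunnel_ports
    ]
    denials = Counter((e["client"], e["status"]) for e in entries if e["result"] == "TCP_DENIED")
    return {"entries": len(entries), "odd_tunnels": odd_tunnels, "denials": denials}


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    print(f"{summary['entries']} entries parsed")
    for client, user, url in summary["odd_tunnels"]:
        print(f"tunnel to non-443 port: client={client} user={user} target={url}")
    for (client, status), n in sorted(summary["denials"].items()):
        print(f"denied: client={client} status={status} count={n}")
```

To use it against the live container, pipe the log in instead of the constructed sample, for example `docker exec squid cat /var/log/squid/access.log | python3 squid_log_review.py` with `review(sys.stdin.read())` in place of `review(SAMPLE_LOG)`.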