Enforce PROXY protocol in filtering-proxy-psc blueprint (#968)

GoogleCloudPlatform · Nov 15, 2022 · bcffb67 · bcffb67
1 parent aa69ef4
commit bcffb67
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 6 deletions.
diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/filtering-proxy-psc/main.tf
@@ -98,7 +98,7 @@ resource "google_compute_service_attachment" "service_attachment" {
   name                  = "psc"
   project               = module.project.project_id
   region                = var.region
-  enable_proxy_protocol = false
+  enable_proxy_protocol = true
   connection_preference = "ACCEPT_MANUAL"
   nat_subnets           = [module.vpc.subnets_psc["${var.region}/psc"].self_link]
   target_service        = module.squid-ilb.forwarding_rule_self_link
@@ -125,9 +125,13 @@ module "service-account-squid" {
 }
 
 module "cos-squid" {
-  source  = "../../../modules/cloud-config-container/squid"
-  allow   = var.allowed_domains
-  clients = [var.cidrs.psc]
+  source       = "../../../modules/cloud-config-container/squid"
+  allow        = var.allowed_domains
+  clients      = [var.cidrs.app]
+  squid_config = "${path.module}/squid.conf"
+  config_variables = {
+    psc_cidr = var.cidrs.psc
+  }
 }
 
 module "squid-vm" {
@@ -174,7 +178,8 @@ module "squid-mig" {
   health_check_config = {
     enable_logging = true
     tcp = {
-      port = 3128
+      port         = 3128
+      proxy_header = "PROXY_V1"
     }
   }
   update_policy = {
@@ -204,7 +209,8 @@ module "squid-ilb" {
   health_check_config = {
     enable_logging = true
     tcp = {
-      port = 3128
+      port         = 3128
+      proxy_header = "PROXY_V1"
     }
   }
 }
diff --git a/blueprints/networking/filtering-proxy-psc/squid.conf b/blueprints/networking/filtering-proxy-psc/squid.conf
@@ -0,0 +1,52 @@
+# bind to port 3128 and require PROXY protocol
+http_port 0.0.0.0:3128 require-proxy-header
+
+# only proxy, don't cache
+cache deny all
+
+acl ssl_ports port 443
+acl safe_ports port 80
+acl safe_ports port 443
+acl CONNECT method CONNECT
+acl to_metadata dst 169.254.169.254
+acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
+acl psc src ${psc_cidr}
+
+# read client CIDR ranges from clients.txt
+acl clients src "/etc/squid/clients.txt"
+
+# read allowed domains from allowlist.txt
+acl allowlist dstdomain "/etc/squid/allowlist.txt"
+
+# read denied domains from denylist.txt
+acl denylist dstdomain "/etc/squid/denylist.txt"
+
+# allow PROXY protocol from the PSC subnet
+proxy_protocol_access allow psc
+
+# allow PROXY protocol from the LB health checks
+proxy_protocol_access allow from_healthchecks
+
+# deny access to anything other than ports 80 and 443
+http_access deny !safe_ports
+
+# deny CONNECT if connection is not using ssl
+http_access deny CONNECT !ssl_ports
+
+# deny acccess to cachemgr
+http_access deny manager
+
+# deny access to localhost through the proxy
+http_access deny to_localhost
+
+# deny access to the local metadata server through the proxy
+http_access deny to_metadata
+
+# deny connection from allowed clients to any denied domains
+http_access deny clients denylist
+
+# allow connection from allowed clients only to the allowed domains
+http_access allow clients allowlist
+
+# deny everything else
+http_access ${default_action} all