[DRAFT] Network update part 4: Proxies
While segregating my network I ran into a few 'issues'; certain (mostly) LAN-only services required internet access to work! As a workaround I gave them internet access (temporarily) while I figured out how to best deal with the issue.
My main requirement was being able to restrict http/s traffic based on domain (not IP). Turns out, a lot of proxies have this functionality, and after looking around for a bit I opted for tinyproxy
because:
- It's on the Debian repos
- It has low footprint
- It can do domain whitelisting
Plus, I needed to MITM SSL sites (for filtering) so I'm using stunnel
.
Deploying and configuring tinyproxy + stunnel
For deployment I simply added tinyproxy
and stunnel
to my ansible package list for the proxies
host (this host also runs apt-cacher-ng and tcpproxy), which is in the DMZ.
Tinyproxy config
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
Filter "/etc/tinyproxy/filter"
FilterURLs Off
FilterExtended On
FilterDefaultDeny Yes
ConnectPort 443
ConnectPort 563
From the defaults I changed:
- Whitelist instead of Blacklist
- Enable proxy filtering
- Set the filtering to be based on domains instead of URLs
filter
file
github.com
java.sun.com
maven.apache.org
springframework.org
#FIXME
twitch
letsencrypt
Create ssl cert
openssl genrsa -out host_files/proxies/key.pem 4096
openssl req -new -x509 -key host_files/proxies/key.pem -out host_files/proxies/cert.pem -days 1826
Updating firewall
Setting HTTP proxy for other servers
I (unsuprisingly!) ran into some issues, even though in theory everything should be OK:
- Certain devices don't give a shit. Chromecast ignores the NTP server assigned by the DHCP server.
- Madsonic (service I use to self host music) requires internet access to start (!!). They are downloading
xsd
files from bothspringframework.org
,maven.apache.org
andjava.sun.com
. Without these files, Madsonic refuses to start. After this issue I'll look for another music player. - I am currently having an issue routing from
rproxy
(VLAN 20) to the physical server on it's untagged interface.- If I connect from
rproxy
(20) to server(20) then it works fine (via the linux virtual bridge, never reaches the router) - Otherwise packets are being dropped, even though the router sees them.
- If I connect from
"Fixes"
NTP for chromecast:
DNAT wifi loc:192.168.2.1 udp 123
I just map any NTP request coming from wifi
to my NTP server
Unable to route
I added IP for the physical server (VLAN 20) in /etc/hosts
for the rproxy
container, which makes it "work".
Pending issues
I left quite a lot of things with access to the internet, I'll write a follow up post detailing how I closed each one of them. For now the list is:
- Jenkins: ssh out, used to update git repos. http out: used by a Docker image to put images in S3.
- Madsonic (detailed above)
- Sonarr http out
- Twitch http out (this is a custom twitch broadcaster I wrote so I can watch the same stream all over the house)
- Router has full internet access (testing + repositories)
- Grafana is trying to reach
grafana.com
(http) looking for updates for plugins or somesuch. - Pip is broken on all hosts!
Books
cannot connect to IRC anymore.
Possible solutions
- For HTTP I'll use a simple proxy which will be in the DMZ (Also useful for pip).
- For SSH I'll simply add a
tcpproxy
instance which will map 1:1. - I'll have to investigate the IRC protocol to proxy it (and DCC) which is core for my
books
setup.