# Web proxy setup on NP04

###### tags: `sysadmin` `DAQ` `DUNE-DAQ`

NP04 servers do not have public internet access. This is inconvenient for developers when cloning Git repos, obtaining a Kerberos ticket in the FNAL.GOV realm, copying files from servers at Fermilab, etc. To reach offsite locations outside of CERN, a web proxy provided by Squid is set up on `np04-web-proxy.cern.ch`. This is a virtual machine on the CERN OpenStack platform, previously running CentOS 8 and now CentOS Stream 8.

An nginx reverse proxy pointing to Fermilab's KDC is also set up on this VM, so developers can obtain a Kerberos ticket on the NP04 clusters.

## Squid proxy

* The following configuration file is used for this web proxy service. Installation is as simple as `dnf install -y squid`, followed by modifying the configuration file and using `systemctl` to enable and start the service.

```shell=
[root@np04-web-proxy ~]# cat /etc/squid/squid.conf
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl SSL_ports port 9443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT

acl allowed_ips src 10.73.138.0/24
acl allowed_ips src 10.73.136.0/24

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow allowed_ips
http_access deny all

#http_port 0.0.0.0:3128
http_port 3128
#http_port 3128 ssl-bump \
#  cert=/etc/squid/certs/squid-ca-cert-key.pem \
#  generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
#https_port 3129 intercept ssl-bump \
#  cert=/etc/squid/certs/squid-ca-cert-key.pem \
#  generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
#sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB
#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all
#ssl_bump splice all

coredump_dir /var/spool/squid

refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
```

* I turned on SSL encryption initially with `ssl-bump`, but that was later dropped as it was troublesome and somewhat unnecessary.

* Once the proxy service is running, source `~np04daq/bin/web_proxu.sh` or set the following environment variables to use it.

```shell=
export HTTP_PROXY=http://np04-web-proxy.cern.ch:3128
export HTTPS_PROXY=http://np04-web-proxy.cern.ch:3128
export NO_PROXY=".cern.ch"
export http_proxy=http://np04-web-proxy.cern.ch:3128
export https_proxy=http://np04-web-proxy.cern.ch:3128
export no_proxy=".cern.ch"
```

## Nginx reverse proxy

* Installation steps are similar to those for `squid`. The configuration file needs the following modification: add the lines below to the end of `/etc/nginx/nginx.conf`, then use `systemctl` to enable and start the service. Every directive inside a `server` block must end with a semicolon, otherwise nginx refuses to load the configuration. Without the `udp` parameter on `listen`, these stream servers forward TCP only.

```shell=
stream {
    error_log /var/log/nginx/stream_error.log debug;

    server {
        listen 88;
        proxy_pass krb-fnal-2.fnal.gov:88;
    }

    server {
        listen 749;
        proxy_pass krb-fnal-admin.fnal.gov:749;
    }
}
```

* Once the reverse proxy is running, modify `krb5.conf` to take advantage of it. In the `FNAL.GOV` realm section, set the values of `admin_server` and `kdc` to the reverse proxy server and port. Since the proxy carries TCP only, adding `udp_preference_limit = 1` under `[libdefaults]` makes the Kerberos client use TCP from the start instead of trying UDP first.

```shell=
FNAL.GOV = {
    default_domain = fnal.gov
    admin_server = np04-web-proxy.cern.ch:749
    kdc = np04-web-proxy.cern.ch:88
}
```
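To see what the `http_access` list in the Squid configuration above actually permits, the following added example (not code from this page or from Squid) models Squid's first-match evaluation over the page's own ACLs: lines are checked top to bottom, a line applies when all of its ACLs match, and `!` negates an ACL. The `manager` ACL is approximated here as a request path under `/squid-internal-mgr/`, and the sample source addresses and ports are constructed. It also checks a point worth knowing when reviewing this policy: both `allowed_ips` ranges lie inside `localnet` (10.0.0.0/8), so `http_access allow allowed_ips` is never reached and the effective rule is "any RFC 1918, ULA or link-local source may use the proxy". Which sources can reach port 3128 on the VM is therefore decided by the OpenStack security group and host firewall rather than by this ACL.

```python
"""Model of the http_access evaluation for the squid.conf shown on the page.

Added example; not part of the NP04 page and not Squid code.  ACL contents
are transcribed from the page; sample requests are constructed.
"""
import ipaddress

# Source-address ACLs from the page (localhost is Squid's built-in ACL).
SRC_ACLS = {
    "localnet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "fc00::/7", "fe80::/10"],
    "allowed_ips": ["10.73.138.0/24", "10.73.136.0/24"],
    "localhost": ["127.0.0.1/32", "::1/128"],
}
SSL_PORTS = {443, 9443}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

# http_access lines in the page's order: (action, ACL terms; '!' = negated).
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["allowed_ips"]),
    ("deny",  ["all"]),
]


def acl_matches(name, src, port, method, path):
    """Does the named ACL match this request? (assumed model of each ACL type)"""
    if name == "all":
        return True
    if name == "Safe_ports":
        return port in SAFE_PORTS
    if name == "SSL_ports":
        return port in SSL_PORTS
    if name == "CONNECT":
        return method == "CONNECT"
    if name == "manager":  # cache-manager requests, approximated by URL path
        return path.startswith("/squid-internal-mgr/")
    if name in SRC_ACLS:
        addr = ipaddress.ip_address(src)
        # 'in' returns False for a v4 address against a v6 network and vice versa.
        return any(addr in ipaddress.ip_network(n) for n in SRC_ACLS[name])
    raise KeyError(f"unknown ACL {name}")


def evaluate(src, port, method="GET", path="/"):
    """Return (action, rule_index) of the first http_access line that applies."""
    for index, (action, terms) in enumerate(HTTP_ACCESS):
        applies = True
        for term in terms:
            negated = term.startswith("!")
            matched = acl_matches(term.lstrip("!"), src, port, method, path)
            if matched == negated:      # term fails: (match & negated) or (no match & plain)
                applies = False
                break
        if applies:
            return action, index
    return "deny", -1  # unreachable here because the last line is 'deny all'


def allowed_ips_shadowed_by_localnet():
    """True when every allowed_ips network is contained in some localnet network,
    i.e. the 'allow allowed_ips' line can never be the first match."""
    localnets = [ipaddress.ip_network(n) for n in SRC_ACLS["localnet"]]
    return all(
        any(ipaddress.ip_network(a).version == ln.version
            and ipaddress.ip_network(a).subnet_of(ln) for ln in localnets)
        for a in SRC_ACLS["allowed_ips"]
    )


if __name__ == "__main__":
    samples = [
        ("10.73.138.20", 443, "CONNECT", "/"),   # HTTPS via CONNECT from NP04 range
        ("10.73.138.20", 8443, "CONNECT", "/"),  # CONNECT to a non-SSL port
        ("10.73.138.20", 22, "GET", "/"),        # unsafe port
        ("192.168.1.5", 80, "GET", "/"),         # any RFC1918 host
        ("8.8.8.8", 80, "GET", "/"),             # public source
        ("10.73.136.1", 3128, "GET", "/squid-internal-mgr/info"),
    ]
    for src, port, method, path in samples:
        action, rule = evaluate(src, port, method, path)
        print(f"{method:7} {src:>14}:{port:<5} -> {action} (line {rule})")
    print("allowed_ips shadowed by localnet:", allowed_ips_shadowed_by_localnet())
```

The deny lines for unsafe ports and for `CONNECT` to non-SSL ports come first, so they apply regardless of source; after that, the first source-based line that matches an NP04 host is `allow localnet`.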
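The `NO_PROXY`/`no_proxy` value in the environment setup above decides which hosts skip the proxy, and the matching rule is a frequent source of confusion. The following added example (not from the page) implements the rule most clients use (curl, Git, Python's urllib): a host bypasses the proxy when it equals an entry or ends with the entry as a domain suffix, leading dot ignored, `*` meaning bypass everything. The proxy URL and the `.cern.ch` entry are the page's; the sample hostnames are constructed. One consequence it shows is that a bare short name such as `np04-srv-009` does not match `.cern.ch` and would be sent to the proxy, so fully qualified names should be used for on-site hosts.

```python
"""no_proxy matching as applied to the NP04 proxy environment variables.

Added example; not code from the NP04 page.  Implements the common client
rule for NO_PROXY entries; sample hostnames are constructed.
"""

PROXY = "http://np04-web-proxy.cern.ch:3128"   # from the page's environment setup
NO_PROXY = ".cern.ch"                           # from the page's environment setup


def _normalise_host(host):
    """Lower-case, drop a trailing dot and a ':port' suffix (IPv4/hostnames only)."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # 'host:port'; bracketed IPv6 is not handled here
        host = host.split(":", 1)[0]
    return host


def bypasses_proxy(host, no_proxy=NO_PROXY):
    """True if the host should be contacted directly rather than via the proxy."""
    host = _normalise_host(host)
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        suffix = entry.lstrip(".")     # '.cern.ch' and 'cern.ch' behave the same
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def proxy_for(host, no_proxy=NO_PROXY):
    """Proxy URL to use for this host, or None for a direct connection."""
    return None if bypasses_proxy(host, no_proxy) else PROXY


if __name__ == "__main__":
    for name in ["github.com", "gitlab.cern.ch", "np04-srv-009", "np04-srv-009.cern.ch",
                 "notcern.ch", "GitLab.CERN.CH:443"]:
        print(f"{name:24} -> {proxy_for(name) or 'direct'}")
```

Setting both the upper- and lower-case variables, as the page does, matters because different tools read different spellings; the matching rule above is the same for both.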