How to: Configure DynaCenter to Access the AWS Infrastructure Through a Squid Proxy Server
Reference Number: AA-00400 Views: 1109 Created: 10-27-2016 13:56 Last Updated: 10-27-2016 13:56

Applies To:

DynaCenter 6.0 and later

Background:

When migrating servers, DynaCenter needs access to the AWS infrastructure, such as the EC2 endpoints.

In some environments, network traffic to the internet must go through a proxy, even for ports 80 and 443. In these situations, you can configure the DynaCenter instance to point to a “parent” proxy that can access the AWS infrastructure.

This article describes how to configure a DynaCenter instance to route traffic to a Squid parent proxy server that has access to the internet.

More Information:

Feature: Linking Squid into a Cache Hierarchy

Using Squid Proxy Instances for Web Service Access in Amazon VPC: An Example

Using Squid Proxy Instances for Web Service Access in Amazon VPC: Another Example with AWS CodeDeploy and Amazon CloudWatch

Using IPTables

Resolution:

Prerequisites

•  One or more Squid proxy instances that have outbound access to the internet
•  A security group that allows communication between the DynaCenter instance and the parent Squid proxy server over port 3128

Installing and Configuring Squid on the DynaCenter Instance

1.  On the DynaCenter instance, update /etc/yum.conf with the URL and port of the parent proxy or of the Elastic Load Balancer (ELB) in front of a Squid proxy farm, by adding the following line:

proxy=http://<PROXY_PARENT>:<PROXY_PARENT_PORT>

Example:

proxy=http://internal-SF-ElasticLoad.us-east-1.elb.amazonaws.com:3128

2.  Confirm that the proxy works before proceeding by retrieving the headers from an Amazon web page:

curl -I --proxy <PROXY_PARENT>:<PROXY_PARENT_PORT> http://calculator.s3.amazonaws.com/index.html

If this test does not work, verify that the DynaCenter instance has access to the Squid instance on port 3128.

3.  Type the following command to install Squid:

sudo yum -y install squid34

4.  Type the following commands to create an SSL certificate for Squid:

sudo mkdir /etc/squid/ssl
cd /etc/squid/ssl
sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
sudo sh -c 'cat squid.key squid.crt > squid.pem'

Note: The redirection must run inside sudo. A plain "sudo cat squid.key squid.crt > squid.pem" opens squid.pem as the unprivileged user and fails with "Permission denied" in this root-owned directory.

5.  Create an /etc/squid/squid.conf file with the following contents, replacing PROXY_PARENT and PROXY_PARENT_PORT with the appropriate values for your environment:

visible_hostname squid-gateway
http_port 3128
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
http_access allow all
cache_peer <PROXY_PARENT> parent <PROXY_PARENT_PORT> 0 default
never_direct allow all
ssl_bump none all

Note: The cache_peer entry can point either to an Elastic Load Balancer (ELB) in front of a Squid proxy farm or directly to an instance on which Squid is configured.

6.  Start Squid and set it to start automatically on boot up:

sudo service squid restart
sudo chkconfig squid on

Configuring Iptables on the DynaCenter Instance

1.  Configure iptables as follows to redirect traffic on ports 443 and 80 to the Squid proxy server or to the ELB in front of a proxy farm:

sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 -j RETURN
sudo iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254 -j RETURN
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3129
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-port 3130
sudo service iptables save

Note: You can add additional rules to accommodate your network environment.

2.  Start iptables and set it to start automatically on boot up:

sudo chkconfig iptables on
sudo service iptables start