Network update part 4: Proxies
While segregating my network I ran into a few 'issues'; certain (mostly) LAN-only services required internet access to work! As a workaround I gave them internet access (temporarily) while I figured out how to best deal with the issue.
My main requirement was being able to restrict http/s traffic based on domain (not IP). Turns out, a lot of proxies have this functionality, and after looking around for a bit I opted for
- It's on the Debian repos
- It has low footprint
- It can do domain whitelisting
Plus, I needed to MITM SSL sites (for filtering) so I'm using
Deploying and configuring tinyproxy + stunnel
For deployment I simply added
to my ansible package list for the
host (this host also runs apt-cacher-ng and tcpproxy), which is in the DMZ.
User tinyproxy Group tinyproxy Port 8888 Timeout 600 DefaultErrorFile "/usr/share/tinyproxy/default.html" StatFile "/usr/share/tinyproxy/stats.html" Logfile "/var/log/tinyproxy/tinyproxy.log" LogLevel Info PidFile "/run/tinyproxy/tinyproxy.pid" MaxClients 100 MinSpareServers 5 MaxSpareServers 20 StartServers 10 MaxRequestsPerChild 0 Allow 127.0.0.1 ViaProxyName "tinyproxy" Filter "/etc/tinyproxy/filter" FilterURLs Off FilterExtended On FilterDefaultDeny Yes ConnectPort 443 ConnectPort 563
From the defaults I changed:
- Whitelist instead of Blacklist
- Enable proxy filtering
- Set the filtering to be based on domains instead of URLs
github.com java.sun.com maven.apache.org springframework.org #FIXME twitch letsencrypt
Create ssl cert
openssl genrsa -out host_files/proxies/key.pem 4096 openssl req -new -x509 -key host_files/proxies/key.pem -out host_files/proxies/cert.pem -days 1826
Setting HTTP proxy for other servers
I (unsuprisingly!) ran into some issues, even though in theory everything should be OK:
- Certain devices don't give a shit. Chromecast ignores the NTP server assigned by the DHCP server.
Madsonic (service I use to self host music) requires internet access to start (!!). They are downloading
xsdfiles from both
java.sun.com. Without these files, Madsonic refuses to start. After this issue I'll look for another music player.
I am currently having an issue routing from
rproxy(VLAN 20) to the physical server on it's untagged interface.
If I connect from
rproxy(20) to server(20) then it works fine (via the linux virtual bridge, never reaches the router)
- Otherwise packets are being dropped, even though the router sees them.
- If I connect from
NTP for chromecast:
DNAT wifi loc:192.168.2.1 udp 123
I just map any NTP request coming from
to my NTP server
Unable to route
I added IP for the physical server (VLAN 20) in
container, which makes it "work".
I left quite a lot of things with access to the internet, I'll write a follow up post detailing how I closed each one of them. For now the list is:
- Jenkins: ssh out, used to update git repos. http out: used by a Docker image to put images in S3.
- Madsonic (detailed above)
- Sonarr http out
- Twitch http out (this is a custom twitch broadcaster I wrote so I can watch the same stream all over the house)
- Router has full internet access (testing + repositories)
Grafana is trying to reach
grafana.com(http) looking for updates for plugins or somesuch.
- Pip is broken on all hosts!
Bookscannot connect to IRC anymore.
- For HTTP I'll use a simple proxy which will be in the DMZ (Also useful for pip).
For SSH I'll simply add a
tcpproxyinstance which will map 1:1.
I'll have to investigate the IRC protocol to proxy it (and DCC) which is core for my