Skip to content

Http proxy in a zone

January 1, 2009

Now that the new crossbow networking stack is in OpenSolaris I have been able to configure a transparent proxy server for the Sun Ray users. By having a zone act as the only route from the internal network the internet all the http traffic can now go through the proxy and hence benefit from the cache and all in one box.

Now all traffic from the internal network gets a default router of the squid zone’s vnic0 from dhcp and the global zone routes via in internal network that I have called dmz0 to the squid zone. The internal network is not absolutley needed as the global zone could route via the internal network but some how that does not seem such a good set up. I have the naming of the vnics not quite the way I want it but that is really just cosmetic.

Here are the virtual nics:

: pearson FSS 3 $; pfexec dladm show-vnic         
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID 
vnic0        nge0         1000   2:8:20:b2:86:2       random              0 
sshnic0      rtls0        100    2:8:20:2c:d7:cf      random              0 
dmzpearson0  dmz0         0      2:8:20:ce:2e:43      random              0 
dmzsquid0    dmz0         0      2:8:20:20:a2:69      random              0 
: pearson FSS 4 $;

and this is the configuration for the zone:

: pearson FSS 8 $; pfexec zonecfg -z squid info net 
     address not specified 	
     physical: vnic0 	
     defrouter not specified 
     address not specified
     physical: rtls0
     defrouter not specified 
     address not specified
     physical: dmzsquid0
     defrouter not specified 
: pearson FSS 9 $;

Then in the zone I have ipfilter configured to handle the usual NAT and also to forward web traffic to the proxy:

: pearson FSS 10 $; pfexec zlogin squid cat /etc/ipf/ipnat.conf
# First the usual NAT entries to handle everything going out
map rtls0 -> map rtls0 ->
# These next two lines forward traffic to port 80 to the transparent
# web proxy that is running in this zone
rdr vnic0 port 80 -> port 3128 tcp
rdr dmzsquid0 port 80 -> port 3128 tcp
: pearson FSS 11 $;

Then remember to configure squid to accept the transparent proxy by adding the transparent line to the http_port option:

: pearson FSS 12 $; pfexec zlogin squid grep ^http_port /etc/squid/squid.conf
http_port 3128 transparent http_port 8080
: pearson FSS 13 $;

Finally I had to remember to use routeadm(1m) to turn on routing in the zone, which was the first time I had run that command. No more messing around with files in /etc just run “routeadm -u -e ipv4-forwarding” to enable it in the zone and I was done.

All in all the solution is pretty pleasing.


From → Solaris

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: