boonkeato/openshift-squid.md

## openshift-squid.md

      
    Raw
  

              openshift-squid.md
            
          
    boonkeato/openshift-squid:1.0


Introduction
Getting started

Installation
Quickstart
Command-line arguments
Configuration
Usage
Logs


Troubleshooting in Docker

Shell Access


Openshift

ConfigMap
Deployment Config
Service
How to add proxy server to your Java application on Openshift


Introduction

This project is modified from the popular sameersbn/docker-squid repo. While using the repo as is for my POC i faced issues with Openshift's Security Context Contraints (SCC) on my cluster which forces the POD to run into crashloop. This roadblock prompted me to modify the Dockerfile as well as the squid.conf to make it non-root user friendly.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Getting started

Installation

Unfortunately this docker image is not published in any docker registry. You will need to build the image yourself. The Dockerfile and other templates are available in the following repo:

Github repo: https://github.com/boonkeato/openshift-squid

docker build -t boonkeato/openshift-squid:1.0 .
Quickstart

Start Squid locally easily using Docker Compose:
docker-compose up
Reference template: docker-compose.yml
Command-line arguments

You can customize the launch command of the Squid server by specifying arguments to squid on the docker run command. For example the following command prints the help menu of squid command:
docker run --name openshift-squid -it --rm \
  --publish 3128:3128 \
  --volume compose-conf:/etc/squid \
  boonkeato/openshift-squid:1.0 -h
If you are using the docker-compose.yml, it mounts the compose-conf folder to etc/squid automatically
Configuration

Squid is a full featured caching proxy server and a large number of configuration parameters. To configure Squid as per your requirements mount your custom configuration at /etc/squid/squid.conf.
docker run --name squid -d --restart=always \
  --publish 3128:3128 \
  --volume /path/to/squid.conf:/etc/squid/squid.conf \
  boonkeato/openshift-squid:1.0
Alternatively, if you are using docker-compose.yml, the you can make the configuration changes in squid.conf which is located in the compose-conf folder
Usage

Configure your web browser network/connection settings to use the proxy server which is available at 172.17.0.1:3128
To use Squid in your Docker containers add the following line to your Dockerfile.
ENV http_proxy=http://172.17.0.1:3128 \
    https_proxy=http://172.17.0.1:3128 \
    ftp_proxy=http://172.17.0.1:3128
For Java applications, and if you are using Apache HTTPClient and ServiceWrapper's RestService, you can proxy your outbound connection through squid by introducing the following JAVA_OPTS
-Dhttp.proxyhost=<squid proxy ip>
-Dhttp.proxyport=3128
-Dhttps.proxyhost=<squid proxy ip>
-Dhttps.proxyport=3128 
Troubleshooting in Docker

Shell Access

For debugging and maintenance purposes you may want access the containers shell. There are 2 ways of invoking a shell for troubleshooting:
via Docker Compose

docker-compose run squid bash
via Docker run

docker run --rm -it 407 bash
Where 407 is the first 3 characters of image id
Openshift

boonkeato/openshift-squid docker image supports running on openshift as a non-root user. Please note that you will need to publish the docker image to appcanvas' docker registry in order for this to work.
ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: proxy-configmap
data:
  squid.conf: |-
    http_port 3128

    acl SSL_ports port 443
    acl CONNECT method CONNECT

    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow all

    coredump_dir /var/spool/squid
    pid_filename /var/run/squid/squid.pid
Reference: configmap.yml

Mounts the squid.conf into the /etc/squid folder within the container
If the https server you are connecting to does not run on port 443, you will need to include the port (8088 in the case below) in the configmap above as such:

acl SSL_ports port 443 8088


Important to note about pid_filename

/var/run is owned by root user and by default Squid will create squid.pid in this folder.
Since pods on openshift will not execute with root user, we need to change the pid_filename location to a directory we can write to. Otherwise we got permission error: /var/run/squid.pid: (13) Permission denied


Deployment Config

apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: squid
spec:
  replicas: 1
  selector:
    app: squid
  template:
    metadata:
      labels:
        app: squid
    spec:
      volumes:
        - name: proxy-config
          configMap:
            name: proxy-configmap
        - name: data
          emptyDir: {}
      containers:
        - name: squid
          image: boonkeato/openshift-squid:1.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3128
              protocol: TCP
          volumeMounts:
            - name: proxy-config
              mountPath: /etc/squid
            - name: data
              mountPath: /var/spool/squid
Reference: deploymentconfig.yml

In the example above, the image url is pointing at the boonkeato/openshift-squid:1.0. Update this accordingly

Service

apiVersion: v1
kind: Service
metadata:
  name: squid-proxy-svc
spec:
  ports:
    - port: 3128
      protocol: TCP
      targetPort: 3128
  selector:
    app: squid
Reference: service.yml
How to add proxy server to your Java application on Openshift

Assuming you are exposing JAVA_OPTS environment variable in your application, you can add proxy server settings by introducing the following system properties in JAVA_OPTS environment variable:

-Dhttp.proxyhost=squid-proxy-svc -Dhttp.proxyport=3128
-Dhttps.proxyhost=squid-proxy-svc -Dhttps.proxyport=3128