Develop

gcp/.gitattributes

@@ -0,0 +1 @@
+text eol=lf

gcp/config/config.tpl

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -x # Debug
+set -e # Strict exit codes
+
+echo "Applying system patches"
+apt-get update
+sudo apt-get upgrade -y
+ufw disable
+
+echo "disabling iptables manual configuration"
+echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
+echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
+
+echo "Installing Ops Agent"
+curl -sSO https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
+bash add-google-cloud-ops-agent-repo.sh --also-install
+
+echo "installing squid proxy server"
+apt-get update
+apt-get install squid3 libvirt-daemon-system apache2-utils iptables-persistent -y
+
+echo "configuring squid whitelists"
+
+echo "169.254.169.254 metadata.google.internal" >> /etc/hosts
+
+cat <<EOF > /etc/squid/dst_whitelist.txt
+${whitelist}
+EOF
+
+cat <<EOF > /etc/squid/src_whitelist.txt
+metadata.google.internal
+EOF
+
+echo "squid configuration"
+cat <<EOF > /etc/squid/squid.conf
+${squid_config}
+EOF
+
+echo "environment variables config"
+SQUID_SERVER="192.168.1.1"
+# Interface connected to Internet
+INTERNET="eth0"
+# Interface connected to LAN
+LAN_IN="eth1"
+# Squid port
+SQUID_PORT="3128"
+# Clean old firewall
+
+# echo "configuring iptables"
+# iptables -F
+# iptables -X
+# iptables -t nat -F
+# iptables -t nat -X
+# iptables -t mangle -F
+# iptables -t mangle -X
+# echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# echo  "Setting default filter policy"
+# iptables -P INPUT DROP
+# iptables -P OUTPUT ACCEPT
+# iptables -A INPUT -i lo -j ACCEPT
+# iptables -A OUTPUT -o lo -j ACCEPT
+# # Allow UDP, DNS and Passive FTP
+# iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
+# # set this system as a router for Rest of LAN
+# iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
+# iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
+# # unlimited access to LAN
+# iptables -A INPUT -i $LAN_IN -j ACCEPT
+# iptables -A OUTPUT -o $LAN_IN -j ACCEPT
+# # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
+# iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
+# iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
+# # DROP everything and Log it
+# iptables -A INPUT -j LOG
+# iptables -A INPUT -j DROP
+
+echo "restarting squid"
+service squid restart
+
+echo "saving iptables"
+/sbin/iptables-save
+
+echo "Configure Ops Agent log streams"
+# TODO
+
+echo "Healthcheck API"
+# TODO
+
+
+SQUID_SERVER="127.0.0.1"
+# Interface connected to Internet
+INTERNET="ens4"
+# Interface connected to LAN
+LAN_IN="lo"
+# Squid port
+SQUID_PORT="3128"
+# Clean old firewall
+systemctl start libvirtd
+
+
+echo "environment variables config"
+echo "Configure Ops Agent log streams"
+# TODO
+
+echo "Healthcheck API"
+# TODO
+

gcp/config/squid.tpl

@@ -0,0 +1,29 @@
+hosts_file /etc/hosts
+acl all src 0.0.0.0/0.0.0.0
+acl localhost src 127.0.0.1/255.255.255.255
+acl to_localhost dst 127.0.0.0/8
+acl CONNECT method CONNECT
+
+# connection to http, https and ssl
+acl Safe_ports port 80
+acl Safe_ports port 443
+acl SSL_ports port 22
+
+acl src_whitelist srcdomain "/etc/squid/src_whitelist.txt"
+acl dst_whitelist dstdomain "/etc/squid/dst_whitelist.txt"
+acl lan src ${cidr}
+acl my_phisical src 31.182.219.133
+
+http_access allow src_whitelist
+http_access allow dst_whitelist
+http_access allow CONNECT
+http_access deny CONNECT !SSL_ports
+http_access deny !Safe_ports
+
+http_access allow localhost
+http_access allow lan
+http_access allow my_phisical
+http_access deny all
+http_reply_access allow all
+http_port 3128 transparent
+coredump_dir /var/spool/squid

gcp/config/whitelist.txt

@@ -0,0 +1,2 @@
+metadata.google.internal
+www.google.com

gcp/ilb.tf

@@ -2,16 +2,14 @@
 resource "google_compute_forwarding_rule" "egress_filter_forwarding_rule" {
   name            = "egress-filter-forwarding-rule"
   backend_service = google_compute_region_backend_service.egress_filter_backend.id
-
   region = var.region
-
   ip_protocol           = "TCP"
   load_balancing_scheme = "INTERNAL"
   all_ports             = true
   allow_global_access   = true
-
-  network    = var.vpc_name
-  subnetwork = var.subnet_name
+  project               = var.project
+  network               = var.vpc_name
+  subnetwork            = var.subnet_name
 }
 
 # backend service
@@ -39,6 +37,6 @@ resource "google_compute_region_health_check" "egress_filter" {
   unhealthy_threshold = 10
 
   tcp_health_check {
-	port = 8080
+    port = 80
   }
 }

gcp/images.tf

@@ -5,8 +5,8 @@ data "packer_version" "version" {}
 data "packer_files" "packer_config_dir" {
   directory = "${path.module}/packer"
 }
-data "packer_files" "vm_config_files"{
-    directory = "${path.module}/config"
+data "packer_files" "vm_config_files" {
+  directory = "${path.module}/config"
 }
 
 
@@ -36,5 +36,6 @@ output "packer_version" {
 }
 
 output "image_id" {
-  value  = packer_image.solid_proxy_image.id
+  value = packer_image.solid_proxy_image.id
 }
+

gcp/main.tf

@@ -1,3 +1,27 @@
+
+data "google_compute_subnetwork" "subnet" {
+  name    = var.subnet_name
+  region  = var.region
+  project = var.project
+}
+data "template_file" "squid_config" {
+  template = file("${path.module}/config/squid.tpl")
+  vars = {
+    cidr = data.google_compute_subnetwork.subnet.ip_cidr_range
+  }
+}
+
+data "template_file" "startup_script" {
+  template = file("${path.module}/config/config.tpl")
+  vars = {
+    squid_config = data.template_file.squid_config.rendered
+    whitelist    = file("${path.module}/config/whitelist.txt")
+  }
+}
+output "startup_script" {
+  value = data.template_file.startup_script.rendered
+}
+
 resource "google_compute_instance_template" "egress_filter" {
   project      = var.project
   name_prefix  = "${local.prefix}egress-filter"
@@ -14,15 +38,15 @@ resource "google_compute_instance_template" "egress_filter" {
 
     auto_delete = false
 
-    source_image = "packer-1663596114"
+    source_image = "ubuntu-1804-bionic-arm64-v20221201"
     # TODO KMS support
     # disk_encryption_key {
     # }
   }
 
   network_interface {
     network    = var.vpc_name
-    subnetwork = var.subnet_name
+    subnetwork = data.google_compute_subnetwork.subnet.self_link
   }
 
   can_ip_forward = true
@@ -32,9 +56,7 @@ resource "google_compute_instance_template" "egress_filter" {
 
   metadata = {
     # TODO - base image from packer or with startup script
-    startup-script = templatefile("${path.module}/config/startup.sh", {
-
-    })
+    startup-script = data.template_file.startup_script.rendered
   }
 
   # TODO
@@ -60,13 +82,17 @@ resource "google_compute_region_instance_group_manager" "egress_filter" {
   name = "egress-filter-igm"
 
   base_instance_name = "egress-filter"
-  region = var.region
+  region             = var.region
 
-  target_pools = [ google_compute_target_pool.egress_filter.id ]
+  target_pools = [google_compute_target_pool.egress_filter.id]
 
   version {
     instance_template = google_compute_instance_template.egress_filter.id
   }
+  named_port {
+    name = "http"
+    port = 80
+  }
 }
 
 resource "google_compute_target_pool" "egress_filter" {
@@ -81,7 +107,7 @@ resource "google_compute_region_autoscaler" "egress_filter" {
   target = google_compute_region_instance_group_manager.egress_filter.id
 
   autoscaling_policy {
-    mode = var.autoscaling_mode
+    mode            = var.autoscaling_mode
     max_replicas    = var.autoscaling_max_replicas
     min_replicas    = var.autoscaling_min_replicas
     cooldown_period = var.autoscaling_cooldown_period
@@ -91,3 +117,4 @@ resource "google_compute_region_autoscaler" "egress_filter" {
     }
   }
 }
+