Introduction
This page describes how to configure HTTPS traffic via a proxy without authentication on a CentOS 7 virtual machine.
Many organizations route their internet traffic via a proxy rather than allowing a direct connection from a virtual machine.
Solution
Proxy Server Secure Communication
To enable secure communication between your Proxy server and Votiro's Positive Selection® Engine, set permissions by creating an ACL that includes the following locations:
- *.prod.votiro.com
- *.blob.core.windows.net
Proxy Server Information
Before you start the procedure, determine the following information:
1. The IP address of your Proxy server.
2. The Port number of the Proxy server used for HTTPS traffic.
3. The list of addresses/networks to bypass in the no_proxy setting.
IMPORTANT!
By default, all HTTPS traffic is routed to the proxy. This default must be avoided because HTTPS is also used for internal cluster traffic, which must not be routed to the internet.
By default, when the cluster is initialized, several networks are created.
First node:
172.17.0.1/16 docker0
10.244.0.0/32 flannel
10.244.0.1/24 cni0
The flannel and cni networks will also be created on the second and third nodes, using different IPs in their subnet.
Second node:
10.244.1.0/32
10.244.1.1/24
Third node:
10.244.2.0/32
10.244.2.1/24
Note
All of the above networks and IP addresses will be used for internal purposes, and will need to bypass the proxy.
Procedure
Before you begin, ensure the proxy server permissions have been set on the required locations and you have gathered the required proxy server information.
To set and configure your three nodes, follow these steps:
1. SSH to the first node in the cluster.
2. Modify the hosts file using the following command:
vi /etc/hosts
This step is mandatory because the no_proxy parameter does not allow the use of wildcards.
3. Add the following records:
172.17.0.1/16 docker
10.244.0.0 flannel
10.244.0.1/24 node0net
10.244.1.1/24 node1net
10.244.2.1/24 node2net
4. Route HTTPS traffic via the Proxy so that the Linux OS layer is covered, by adding the following proxy settings:
a. Enter edit mode for /etc/environment, using the following command:
vi /etc/environment
b. Add the following data:
https_proxy=http://{Proxy-Server-IP}:{Proxy Port}
no_proxy={cluster name},{node#X IP},localhost, docker,cni,flannel,node0net,node1net,node2net, 10.244.0.0,10.244.1.0,10.244.2.0
For example:
https_proxy=http://10.130.1.168:3128
no_proxy=support-va,10.130.1.163,localhost, docker,cni,flannel, node0net,node1net,node2net, 10.244.0.0,10.244.1.0,10.244.2.0
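A no_proxy list only exempts a destination that matches an entry exactly (a bare name or a literal IP) or as a domain suffix; there is no wildcard or range matching, which is the limitation the /etc/hosts records in step 3 work around. The checker below is an added example, not part of the original article: it applies those classic matching rules (exact match or dot-suffix match, as CentOS 7 era clients such as curl and Python's urllib do) to the page's example no_proxy value and reports which internal destinations would still be sent to the proxy. The destination list is constructed for the example; 10.244.1.7 is a hypothetical address inside the second node's cni0 network.

```python
"""Audit which destinations a no_proxy value actually exempts from the proxy.

Matching rules assumed here (the classic ones): an entry exempts a host
when it equals the host exactly, or when the host ends with "." + entry.
No wildcards and no CIDR ranges are understood.
"""
from typing import List


def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """Return True if HOST is sent directly (no proxy) under NO_PROXY."""
    host = host.lower().rstrip(".")
    if no_proxy.strip() == "*":
        return True
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")  # tolerate ", docker" and ".example.com"
        if not entry:
            continue
        # Exact match covers bare names (node1net) and literal IPs (10.244.0.0).
        if host == entry:
            return True
        # A domain-style entry also exempts every name beneath it.
        if host.endswith("." + entry):
            return True
    return False  # everything else goes to https_proxy


def leaked_to_proxy(no_proxy: str, internal_hosts: List[str]) -> List[str]:
    """Return the internal destinations that would still be sent to the proxy."""
    return [h for h in internal_hosts if not bypasses_proxy(h, no_proxy)]


# The no_proxy value from the page's /etc/environment example.
PAGE_NO_PROXY = ("support-va,10.130.1.163,localhost, docker,cni,flannel, "
                 "node0net,node1net,node2net, 10.244.0.0,10.244.1.0,10.244.2.0")

# Constructed sample destinations: names from /etc/hosts, a network base
# address, a hypothetical address inside 10.244.1.0/24, and the docker0 gateway.
INTERNAL_HOSTS = ["localhost", "support-va", "node1net", "10.244.0.0",
                  "10.244.1.7", "172.17.0.1"]

if __name__ == "__main__":
    for h in INTERNAL_HOSTS:
        route = "direct" if bypasses_proxy(h, PAGE_NO_PROXY) else "via proxy"
        print(f"{h:>14}: {route}")
    print("still sent to proxy:", leaked_to_proxy(PAGE_NO_PROXY, INTERNAL_HOSTS))
```

The base address 10.244.0.0 is exempted only because it appears literally; an address inside the same /24 is not, so only traffic addressed by the /etc/hosts names is guaranteed to bypass the proxy.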
5. Create proxy settings for the Docker layer, using the following command:
mkdir /usr/lib/systemd/system/docker.service.d
6. Create a new drop-in file, using the following command:
vi /usr/lib/systemd/system/docker.service.d/http-proxy.conf
7. Add the following data:
[Service]
#Environment="HTTP_PROXY=http://10.130.1.168:3128/"
Environment="HTTPS_PROXY=http://10.130.1.168:3128/"
Environment="NO_PROXY= hostname.example.com,172.10.10.10"
8. Reload and restart the node, using the following commands:
sudo systemctl daemon-reload
sudo systemctl restart docker
9. Once the node is reloaded, check that the settings were successfully applied, using the following command:
sudo systemctl show --property=Environment docker
You should receive the following output:
Environment=HTTPS_PROXY=http://10.130.1.168:3128/ NO_PROXY= hostname.example.com,172.10.10.10
IMPORTANT!
Repeat Steps 1 to 9 above for the other two nodes.