This example repository deploys an intercepting Squid Proxy as an internet gateway, so that outbound traffic can be whitelisted by host name.
The default internet route directs internet traffic through the Squid Proxy, which intercepts it and allows or denies requests based on the destination host name.
- Internet route override

  ```hcl
  resource "google_compute_route" "example_gateway_internet" {
    project      = var.project_id
    name         = "${google_compute_network.example.name}-gateway-internet"
    dest_range   = "0.0.0.0/0"
    network      = google_compute_network.example.id
    next_hop_ilb = google_compute_forwarding_rule.gateway.id
    priority     = 900
  }
  ```
- HTTP/S traffic interception

  Allow traffic forwarding by Squid Proxy:

  ```hcl
  resource "google_compute_instance_template" "gateway" {
    project     = var.project_id
    region      = "europe-west1"
    name_prefix = "gateway-${random_id.id.hex}-"
    # NOTE: IpForwarding is required to intercept traffic
    can_ip_forward = true
    ...
  }
  ```

  Redirect traffic to Squid Proxy:

  ```sh
  # Connections from the load balancer address are not redirected
  iptables -t nat -A PREROUTING -s ${load_balancer_ip} -p tcp --dport 80 -j ACCEPT
  # All other plain HTTP goes to Squid's HTTP intercept port
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
  iptables -t nat -A POSTROUTING -j MASQUERADE
  # Refuse connections made directly to the intercept port; redirected packets
  # still carry dport 80 when the mangle table is evaluated
  iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

  # Same scheme for HTTPS, using Squid's HTTPS intercept port
  iptables -t nat -A PREROUTING -s ${load_balancer_ip} -p tcp --dport 443 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
  iptables -t nat -A POSTROUTING -j MASQUERADE
  iptables -t mangle -A PREROUTING -p tcp --dport 3130 -j DROP
  ```
- Whitelist specification

  ```
  xebia.com
  .google.com
  ```
- Whitelist enforcement

  ```
  # Plain HTTP arrives on the 3129 intercept port; match the destination host name
  acl http_proxy  myportname 3129
  acl http_allow  dstdomain "/etc/squid/allowlist.txt"
  # HTTPS arrives on the 3130 intercept port (the port iptables redirects 443 to);
  # the server name is only known after SslBump step 3 (SNI / certificate)
  acl https_proxy myportname 3130
  acl step3       at_step SslBump3
  acl ssl_allow   ssl::server_name "/etc/squid/allowlist.txt"
  http_access deny http_proxy !http_allow
  http_access deny step3 https_proxy !ssl_allow
  ```
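The two allowlist entries behave differently: Squid's `dstdomain` ACL (and `ssl::server_name`, which accepts the same patterns) treats a leading dot as "this domain and every subdomain", while a bare name matches that exact host only, so `www.xebia.com` is denied by the list above. The following Python matcher is an added example, not code from the repository; it reproduces that rule over a constructed copy of the allowlist so an entry's effect can be checked before deploying.

```python
"""Offline check of Squid dstdomain / ssl::server_name allowlist semantics.
Added example, not repository code. Rule: a bare name ("xebia.com") matches
that exact host; a dotted name (".google.com") matches it and all subdomains.
"""
from typing import Dict, Iterable, List

# Constructed sample with the same two entries as the page's allowlist.txt.
ALLOWLIST_TXT = """\
xebia.com
.google.com
"""


def parse_allowlist(text: str) -> List[str]:
    """Return lower-cased patterns; blank lines and '#' comments are skipped."""
    patterns = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            patterns.append(entry.rstrip("."))
    return patterns


def matches(pattern: str, host: str) -> bool:
    """True if `host` is covered by a single dstdomain-style `pattern`."""
    host = host.strip().lower().rstrip(".")
    if pattern.startswith("."):
        # ".google.com" covers "google.com" itself and any "*.google.com";
        # endswith() keeps the dot, so "notgoogle.com" is not matched.
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(host: str, patterns: Iterable[str]) -> bool:
    return any(matches(p, host) for p in patterns)


def classify(hosts: Iterable[str], text: str = ALLOWLIST_TXT) -> Dict[str, bool]:
    """Map each host name to the allow/deny decision the allowlist yields."""
    patterns = parse_allowlist(text)
    return {h: is_allowed(h, patterns) for h in hosts}


if __name__ == "__main__":
    probes = ["xebia.com", "www.xebia.com", "google.com",
              "mail.google.com", "notgoogle.com", "example.com"]
    for host, ok in classify(probes).items():
        print(f"{host:18s} {'allow' if ok else 'deny'}")
```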
Use Terraform to deploy the example setup.

- Set the required Terraform variables
- Deploy the example infrastructure

  ```sh
  cd terraform
  terraform init
  terraform apply
  ```
- Try it for yourself

  Log in to the client VM:

  ```sh
  gcloud compute ssh client --tunnel-through-iap --project <project_id>
  ```

  Browse a whitelisted web page:

  ```sh
  curl https://xebia.com/
  ```

  Browse a blacklisted web page:

  ```sh
  curl https://example.com/
  ```
Use Terraform to destroy the example setup.

- Set the required Terraform variables
- Destroy the example infrastructure

  ```sh
  cd terraform
  terraform init
  terraform destroy
  ```