This is the fourth day of my participation in the August Text Challenge.

Those of you who have worked in O&M services will know this from experience: when you provide O&M support to government bodies, large enterprises and public institutions, their servers are usually under strict security management, and Internet access in particular is restricted. This makes operation and maintenance work considerably less convenient.

For example, the server may need to reach GitHub, or a Yum repository, to install software. Without that access, installing software takes a great deal of time and effort.

Faced with this, is there a technical way to obtain the required network access while staying compliant?

There is. First, look at the overall idea below.

The overall idea

Setting technology aside for a moment, consider a similar situation from everyday life:

A healthy person can go out and take care of everything related to food, clothing, housing and transport. If that person falls ill and is confined to a bed, a ward or a hospital, they are no longer free to move beyond that space. Yet sometimes something must be done outside it. What then?

The answer is simple: entrust it to someone who is healthy and free to move about.

Can this delegation mechanism solve the problem of a private cloud server that needs to reach the Internet?

It can. Computing has a mature mechanism for exactly this, the proxy service, and it is one of the standard practices for this scenario: the private cloud server, which cannot reach the Internet itself, hands its requests to a proxy running on a host that can.

In our case, the goal is reached in three steps:

  1. Compliance
  2. Setting up the proxy service (public cloud server)
  3. Setting up the local proxy (private cloud server)

Compliance

Before using a proxy service you must first make sure it is compliant: it must conform to your organisation's network management rules and to the relevant national laws and regulations. A proxy is an egress path that bypasses the organisation's normal perimeter controls, so it must never be set up quietly.

  1. Apply to the network administrator, stating the reason for using the proxy service and its scope (which hosts, which destinations), and obtain approval
  2. Review carefully what will be accessed through the proxy to ensure it complies with national network laws and regulations

The country has strict legal requirements for accessing overseas networks. Make sure you are fully compliant.

Proxy service setup

Because of compliance controls there is no ready-made proxy service you can buy on the market, so you need to set one up yourself.

The specific steps are as follows:

  1. Purchase a cloud server with normal Internet access (referred to below as the "public cloud server")

    A minimal configuration is enough (for example 1 core, 1 GB memory, 100 Mbps bandwidth billed by traffic)

  2. Log in to the cloud server using SSH and run the following commands to set up the basic environment (Docker and docker-compose)

    # download Docker's install script to a file first, so it can be inspected before it runs as root
    curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh
    sudo curl -L "https://github.com/docker/compose/releases/download/1.29.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose
    sudo ln -sf /usr/local/bin/docker-compose /usr/bin
    sudo systemctl start docker
  3. Run the following command on the public cloud server to download the tinyproxy deployment files

    git clone --depth=1 https://github.com/Websoft9/docker-tinyproxy
  4. In the software directory, modify the following two parameters in the .env_all file as required, then bring the service up with docker-compose from that directory (see the repository's README for the exact command)

    BINDIP=35.129.77.19   # whitelist IP
    APP_PORT=9094         # proxy port

    BINDIP is the public IP address of your private cloud server, i.e. the client that is allowed (whitelisted) to use the proxy. Only a host on this whitelist can use the proxy service; any other host is refused. Do not leave the whitelist empty or open: a proxy that relays requests for anyone is an open proxy and will be found and abused within hours.

  5. In the cloud provider's console (security group or firewall), open the port specified by APP_PORT, for example TCP 9094. Restrict the rule's source to the private cloud server's public IP rather than 0.0.0.0/0, so that the whitelist inside tinyproxy is not the only thing standing between the Internet and your proxy

  6. From a browser on your local PC (which is not on the whitelist), visit http://<public cloud server IP>:9094. If the following page is displayed, the proxy server is up and the whitelist is being enforced:

    Access denied
    The administrator of this proxy has not configured it to service requests from your host.
    Generated by tinyproxy version 1.10.0.

Setting up the local proxy

Next we set up the proxy on the private cloud server. It can be set globally for the Linux system through environment variables, or per application (most mature software supports its own proxy setting).

In what follows, assume the proxy server's IP address is 111.99.190.142 and its port is 9094.

Global proxy

  1. Log in to the private cloud server and create the proxy profile

    touch /etc/profile.d/proxy.sh
  2. Put the following into proxy.sh and change the proxy address as required

    # tinyproxy is a plain HTTP proxy, so the scheme is http:// for all three variables
    export proxy="http://111.99.190.142:9094"
    export http_proxy=$proxy
    export https_proxy=$proxy
    export ftp_proxy=$proxy
    # comma-separated, no spaces; addresses listed here bypass the proxy
    export no_proxy="localhost,127.0.0.1,::1"

  3. Save the file and log out and back in (or run: source /etc/profile.d/proxy.sh) for the proxy to take effect. These variables only reach login shells and the programs started from them; a daemon started by systemd, such as Docker, does not see them and must be configured separately, as shown below

Per-application proxy

You can also set the proxy for specific software only. Git, Docker and Yum are used as examples.

Git

Run the following command over SSH (change the IP address and port of the proxy service as required). Git's http.proxy setting applies to both http:// and https:// remotes, and it overrides the http_proxy/https_proxy environment variables:

    git config --global http.proxy http://111.99.190.142:9094

Docker

Image pulls are performed by the dockerd daemon, which does not read the shell's environment variables, so the proxy has to be set in the daemon's systemd unit. Rather than editing /etc/systemd/system/docker.service itself (which normally does not exist; the packaged unit lives under /lib/systemd/system and editing the unit file directly is undone by the next package upgrade), put a drop-in at /etc/systemd/system/docker.service.d/http-proxy.conf:

    [Service]
    Environment="HTTP_PROXY=http://111.99.190.142:9094"
    Environment="HTTPS_PROXY=http://111.99.190.142:9094"
    Environment="NO_PROXY=localhost,127.0.0.1"

The change takes effect after systemd reloads its unit files (systemctl daemon-reload) and the Docker service is restarted.

Yum

Edit /etc/yum.conf and add the following line in the [main] section (change the IP and port of the proxy service as required). Yum needs the scheme in the proxy URL:

    [main]
    proxy=http://111.99.190.142:9094

On systems that use dnf, the same line goes into /etc/dnf/dnf.conf.
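The global and per-application settings above, consolidated into one script that writes all of them from a single proxy address so the four places cannot drift apart. This is an added example for this article, not code from the original page or from Websoft9. It assumes the article's example address 111.99.190.142:9094 (overridable through the assumed PROXY_HOST and PROXY_PORT variables), the standard file locations (/etc/profile.d, ~/.gitconfig, Docker's documented drop-in directory /etc/systemd/system/docker.service.d, /etc/yum.conf), and an assumed ROOT prefix variable so the whole thing can be dry-run into a scratch directory. It goes slightly beyond the text in two ways: the Yum edit is idempotent (an existing proxy= line is replaced rather than duplicated), and a verify function checks from the private cloud server that the proxy actually relays for it; the verify target http://github.com/ is also an assumption.

```shell
#!/bin/sh
# Added example (not Websoft9's code): apply one proxy address to the shell
# environment, Git, Docker and Yum on the private cloud server.
# PROXY_HOST / PROXY_PORT / ROOT are assumed variable names; ROOT is a prefix
# for dry runs (ROOT=/tmp/dryrun), leave it empty to write the real files.
set -eu

PROXY_HOST="${PROXY_HOST:-111.99.190.142}"
PROXY_PORT="${PROXY_PORT:-9094}"
ROOT="${ROOT:-}"
NO_PROXY_LIST="localhost,127.0.0.1,::1"   # comma-separated, no spaces

# tinyproxy is a plain HTTP proxy, so the URL is http:// even for HTTPS traffic
proxy_url() {
    printf 'http://%s:%s' "$PROXY_HOST" "$PROXY_PORT"
}

# Sanity-check the address before touching any file: hostname/IPv4 characters
# only, port within 1..65535, and not pointing back at this machine.
validate_proxy() {
    case "$PROXY_HOST" in
        ''|*[!A-Za-z0-9.-]*|localhost|127.0.0.1) return 1 ;;
    esac
    case "$PROXY_PORT" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$PROXY_PORT" -ge 1 ] && [ "$PROXY_PORT" -le 65535 ]
}

# 1. Global environment for login shells: /etc/profile.d/proxy.sh
write_profile() {
    mkdir -p "$ROOT/etc/profile.d"
    cat > "$ROOT/etc/profile.d/proxy.sh" <<EOF
export http_proxy="$(proxy_url)"
export https_proxy="$(proxy_url)"
export ftp_proxy="$(proxy_url)"
export no_proxy="$NO_PROXY_LIST"
EOF
}

# 2. Git: http.proxy covers http:// and https:// remotes. Writing through git
#    itself updates an existing key in place instead of appending a duplicate.
write_git() {
    command -v git >/dev/null 2>&1 || { echo "git not installed, skipping" >&2; return 0; }
    gitconfig="$ROOT${HOME:-/root}/.gitconfig"
    mkdir -p "$(dirname "$gitconfig")"
    git config --file "$gitconfig" http.proxy "$(proxy_url)"
}

# 3. Docker: a systemd drop-in rather than the unit file itself, so a package
#    upgrade cannot overwrite it. Needs daemon-reload + restart afterwards.
write_docker() {
    mkdir -p "$ROOT/etc/systemd/system/docker.service.d"
    cat > "$ROOT/etc/systemd/system/docker.service.d/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$(proxy_url)"
Environment="HTTPS_PROXY=$(proxy_url)"
Environment="NO_PROXY=$NO_PROXY_LIST"
EOF
}

# 4. Yum: proxy= must sit under [main]. Replace an existing line or insert one
#    directly after the section header, so re-running the script is safe.
write_yum() {
    conf="$ROOT/etc/yum.conf"
    mkdir -p "$ROOT/etc"
    [ -f "$conf" ] || printf '[main]\n' > "$conf"
    if grep -q '^proxy=' "$conf"; then
        awk -v line="proxy=$(proxy_url)" '/^proxy=/ { print line; next } { print }' "$conf" > "$conf.tmp"
    else
        awk -v line="proxy=$(proxy_url)" '{ print } /^\[main\]/ { print line }' "$conf" > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

apply_all() {
    validate_proxy || { echo "invalid proxy address $PROXY_HOST:$PROXY_PORT" >&2; return 1; }
    write_profile
    write_git
    write_docker
    write_yum
    echo "proxy $(proxy_url) written under '${ROOT:-/}'"
}

# Check from this (whitelisted) server that the proxy relays for us. tinyproxy
# adds a "Via: ... tinyproxy" header to responses it forwards; a 403 "Access
# denied" page means this host is not in the whitelist, and a connection
# failure points at the cloud firewall rule or a stopped container. Run from a
# host that is not whitelisted, the same command should show "Access denied".
verify_proxy() {
    curl -sS --max-time 10 -x "$(proxy_url)" -I http://github.com/
}

case "${1:-}" in
    apply)  apply_all ;;
    verify) verify_proxy ;;
esac
```

Run it as sh proxy-config.sh apply on the private cloud server after the proxy has been approved, log in again, run systemctl daemon-reload followed by a restart of the Docker service, and then run sh proxy-config.sh verify; a Via header naming tinyproxy in the output confirms that requests are being relayed. A dry run with ROOT=/tmp/dryrun lets you diff the generated files before touching the real ones.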

Conclusion

Delegation, which in software takes the form of the proxy pattern, is a simple, effective and widely used architectural idea. I hope readers can generalise from this example and apply it flexibly.

This article is originally published by Websoft9.