[squid-users] Squid within a network namespace

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 12 16:13:14 UTC 2021


On 4/11/21 12:46 PM, Francois wrote:

> I am running my development tools and VMs in a dedicated network
> namespace on my laptop (through Linux "netns"), so they are fully
> isolated from the rest of my network. I would like to set up a proxy
> so that if there is a need to connect to the outside, I could set up
> some fine-grained ACL to open some very specific HTTP traffic. For
> this to work with Squid, there must be a socket opened within the
> namespace, while Squid is still running on the default namespace.
> 
> This can be achieved without modifying the code by using socat for
> example, where a socat running within the namespace sends traffic to a
> Unix socket, and another socat outside the namespace, reads from the
> Unix socket, and sends the traffic to Squid... it's quite some
> plumbing effort, and Squid won't be able to know from which VM the
> traffic originates (the X-Forwarded-For is localhost)
> 
> Seeing that HAProxy implemented something
> (https://github.com/haproxy/haproxy/commit/b3e54fe387c7c1ea750f39d3029672d640c499f9)
> so that the process moves into the namespace just for the time of the
> socket creation, I came up with a similar change for Squid
> (https://github.com/freedge/squid/commit/a778666d8f4760448e29e4a0cc75dcd305b40d02).

Thank you for a detailed explanation of your use case and sample code.


> As this is a Linux only change, and also the community lived without
> it so far, I am sending this mail to see if there is any interest in
> this feature, if there was ever any request for it in the past?

I cannot answer your questions, but I can tell you that, IMO, quality
namespace support should be accepted by the Squid Project. I hope others
will chime in regarding its usefulness to them.

The feature should probably be configured at least on a listening port
basis (rather than globally) and implementation would have to meet
modern Squid requirements (failing on error, C++, etc.). Your sample
code could be a good starting point.


Cheers,

Alex.
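
As an added illustration of the mechanism Francois describes (entering the namespace only for the socket() call, then returning, so the process keeps running outside while the listener lives inside), here is a small Linux C program. It is not code from the original thread nor from the linked HAProxy or Squid commits; the namespace path argument, the helper names listen_in_netns and bound_port, and the use of port 3128 are assumptions. Without a namespace argument it simply listens in the current namespace, which is also the path the test exercises.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listening socket bound to addr:port.
 * If ns_path is non-NULL (e.g. "/var/run/netns/devlab", the file that
 * "ip netns add devlab" creates), the calling thread enters that network
 * namespace for the socket() call only and switches back before bind() and
 * listen(). A socket stays attached to the namespace it was created in, so
 * the listener lives inside the namespace while the process runs outside.
 * Entering a namespace requires CAP_SYS_ADMIN.
 * Returns the listening fd, or -1 with errno set. */
int listen_in_netns(const char *ns_path, const char *addr, uint16_t port)
{
    int orig_ns = -1, fd = -1, err = 0;

    if (ns_path) {
        /* Keep a handle on the current namespace so we can come back. */
        orig_ns = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
        if (orig_ns < 0)
            return -1;
        int target_ns = open(ns_path, O_RDONLY | O_CLOEXEC);
        if (target_ns < 0 || setns(target_ns, CLONE_NEWNET) < 0) {
            err = errno;
            if (target_ns >= 0) close(target_ns);
            close(orig_ns);
            errno = err;
            return -1;
        }
        close(target_ns);
    }

    fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        err = errno;

    if (ns_path) {
        /* Switch back no matter what happened above. Failing to return is
         * an error in its own right: the thread would otherwise keep
         * running in the wrong namespace. */
        if (setns(orig_ns, CLONE_NEWNET) < 0 && err == 0)
            err = errno;
        close(orig_ns);
    }
    if (err) {
        if (fd >= 0) close(fd);
        errno = err;
        return -1;
    }

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        err = errno;
        close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

/* Port a listening socket actually bound to (useful after asking for port 0). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Usage: ./netns_listen [/var/run/netns/NAME]   (root needed with a namespace) */
int main(int argc, char **argv)
{
    const char *ns = argc > 1 ? argv[1] : NULL;
    int fd = listen_in_netns(ns, "0.0.0.0", 3128);
    if (fd < 0) {
        fprintf(stderr, "listen_in_netns: %s\n", strerror(errno));
        return 1;
    }
    printf("listening on port %d (%s)\n", bound_port(fd), ns ? ns : "current namespace");
    /* The socket lives in the namespace, so accept() sees the VM's own
     * address rather than a localhost relay hop. */
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int c = accept(fd, (struct sockaddr *)&peer, &plen);
    if (c >= 0) {
        char buf[INET_ADDRSTRLEN];
        printf("connection from %s\n", inet_ntop(AF_INET, &peer.sin_addr, buf, sizeof buf));
        close(c);
    }
    close(fd);
    return 0;
}
```

The important detail is that the switch back happens unconditionally and that every failure (missing namespace file, EPERM from setns, socket or bind errors) is reported rather than ignored, which is the "failing on error" behaviour Alex mentions. Because the socket, not the process, carries the namespace, later bind(), listen() and accept() calls work on it normally from the default namespace, and the peer address seen on accept() is the VM's real address.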

