On 4/11/21 12:46 PM, Francois wrote:

> I am running my development tools and VMs in a dedicated network
> namespace on my laptop (through Linux "netns"), so they are fully
> isolated from the rest of my network. I would like to set-up a proxy
> so that if there is a need to connect to the outside, I could set-up
> some fine grained ACL to open some very specific HTTP traffic. For
> this to work with Squid, there must be a socket opened within the
> namespace, while Squid is still running on the default namespace.
>
> This can be achieved without modifying the code by using socat for
> example, where a socat running within the namespace sends traffic to a
> Unix socket, and another socat outside the namespace, reads from the
> Unix socket, and sends the traffic to Squid... it's quite some
> plumbing effort, and Squid won't be able to know from which VM the
> traffic originates (the X-Forwarded-For is localhost)
>
> Seeing that HAProxy implemented something
> (https://github.com/haproxy/haproxy/commit/b3e54fe387c7c1ea750f39d3029672d640c499f9)
> so that the process moves into the namespace just for the time of the
> socket creation, I came up with a similar change for Squid
> (https://github.com/freedge/squid/commit/a778666d8f4760448e29e4a0cc75dcd305b40d02).

Thank you for a detailed explanation of your use case and sample code.

> As this is a Linux only change, and also the community lived without
> it so far, I am sending this mail to see if there is any interest in
> this feature, if there was ever any request for it in the past?

I cannot answer your questions, but I can tell you that, IMO, quality namespace support should be accepted by the Squid Project. I hope others will chime in regarding its usefulness to them.

The feature should probably be configured at least on a listening port basis (rather than globally) and implementation would have to meet modern Squid requirements (failing on error, C++, etc.). Your sample code could be a good starting point.

Cheers,

Alex.
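
The technique discussed in this thread (switch into the target network namespace only while the listening socket is created, then switch back) is shown below as an added C example; it is not part of either message and is not the code from the linked HAProxy or Squid commits. The function name `listen_in_netns` and the namespace path passed to it are assumptions, and the call needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int setns(int fd, int nstype); /* glibc prototype, repeated in case _GNU_SOURCE took effect too late */

/* Hypothetical helper: return a TCP socket listening on `port` inside the
 * network namespace at ns_path (for example a file under /run/netns), or -1
 * with errno set. setns() acts on the calling thread, which is back in its
 * original namespace when this function returns. */
int listen_in_netns(const char *ns_path, uint16_t port)
{
    int home, target = -1, sock = -1, saved;
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_port = htons(port),
                                .sin_addr.s_addr = htonl(INADDR_ANY) };

    home = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (home < 0) return -1;
    target = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (target < 0) goto out;
    if (setns(target, CLONE_NEWNET) < 0) goto out;
    /* A socket stays in the namespace it was created in for its whole lifetime. */
    sock = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (sock >= 0 && (bind(sock, (struct sockaddr *)&addr, sizeof addr) < 0 ||
                      listen(sock, SOMAXCONN) < 0)) {
        saved = errno; close(sock); sock = -1; errno = saved;
    }
    saved = errno;
    /* Fail hard if we cannot return: every later socket would open in the wrong namespace. */
    if (setns(home, CLONE_NEWNET) < 0) abort();
    errno = saved;
out:
    saved = errno;
    if (target >= 0) close(target);
    close(home);
    errno = saved;
    return sock;
}
```

Connections accepted on the returned descriptor keep the peer address seen inside the namespace, which the socat relay described in the quoted message loses.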