Implementing SafeSquid on Cloud

Background

The SafeSquid proxy server is a native x86_64 Linux network service application.
The software is distributed as a “tar-ball” package. It can thus be deployed on an appropriate Linux-based host platform.
Efficient performance requires installation and configuration of a few other co-resident system applications and libraries.
The SafeSquid proxy server and the other applications co-resident on the host platform can generate lots of files.
This can endanger the proxy service if the disk runs out of space.
It is therefore advisable to create appropriate disk partitions for application safety and long-term reliability.
SafeSquid Appliance Builder (SAB) enables easy installation of SafeSquid SWG.
It is an optimized version of the Ubuntu 18.04 x86_64 mini-install ISO that provides automatic setup of all the necessary files and services, as well as optimum disk partitioning.
The SAB installer automatically fetches the tar-ball and deploys SafeSquid towards the end of its execution.

Installing on a Cloud PaaS such as Azure

You cannot set up SafeSquid using SAB on a PaaS such as Azure that does not allow upload of a custom ISO file.
You can download the SafeSquid tar-ball and use it to manually set up SafeSquid on a virtual guest created on such a PaaS.
However, the other optimizations done by the SAB require substantial effort, and disk partitioning remains unoptimized.
Most importantly, implementing the optimum disk partitioning recipe can be most frustrating for a first-timer.
Logs, cached objects, and various other files created at runtime by SafeSquid and other Linux applications and processes can consume disk space, leading to performance degradation or even application failure.
The SAB creates custom partitions using LVM, ensuring isolation of files in logical volumes, and enables easy addition of storage to extend any partition when the need arises.

Using Cloud-Init

Most PaaS providers, such as Azure, enable users to customize their OS setup via cloud-init. Cloud-init enables partition customization and thus mitigates our key concern.

Deploying SafeSquid in Microsoft Azure

Access your Microsoft Azure dashboard at https://portal.azure.com/#home
accessing azure portal
clicking on hamburger icon in azure portal
selecting virtual machines option
clicking on create
selecting azure virtual machine

Basic

basics of creating a virtual machine
selecting your resource group
entering a new name for your virtual machine
selecting the region which is closest to your location
selecting the availability options which meet your requirements
selecting security type
clicking on image and selecting ubuntu 18.04
clicking on configure VM generation, selecting generation, clicking on apply to select and continue
showing VM size
clicking on the down arrow to see all the available CPU and RAM options
selecting the appropriate hardware as per safesquid requirement and clicking on select to continue
entering the username, and selecting SSH public key source
you can also use existing public key for SSH authentication and pasting the public key in the box
showing that you can also use password based authentication to access your VM
clicking on allow selected port and selecting inbound port 22 for SSH

Disks

showing that, if you wish, you can enable encryption on your data stored on Azure's managed disks
minimum size of the disk should be at least 16 GB. selecting the disk size and clicking on OK to continue

Networking

selecting your subnet
selecting public IP
if you wish to set the NIC network security group, select advanced. selecting your network security group
selecting inbound port 22 for SSH
selecting the type of load balancer from load balancing options

Management

showing that for demonstration we are keeping management settings to default

Monitoring

showing that you can enable system alerts for your VM. clicking on configure to create custom alerts
setting the conditions for alerts. choosing the method for notifying administrator. clicking on save to set alerts and continue
showing how to enable OS guest diagnostics to get metrics every minute for your virtual machine. you can use them to create alerts and stay informed on your applications
selecting name of your account. selecting the storage kind. selecting replication type. clicking on OK to create storage account and continue

Advanced

Cloud-init Setup Script

Please click on the link below to find Cloud-init Script

Custom Logical Volume

The default value for each logical volume is set to the minimum disk space required for that partition. Note: the given values for the disk sizes are in megabytes. Update the (--size, “512”) part of the command with the disk size you require. For example, to update the size of /var/lib/safesquid from 1 GB to 3 GB, update
  - [ lvcreate, --size, '1024', --name, /dev/azure-vg/var+lib+safesquid, azure-vg ]
to
  - [ lvcreate, --size, '3072', --name, /dev/azure-vg/var+lib+safesquid, azure-vg ]
The minimum disk space required to create the disk partitions is 16 GB. When using a disk with a storage capacity of more than 250 GB, refer to the recommended maximum disk space. The recommended maximum disk space for the SafeSquid partitions is:
  1. 4096 - /opt/safesquid

  2. 4096 - /usr/local/safesquid

  3. 8192 - /var/lib/safesquid

  4. 8192 - /var/www/safesquid
Allotting more space than the recommended maximum to the partitions mentioned above may not be optimal. The directories /var/db/safesquid, /var/cache/safesquid and /var/log/safesquid do not have a maximum disk size. You can set the maximum disk size for each of these partitions as required.
showing that the mentioned disk partitions are the minimum size required by each partition. updating the size of the disk partitions as required
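
A pre-deployment check for the edited sizes, given as an added example that is not part of SafeSquid's cloud-init script: it parses the lvcreate entries, adds up the requested megabytes against the disk size, and flags any partition above the recommended maximums listed above. The logical volume names other than var+lib+safesquid, the sample sizes and the reserve_mb parameter are assumptions made for illustration.

```python
import re

# Recommended maximum sizes (MB) listed on this page, keyed by mount point.
RECOMMENDED_MAX_MB = {
    "/opt/safesquid": 4096,
    "/usr/local/safesquid": 4096,
    "/var/lib/safesquid": 8192,
    "/var/www/safesquid": 8192,
}

# Matches one runcmd entry in the list form used by the cloud-init script.
LVCREATE = re.compile(
    r"lvcreate,\s*--size,\s*'?(\d+)'?,\s*--name,\s*/dev/([\w.-]+)/([\w.+-]+),"
)

def parse_lvcreate(text):
    """Return {mount_point: size_mb} for every lvcreate entry in the text."""
    plan = {}
    for size, _vg, lv_name in LVCREATE.findall(text):
        # The LV name encodes the mount point with '+' in place of '/'.
        plan["/" + lv_name.replace("+", "/")] = int(size)
    return plan

def check_plan(plan, disk_mb, reserve_mb=0):
    """Return a list of findings; an empty list means the plan fits.

    reserve_mb (hypothetical) is space kept back for the root filesystem etc.
    """
    findings = []
    total = sum(plan.values())
    if total + reserve_mb > disk_mb:
        findings.append(
            f"over-committed: {total} MB requested, {disk_mb - reserve_mb} MB available"
        )
    for mount, size in sorted(plan.items()):
        limit = RECOMMENDED_MAX_MB.get(mount)
        if limit is not None and size > limit:
            findings.append(f"{mount}: {size} MB exceeds recommended maximum {limit} MB")
    return findings

# Constructed sample: the first line is the page's example, the others are made up.
SAMPLE = """
 - [ lvcreate, --size, '3072', --name, /dev/azure-vg/var+lib+safesquid, azure-vg ]
 - [ lvcreate, --size, '512', --name, /dev/azure-vg/opt+safesquid, azure-vg ]
 - [ lvcreate, --size, '9000', --name, /dev/azure-vg/var+www+safesquid, azure-vg ]
"""

if __name__ == "__main__":
    for finding in check_plan(parse_lvcreate(SAMPLE), disk_mb=16 * 1024):
        print(finding)
```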

Tags

Review+Create

Review and create
clicking on download private key and create resource to download your private key and create resources
waiting for the deployment process
clicking on serial console
waiting a few moments for the safesquid installation process to finish
using the username and password to login
clicking on connect and clicking on SSH
SSH into your VM
showing safesquid CLI

Validation

  root@azure:~# netstat -lntp
  root@azure:~# /etc/init.d/safesquid status
  root@azure:~# lsblk
validating by checking for listening ports. checking the safesquid service status. validating custom partitions

Allowing inbound traffic from port 8080

By default, inbound connections to port 8080 are denied for security reasons. To access the proxy service, you'll need to allow port 8080 in Azure.
selecting my IP address for source, or you can mention a custom IP address to allow access to port 8080
setting priority as 310. adding profile name and description. clicking on add to save and continue
showing that the rule for port 8080 has been allowed for the mentioned source IP
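
An audit of the resulting rule set, given as an added example that is not part of the SafeSquid documentation: it reads network security group rules as JSON and reports inbound Allow rules that expose the proxy port to any source instead of a specific IP address. The field names follow the JSON printed by `az network nsg rule list`; the rule names and addresses in the sample are constructed, and the check does not model a higher-priority Deny rule overriding a match.

```python
import json

PROXY_PORT = 8080
# Source values that mean "anyone" in an NSG rule.
OPEN_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

def _as_list(rule, single, plural):
    """Azure reports either one value or a list; merge both fields."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values

def _covers_port(spec, port):
    """True if a port spec ('*', '8080' or '8000-8100') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def open_proxy_rules(rules, port=PROXY_PORT):
    """Names of inbound Allow rules exposing port to any source, by priority."""
    hits = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or rule["access"].lower() != "allow":
            continue
        ports = _as_list(rule, "destinationPortRange", "destinationPortRanges")
        sources = _as_list(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        exposed = any(_covers_port(p, port) for p in ports)
        if exposed and any(s.lower() in OPEN_SOURCES for s in sources):
            hits.append(rule["name"])
    return hits

# Constructed sample rules (names, priorities 300/320 and addresses are made up;
# 310 is the priority used on this page).
SAMPLE_RULES = json.loads("""[
 {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
  "destinationPortRange": "22", "sourceAddressPrefix": "*"},
 {"name": "proxy-from-office", "priority": 310, "direction": "Inbound",
  "access": "Allow", "destinationPortRange": "8080",
  "sourceAddressPrefix": "203.0.113.7"},
 {"name": "proxy-wide-open", "priority": 320, "direction": "Inbound",
  "access": "Allow", "destinationPortRanges": ["8000-8100"],
  "sourceAddressPrefix": "*"}
]""")

if __name__ == "__main__":
    print(open_proxy_rules(SAMPLE_RULES))
```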
setting the proxy in the browser
Access SafeSquid's web interface http://safesquid.cfg/

