Skip to content

Web Proxy

The development environment includes a Squid forward proxy deployed as a Docker container. Source: https://github.com/Sapphire-Health/squid-container.

Purpose

Many customers operate in hardened network environments where outbound internet access is heavily restricted or blocked entirely. The web proxy simulates these conditions in the dev environment so that playbooks can be tested against realistic network constraints before being run in production.

The proxy enforces an allowlist-based policy — all traffic is denied by default, and only explicitly permitted domains are reachable. This mirrors the kind of egress filtering commonly found in customer environments.

Infrastructure

The proxy is deployed as part of the Terraform dev environment (Terraform-Github-AWS) and is accessible within the dev VPC at:

10.197.0.23:3128

Managing the Container

The proxy runs on ansible01, a VM in Sapphire's NonProd AWS account (us-west-2). All docker compose commands must be run from /var/docker/squid-container on that host.

Connecting to ansible01

From a dev container, open a shell on ansible01 using AWS SSM:

aws ssm start-session --target i-0551dacff2ad8caac
bash
sudo su -

Start the proxy

cd /var/docker/squid-container
docker compose up -d

Stop the proxy

cd /var/docker/squid-container
docker compose down

Watch live logs

docker logs -f --tail 50 squid

Reload configuration without restarting

docker exec -it squid squid -k reconfigure

Clear cache and logs

rm -Rf /var/docker/squid-container/logs/*
rm -Rf /var/docker/squid-container/cache/*

Allow Lists

All allow lists are located at /var/docker/squid-container/config/lists/ on the host. After editing any list, reload the configuration for changes to take effect.

File Purpose
SharedInfra Domains accessible from the SharedInfra VPC (e.g. PowerShell Gallery, AWS S3, Sapphire Azure Storage, Red Hat)
cdn CDN domains (e.g. Cloudflare CDN)
global_allowlist Globally allowed domains across all network segments
microsoft_update Microsoft Windows Update endpoints
pki Certificate authority domains — CRL and OCSP services required for certificate validation

Host-specific ACLs

The config/hosts/ directory contains per-subnet access rules. SharedInfra.conf restricts the SharedInfra domain list to traffic originating from the SharedInfra VPC subnet (10.248.13.0/24).

To allow additional domains for a specific subnet, add a new .conf file in config/hosts/ following the same pattern:

acl <subnet_name>_Hosts src <subnet_cidr>
acl <subnet_name> dstdomain "/etc/squid/lists/<list_file>"
http_access allow <subnet_name>_Hosts <subnet_name>

Configuring Ansible to Use the Proxy

Windows Hosts

The playbooks/configure-windows-proxy.yml playbook configures Windows hosts to route traffic through the proxy. It applies the proxy settings machine-wide (not per-user) via registry policy, targeting 10.197.0.23:3128 with local addresses and AWS metadata bypassed:

proxy: 10.197.0.23:3128
bypass:
  - <local>
  - 169.254.169.254
  - '*.amazonaws.com'

This playbook is run early in the environment prep workflow (before other provisioning playbooks) so that subsequent steps that require internet access work correctly in the restricted network.

Linux Hosts

Linux playbooks that require internet access are invoked with extra_vars/proxy.yml, which sets standard HTTP proxy environment variables:

http_proxy: http://10.197.0.23:3128
https_proxy: http://10.197.0.23:3128
no_proxy: localhost,127.0.0.1,.local,.sapphire.dev,10.0.0.0/8,169.254.169.254,amazonaws.com

Pass this file to any playbook that needs outbound internet access on Linux:

ansible-playbook -e @extra_vars/proxy.yml playbooks/<playbook>.yml