Web Proxy
The development environment includes a Squid forward proxy deployed as a Docker container. Source: https://github.com/Sapphire-Health/squid-container.
Purpose
Many customers operate in hardened network environments where outbound internet access is heavily restricted or blocked entirely. The web proxy simulates these conditions in the dev environment so that playbooks can be tested against realistic network constraints before being run in production.
The proxy enforces an allowlist-based policy — all traffic is denied by default, and only explicitly permitted domains are reachable. This mirrors the kind of egress filtering commonly found in customer environments.
Infrastructure
The proxy is deployed as part of the Terraform dev environment (Terraform-Github-AWS) and is accessible within the dev VPC at:
Managing the Container
The proxy runs on ansible01, a VM in Sapphire's NonProd AWS account (us-west-2). All docker compose commands must be run from /var/docker/squid-container on that host.
Connecting to ansible01
From a dev container, open a shell on ansible01 using AWS SSM:
Start the proxy
Stop the proxy
Watch live logs
Reload configuration without restarting
Clear cache and logs
Allow Lists
All allow lists are located at /var/docker/squid-container/config/lists/ on the host. After editing any list, reload the configuration for changes to take effect.
| File | Purpose |
|---|---|
SharedInfra |
Domains accessible from the SharedInfra VPC (e.g. PowerShell Gallery, AWS S3, Sapphire Azure Storage, Red Hat) |
cdn |
CDN domains (e.g. Cloudflare CDN) |
global_allowlist |
Globally allowed domains across all network segments |
microsoft_update |
Microsoft Windows Update endpoints |
pki |
Certificate authority domains — CRL and OCSP services required for certificate validation |
Host-specific ACLs
The config/hosts/ directory contains per-subnet access rules. SharedInfra.conf restricts the SharedInfra domain list to traffic originating from the SharedInfra VPC subnet (10.248.13.0/24).
To allow additional domains for a specific subnet, add a new .conf file in config/hosts/ following the same pattern:
acl <subnet_name>_Hosts src <subnet_cidr>
acl <subnet_name> dstdomain "/etc/squid/lists/<list_file>"
http_access allow <subnet_name>_Hosts <subnet_name>
Configuring Ansible to Use the Proxy
Windows Hosts
The playbooks/configure-windows-proxy.yml playbook configures Windows hosts to route traffic through the proxy. It applies the proxy settings machine-wide (not per-user) via registry policy, targeting 10.197.0.23:3128 with local addresses and AWS metadata bypassed:
This playbook is run early in the environment prep workflow (before other provisioning playbooks) so that subsequent steps that require internet access work correctly in the restricted network.
Linux Hosts
Linux playbooks that require internet access are invoked with extra_vars/proxy.yml, which sets standard HTTP proxy environment variables:
http_proxy: http://10.197.0.23:3128
https_proxy: http://10.197.0.23:3128
no_proxy: localhost,127.0.0.1,.local,.sapphire.dev,10.0.0.0/8,169.254.169.254,amazonaws.com
Pass this file to any playbook that needs outbound internet access on Linux: