k8s isolated pod proxy setup
you need to disable intranet access with a NetworkPolicy.
find more info about intranet ranges here:
https://github.com/langgenius/dify/blob/main/docker/ssrf_proxy/squid.conf.template
http://www.squid-cache.org/Doc/config/acl/
```yaml
apiVersion: networking.k8s.io/v1
```
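As an added example (not from these notes or from the dify project), a small POSIX shell renderer for the kind of NetworkPolicy described above: egress from the proxied pod is allowed to the public internet only, with the private and special-use IPv4 ranges carved out. The namespace and `app` label are placeholders, and the range list is the standard squid "localnet" set rather than a copy of the linked template, so compare the two before relying on it. Two caveats a practitioner wants: with `policyTypes: [Egress]` and only this rule, all other egress (cluster services, kube-dns) is denied, which is what the dnsPolicy: None setup below expects, and NetworkPolicy is only enforced when the cluster's CNI implements it.

```shell
#!/bin/sh
# Added example (not from the original notes or the dify project): render a
# NetworkPolicy that lets the proxied pod reach the public internet but none
# of the private / special-use IPv4 ranges. Namespace and the `app` label are
# placeholders. The range list is squid's default "localnet" set; compare it
# with the squid.conf template linked in the notes before relying on it.

INTRANET_RANGES="10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# render_egress_policy NAME NAMESPACE APP_LABEL
# Prints the manifest to stdout; pipe it into `kubectl apply -f -`.
# Note: because policyTypes lists Egress and this is the only egress rule,
# everything not matched here (cluster services, kube-dns) is denied.
# A dual-stack cluster needs a second rule for ::/0 with its own except list.
render_egress_policy() {
  name="$1"; ns="$2"; app="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
EOF
  # one `except` entry per intranet range, indented under the ipBlock
  for cidr in $INTRANET_RANGES; do
    printf '              - %s\n' "$cidr"
  done
}

# count_excepted_ranges NAME NAMESPACE APP_LABEL
# Sanity check: how many ranges ended up in the except list.
count_excepted_ranges() {
  render_egress_policy "$@" | grep -c '^              - '
}

# Usage: render_egress_policy deny-intranet sandbox proxied-app | kubectl apply -f -
```

The `except` list lives inside a single `0.0.0.0/0` block because NetworkPolicy has no deny rule: you express "everything but the intranet" as one allow with exceptions.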
if you do not want to use tun routing and would rather rely on application-specific proxy adaptors, you can export the environment variables from /etc/profile, /etc/profile.d/proxy.sh or ~/.bashrc.
use clash tun mode via config.yaml:
```yaml
interface-name: en0 # conflicts with `tun.auto-detect-interface`
```
ref:
https://clash.wiki/premium/tun-device.html
in most cases you would create a tun device, then route all traffic through that device once the necessary software is installed.
```shell
ip tuntap add mode tun dev tun0
```
the route to the DNS server must go via the default gateway, otherwise you will not be able to reach the DNS.
the default gateway differs from node to node, so it is recommended to fetch it from ip route (for ubuntu containers you would run apt install iproute2 first).
```shell
DNS_IP=8.8.8.8
```
then launch tun2socks:
```shell
./tun2socks -interface $DEFAULT_NET_DEVICE -device tun://tun0 -proxy <proxy_protocol>://<proxy_address>
```
to disable the tun network you can run:
```shell
ip route delete default dev tun0
```
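The tun steps above as one script, added here as an example (not the notes' own code and not from the tun2socks project). The gateway and device are parsed from ip route rather than hard-coded, the DNS bypass route is added before the default route moves so lookups never break mid-switch, and the node's original default route is kept as a higher-metric fallback so that the teardown command from the notes is enough to recover. The tun address 198.18.0.1/15, the proxy URL and the metrics are this example's assumptions; applying the plan needs root, CAP_NET_ADMIN and /dev/net/tun in the container.

```shell
#!/bin/sh
# Added example, not from the original notes: the tun routing steps as a script.
# parse_default_route and plan_tun_routes only produce text (checkable offline);
# apply_tun_routes runs the plan and needs root, CAP_NET_ADMIN and /dev/net/tun.
# TUN_ADDR (198.18.0.1/15) and the metrics are assumptions of this example.

TUN_DEV=tun0
TUN_ADDR=198.18.0.1/15

# parse_default_route: read `ip route` output on stdin and print
# "<gateway> <device>" of the default route. Expects the "default via GW dev DEV"
# form; exits non-zero when no such route exists, because the DNS bypass route
# below cannot be built without a gateway.
parse_default_route() {
  awk '$1 == "default" && $2 == "via" {
         for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
         print $3, dev; found = 1; exit
       }
       END { if (!found) exit 1 }'
}

# plan_tun_routes DNS_IP GATEWAY DEVICE PROXY_URL
# Print, one per line, the commands that: create and bring up the tun, pin the
# DNS server to the physical path via the node gateway, start tun2socks bound
# to the physical interface (so the proxy connection itself never enters the
# tun), keep the node's default route as a high-metric fallback, and finally
# prefer the tun for everything else. Order matters: the DNS route must exist
# before the default route moves.
plan_tun_routes() {
  dns_ip="$1"; gw="$2"; dev="$3"; proxy="$4"
  printf 'ip tuntap add mode tun dev %s\n' "$TUN_DEV"
  printf 'ip addr add %s dev %s\n' "$TUN_ADDR" "$TUN_DEV"
  printf 'ip link set dev %s up\n' "$TUN_DEV"
  printf 'ip route add %s via %s dev %s\n' "$dns_ip" "$gw" "$dev"
  printf './tun2socks -interface %s -device tun://%s -proxy %s &\n' "$dev" "$TUN_DEV" "$proxy"
  # re-add the node default with a worse metric; mirror extra attributes
  # (e.g. onlink) here if the original route carried any
  printf 'ip route del default\n'
  printf 'ip route add default via %s dev %s metric 100\n' "$gw" "$dev"
  printf 'ip route add default dev %s metric 1\n' "$TUN_DEV"
}

# plan_tun_teardown: removing the tun default route is enough, the metric-100
# fallback via the node gateway takes over (the same command the notes give).
plan_tun_teardown() {
  printf 'ip route delete default dev %s\n' "$TUN_DEV"
}

# apply_tun_routes DNS_IP PROXY_URL: detect the gateway live and run the plan.
apply_tun_routes() {
  set -- "$1" "$2" "$(ip route | parse_default_route)"
  [ -n "$3" ] || { echo "no default route with a gateway found" >&2; return 1; }
  gw="${3%% *}"; dev="${3##* }"
  plan_tun_routes "$1" "$gw" "$dev" "$2" | sh -e
}

# Usage (inside the pod): DNS_IP=8.8.8.8 sh tun-setup.sh apply socks5://proxy.example:1080
if [ "${1:-}" = "apply" ]; then
  apply_tun_routes "${DNS_IP:-8.8.8.8}" "$2"
fi
```

Printing the plan before applying it is deliberate: inside a pod a wrong route order leaves you without DNS and without a shell that can resolve anything, so review the plan output once per node type before switching to apply.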
you need to set dnsPolicy to None in the manifest, otherwise the cluster DNS IP is added to /etc/resolv.conf, which slows down lookups and makes the resolver very hard to change at runtime.
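An added example (not from the notes) of the manifest side of this: a shell renderer for a Pod that pins its resolver with dnsPolicy: None (dnsConfig.nameservers is mandatory in that case) and that carries what ip tuntap needs, namely CAP_NET_ADMIN and the /dev/net/tun device. Image, namespace and resolver are placeholders. Whether a hostPath mount of /dev/net/tun is usable by a non-privileged container depends on the runtime's device cgroup rules; if it is not, a device plugin is the least-privilege alternative to privileged: true. The block also includes a small check that reports the effective dnsPolicy of any manifest, since an absent field silently means ClusterFirst.

```shell
#!/bin/sh
# Added example, not from the original notes: render a Pod manifest with
# dnsPolicy: None (cluster resolver kept out of /etc/resolv.conf) plus the
# privileges `ip tuntap` needs. Image, namespace and resolver are placeholders.
# The hostPath device mount is an assumption; some runtimes need a device
# plugin (or privileged: true) before the container can open /dev/net/tun.

# render_proxied_pod NAME NAMESPACE IMAGE DNS_IP
# Prints the manifest to stdout; pipe it into `kubectl apply -f -`.
render_proxied_pod() {
  name="$1"; ns="$2"; image="$3"; dns_ip="$4"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    app: ${name}
spec:
  dnsPolicy: None          # do not inherit the cluster DNS
  dnsConfig:
    nameservers:
      - ${dns_ip}          # reached via the node gateway, not via the tun
  containers:
    - name: app
      image: ${image}
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]   # needed for ip tuntap / ip route
      volumeMounts:
        - name: tun
          mountPath: /dev/net/tun
  volumes:
    - name: tun
      hostPath:
        path: /dev/net/tun
        type: CharDevice
EOF
}

# dns_policy_of MANIFEST_TEXT
# Print the effective dnsPolicy of a Pod manifest. Kubernetes defaults the
# field to ClusterFirst when it is absent, which is exactly the case the
# notes warn about, so an audit of existing manifests should treat "absent"
# as "cluster DNS will be injected".
dns_policy_of() {
  v=$(printf '%s\n' "$1" | awk '$1 == "dnsPolicy:" { print $2; exit }')
  printf '%s\n' "${v:-ClusterFirst}"
}

# Usage: render_proxied_pod egress-pod sandbox example/app:1.0 8.8.8.8 | kubectl apply -f -
```

Pairing this with the NetworkPolicy from the first section gives the intended shape: the pod cannot talk to the cluster or the intranet, resolves only through the configured public resolver, and everything else leaves through the tun.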
not every domain should be reached via public proxies, unless it is guaranteed not to be discovered by the GFW.
the full network isolation scheme is shown below:
```
internet interface
```