Fix the proxy config

Simplify
Fix
2026-03-07 02:03:07 +08:00 · 2026-01-29 08:55:40 -08:00 · 2026-01-29 08:52:36 -08:00 · 2026-01-29 08:41:53 -08:00
1 changed files with 128 additions and 68 deletions
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@ -91,29 +91,45 @@ jobs:
    container:
      image: ubuntu:latest
      options: --privileged
-    services:
-      squid-proxy:
-        image: ubuntu/squid:latest
-        ports:
-          - 3128:3128
-    env:
-      http_proxy: http://squid-proxy:3128
-      https_proxy: http://squid-proxy:3128
    steps:
    - name: Checkout
      uses: actions/checkout@v5
-    - name: Install dependencies
+    - name: Install dependencies and setup Squid proxy
      run: |
        apt-get update
-        apt-get install -y iptables dnsutils curl jq ipset
+        apt-get install -y iptables dnsutils curl jq ipset squid
+        
+        # Configure squid for forward proxy
+        cat >> /etc/squid/squid.conf << 'EOF'
+        # Allow all traffic through proxy
+        http_access allow all
+        # Enable SSL bumping for HTTPS CONNECT
+        http_port 3128
+        EOF
+        
+        # Start squid
+        service squid start
+        sleep 2
+        
+        # Verify squid is running
+        if service squid status; then
+          echo "Squid proxy started successfully"
+        else
+          echo "Failed to start squid"
+          cat /var/log/squid/cache.log
+          exit 1
+        fi
    - name: Fetch GitHub meta and configure firewall
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      run: |
        # Fetch GitHub meta API to get all IP ranges
        echo "Fetching GitHub meta API..."
        curl -sS https://api.github.com/meta > /tmp/github-meta.json

-        # Get squid-proxy IP address
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+        # Proxy is on localhost
+        PROXY_IP="127.0.0.1"
        echo "Proxy IP: $PROXY_IP"

        # Allow established connections
@ -159,10 +175,15 @@ jobs:
          iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
        done

-        # Block productionresultssa*.blob.core.windows.net (cache blob storage)
-        # We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts
-        # The proxy will handle these requests
-        echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy"
+        # Block known blob storage endpoints used by cache
+        # Resolve and block common productionresultssa*.blob.core.windows.net endpoints
+        for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do
+          BLOB_HOST="productionresultssa${i}.blob.core.windows.net"
+          for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
+            echo "Blocking direct access to $BLOB_HOST: $ip"
+            iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
+          done
+        done

        # Block all other outbound HTTP/HTTPS traffic
        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
@ -173,12 +194,15 @@ jobs:
        echo ""
        echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
    - name: Verify proxy enforcement
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      run: |
        echo "=== Testing proxy enforcement ==="

        # Test 1: Direct connection to github.com should work (it's in allowed IPs)
        echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)"
-        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://api.github.com/zen 2>/dev/null; then
+        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then
          echo "✓ Direct GitHub API access works (expected)"
        else
          echo "✗ Direct GitHub API access failed (unexpected but not critical)"
@ -187,7 +211,7 @@ jobs:
        # Test 2: Direct connection to blob storage should FAIL
        echo ""
        echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)"
-        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
+        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
          echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
          exit 1
        else
@ -197,14 +221,19 @@ jobs:
        # Test 3: Connection through proxy should work
        echo ""
        echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
-        if curl --connect-timeout 5 --max-time 10 -sS https://productionresultssa0.blob.core.windows.net 2>&1 | head -5; then
-          echo "✓ Proxy connection works (expected - even if 4xx/5xx response, connection succeeded)"
+        # Using proxy (from env vars), we should be able to connect even if we get an HTTP error
+        HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000")
+        if [ "$HTTP_CODE" != "000" ]; then
+          echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)"
        else
          echo "Note: Proxy connection may have failed, but that's OK if it's not a network block"
        fi
    - name: Generate files
      run: __tests__/create-cache-files.sh proxy test-cache
    - name: Save cache
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      uses: ./
      with:
        key: test-proxy-${{ github.run_id }}
@ -213,28 +242,24 @@ jobs:
      run: |
        echo "=== Verifying cache traffic went through proxy ==="
        
-        # Get the squid container ID
-        SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1)
-        
-        if [ -z "$SQUID_CONTAINER" ]; then
-          SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
-        fi
+        # Read squid access log directly
+        SQUID_LOG="/var/log/squid/access.log"
        
        # Initialize summary
        echo "## 🔒 Proxy Traffic Verification - Cache Save" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        
-        if [ -n "$SQUID_CONTAINER" ]; then
-          echo "Found Squid container: $SQUID_CONTAINER"
+        if [ -f "$SQUID_LOG" ]; then
+          echo "Found Squid access log at: $SQUID_LOG"
          
          # Get the full access log
-          ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "")
+          ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
          
          # Extract traffic details
          RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
          BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true)
-          RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" || echo "0")
-          BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" || echo "0")
+          RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0")
+          BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0")
          
          # Build summary table
          echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
@ -315,10 +340,15 @@ jobs:
          echo "Blob storage requests: $BLOB_COUNT"
          echo "Verification status: $VERIFY_STATUS"
        else
-          echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY
+          echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY
-          echo "Could not access squid container logs"
+          echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          
+          echo "Could not find squid access log"
+          ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
        fi

  test-proxy-restore:
@ -327,29 +357,45 @@ jobs:
    container:
      image: ubuntu:latest
      options: --privileged
-    services:
-      squid-proxy:
-        image: ubuntu/squid:latest
-        ports:
-          - 3128:3128
-    env:
-      http_proxy: http://squid-proxy:3128
-      https_proxy: http://squid-proxy:3128
    steps:
    - name: Checkout
      uses: actions/checkout@v5
-    - name: Install dependencies
+    - name: Install dependencies and setup Squid proxy
      run: |
        apt-get update
-        apt-get install -y iptables dnsutils curl jq ipset
+        apt-get install -y iptables dnsutils curl jq ipset squid
+        
+        # Configure squid for forward proxy
+        cat >> /etc/squid/squid.conf << 'EOF'
+        # Allow all traffic through proxy
+        http_access allow all
+        # Enable SSL bumping for HTTPS CONNECT
+        http_port 3128
+        EOF
+        
+        # Start squid
+        service squid start
+        sleep 2
+        
+        # Verify squid is running
+        if service squid status; then
+          echo "Squid proxy started successfully"
+        else
+          echo "Failed to start squid"
+          cat /var/log/squid/cache.log
+          exit 1
+        fi
    - name: Fetch GitHub meta and configure firewall
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      run: |
        # Fetch GitHub meta API to get all IP ranges
        echo "Fetching GitHub meta API..."
        curl -sS https://api.github.com/meta > /tmp/github-meta.json

-        # Get squid-proxy IP address
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+        # Proxy is on localhost
+        PROXY_IP="127.0.0.1"
        echo "Proxy IP: $PROXY_IP"

        # Allow established connections
@ -395,10 +441,15 @@ jobs:
          iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
        done

-        # Block productionresultssa*.blob.core.windows.net (cache blob storage)
-        # We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts
-        # The proxy will handle these requests
-        echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy"
+        # Block known blob storage endpoints used by cache
+        # Resolve and block common productionresultssa*.blob.core.windows.net endpoints
+        for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do
+          BLOB_HOST="productionresultssa${i}.blob.core.windows.net"
+          for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
+            echo "Blocking direct access to $BLOB_HOST: $ip"
+            iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
+          done
+        done

        # Block all other outbound HTTP/HTTPS traffic
        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
@ -409,12 +460,15 @@ jobs:
        echo ""
        echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
    - name: Verify proxy enforcement
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      run: |
        echo "=== Testing proxy enforcement ==="

        # Test 1: Direct connection to github.com should work (it's in allowed IPs)
        echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)"
-        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://api.github.com/zen 2>/dev/null; then
+        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then
          echo "✓ Direct GitHub API access works (expected)"
        else
          echo "✗ Direct GitHub API access failed (unexpected but not critical)"
@ -423,7 +477,7 @@ jobs:
        # Test 2: Direct connection to blob storage should FAIL
        echo ""
        echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)"
-        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
+        if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
          echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
          exit 1
        else
@ -433,12 +487,17 @@ jobs:
        # Test 3: Connection through proxy should work
        echo ""
        echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
-        if curl --connect-timeout 5 --max-time 10 -sS https://productionresultssa0.blob.core.windows.net 2>&1 | head -5; then
-          echo "✓ Proxy connection works (expected - even if 4xx/5xx response, connection succeeded)"
+        # Using proxy (from env vars), we should be able to connect even if we get an HTTP error
+        HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000")
+        if [ "$HTTP_CODE" != "000" ]; then
+          echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)"
        else
          echo "Note: Proxy connection may have failed, but that's OK if it's not a network block"
        fi
    - name: Restore cache
+      env:
+        http_proxy: http://127.0.0.1:3128
+        https_proxy: http://127.0.0.1:3128
      uses: ./
      with:
        key: test-proxy-${{ github.run_id }}
@ -447,28 +506,24 @@ jobs:
      run: |
        echo "=== Verifying cache restore traffic went through proxy ==="
        
-        # Get the squid container ID
-        SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1)
-        
-        if [ -z "$SQUID_CONTAINER" ]; then
-          SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
-        fi
+        # Read squid access log directly
+        SQUID_LOG="/var/log/squid/access.log"
        
        # Initialize summary
        echo "## 🔒 Proxy Traffic Verification - Cache Restore" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        
-        if [ -n "$SQUID_CONTAINER" ]; then
-          echo "Found Squid container: $SQUID_CONTAINER"
+        if [ -f "$SQUID_LOG" ]; then
+          echo "Found Squid access log at: $SQUID_LOG"
          
          # Get the full access log
-          ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "")
+          ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
          
          # Extract traffic details
          RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
          BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true)
-          RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" || echo "0")
-          BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" || echo "0")
+          RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0")
+          BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0")
          
          # Build summary table
          echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
@ -548,10 +603,15 @@ jobs:
          echo "Blob storage requests: $BLOB_COUNT"
          echo "Verification status: $VERIFY_STATUS"
        else
-          echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY
+          echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY
-          echo "Could not access squid container logs"
+          echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          
+          echo "Could not find squid access log"
+          ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
        fi
    - name: Verify cache
      run: __tests__/verify-cache-files.sh proxy test-cache
Author	SHA1	Message	Date
Bassem Dghaidi	d59cb79a26	Fix the proxy config	2026-01-29 08:55:40 -08:00
Bassem Dghaidi	d19411273c	Simplify	2026-01-29 08:52:36 -08:00
Bassem Dghaidi	eaa29f93a6	Fix	2026-01-29 08:41:53 -08:00