
配置透明代理squid支援https與http

# 配置透明代理,支援http與https

node1 eth0 內網10.37.129.5（預設路由指向 node2）
node2 eth1 內網10.37.129.3（node1 的閘道器，Squid 在此攔截）
      eth0 外網10.211.55.19（對外 NAT 出口）

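# 1. On node1: send ALL of node1's egress through node2 (10.37.129.3).
#    `ip route` is the iproute2 form; the legacy net-tools `route` used in the
#    original (`route add default gw 10.37.129.3 dev eth0`) may not even be
#    installed on a CentOS 7 minimal system. `replace` instead of `add` so the
#    command also succeeds when node1 already has a default route (e.g. from
#    DHCP), where `add` would fail with "File exists".
#    NOTE: this is not persistent across reboots; put it in
#    /etc/sysconfig/network-scripts/route-eth0 if it must survive one.
ip route replace default via 10.37.129.3 dev eth0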

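# 2. On node2 (run as root). node2 is node1's gateway: it forwards and
#    source-NATs node1's traffic out of eth0 and diverts plain HTTP into Squid.
yum install -y iptables

# Packet forwarding is off by default on Linux. Without it node2 silently
# drops the packets node1 sends it and the MASQUERADE rule below never fires.
# This step is missing from the original walkthrough. Persist it via
# /etc/sysctl.d/ if the box must survive a reboot.
sysctl -w net.ipv4.ip_forward=1

# WARNING: these two lines flush EVERY existing rule in the filter and nat
# tables, including any host firewall already on node2. Acceptable on a lab
# box; on anything else, only append the rules below.
iptables -F
iptables -F -t nat

# Plain HTTP arriving on the internal interface (eth1) is diverted to Squid's
# intercept port. REDIRECT rewrites the destination to eth1's primary address
# (10.37.129.3), which is why Squid can be bound to that address only.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# HTTPS: the original rule was `-p udp --dport 443`. HTTPS is TCP, so that
# rule never matched anything -- TCP/443 was NATed straight out by the
# MASQUERADE rule below and never reached Squid, which is also why the final
# `curl https://...` test "worked". The TCP form below is the correct
# interception rule, but a plain `http_port ... intercept` cannot terminate
# TLS: enabling it with the squid.conf on this page breaks HTTPS instead of
# proxying it. Uncomment it ONLY once squid.conf has
# `https_port 3129 intercept ssl-bump cert=...` plus `ssl_bump` rules and the
# clients trust that CA (deliberate TLS interception, which this page does not
# set up). Until then HTTPS bypasses the proxy, exactly as in the original.
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 3129

# Everything else from the internal subnet is source-NATed out of eth0.
iptables -t nat -A POSTROUTING -o eth0 -s 10.37.129.0/24 -j MASQUERADE

# 3. On node2: install Squid. This walkthrough used Squid 3.5.20 on
#    CentOS Linux release 7.3.1611 (Core).
yum install -y squid

# 4. On node2: write /etc/squid/squid.conf. Keep a copy of the shipped file
#    first (-n: do not overwrite an existing backup).
cp -n /etc/squid/squid.conf /etc/squid/squid.conf.orig
cat > /etc/squid/squid.conf <<'EOF'
# Networks allowed to use the proxy (Squid's shipped defaults).
# CAVEAT for this lab: the "external" network 10.211.55.0/24 also falls inside
# 10.0.0.0/8, so the first line would admit hosts on the external side too.
# Binding the ports to the internal address (below) is what actually keeps
# them off eth0; narrow this to 10.37.129.0/24 if you want the ACL to match
# the real internal network.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Access rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# The original ended with `http_access allow all`, which made every rule above
# it irrelevant and turned node2 into an open proxy for anyone who could reach
# the port. Squid's shipped default is `deny all`; restore it.
http_access deny all

# Listen only on the internal address (the one REDIRECT rewrites packets to),
# so nothing is exposed on the external interface. `transparent`, used in the
# original, is the old spelling of `intercept` in Squid 3.x.
http_port 10.37.129.3:3128 intercept

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

dns_v4_first on
cache_mem 99 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru

# Port 3129 is the target of the (disabled) 443 REDIRECT rule. An http_port
# only speaks plain HTTP: raw TLS ClientHellos arriving here are not
# understood. Intercepting HTTPS requires
# `https_port 10.37.129.3:3129 intercept ssl-bump cert=<CA cert/key>` plus
# `ssl_bump` rules and a CA the clients trust -- none of which this page sets up.
http_port 10.37.129.3:3129 intercept
EOF

# 5. On node2: validate the config before (re)starting the service so a typo
#    does not leave the gateway with a dead proxy.
squid -k parse
systemctl restart squid

# 6. On node1: start a throwaway pod to test from. The manifest has no
#    placement constraint; on a multi-node cluster add nodeName/nodeSelector
#    so the pod actually lands on node1, where the default route was changed.
cat > alpine.yaml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: test
    spec:
      containers:
      - image: alpine
        imagePullPolicy: IfNotPresent
        name: alpine
        args: ["sleep","36000"]
status: {}
EOF

kubectl apply -f alpine.yaml
kubectl wait --for=condition=Ready pod -l app=test --timeout=120s

# Select the pod by label instead of pasting its generated name.
pod=$(kubectl get pod -l app=test -o jsonpath='{.items[0].metadata.name}')

# Inside the pod. Plain HTTP is the request that actually traverses Squid --
# confirm it in /var/log/squid/access.log on node2 (default log location).
# HTTPS succeeding here only proves it was NATed out, not that Squid saw it.
kubectl exec -ti "$pod" -- sh -c 'apk add --no-cache curl && curl -sI http://www.baidu.com && curl -sI https://www.baidu.com'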