MAAS provides a way for its managed machines to use a proxy server when they need to access HTTP/HTTPS-based resources, such as the Ubuntu package archive.
There are three possible options:
- internal proxy (default)
- external proxy
- no proxy
Configuring a proxy with MAAS consists of enabling/disabling one of the above three options and enabling/disabling proxying on a specific subnet.
MAAS provides an internal proxy server. Although it is set up to work well with APT/package requests, it is effectively an HTTP caching proxy server. If you configure the MAAS region controller as the default gateway for the machines it manages then the proxy will work transparently (on TCP port 3128). Otherwise, machines will need to access it on TCP port 8000.
By default, the proxy is available to all hosts residing in any subnet detected by MAAS, not just MAAS-managed machines. It is therefore recommended to disable proxy access for those subnets that represent untrusted networks.
MAAS manages its proxy. So although the active configuration, located in the file /var/lib/maas/maas-proxy.conf, can be inspected, it is not to be hand-edited.
You must install the proxy on the same host as the region controller (via the ‘maas-proxy’ package).
Enabling and disabling proxying, in general, is done via a boolean option (‘true’ or ‘false’). The following command will disable proxying completely:
maas $PROFILE maas set-config name=enable_http_proxy value=false
To set an external proxy, ensure proxying is enabled (see above) and then define it:
maas $PROFILE maas set-config name=http_proxy value=$EXTERNAL_PROXY
maas $PROFILE maas set-config name=enable_http_proxy value=true
maas $PROFILE maas set-config name=http_proxy value=http://squid.example.com:3128/
Enabling and disabling proxying per subnet is done via a boolean option (‘true’ or ‘false’). Here is how you can disable proxying on a per-subnet basis:
maas $PROFILE subnet update $SUBNET_CIDR allow_proxy=false
maas $PROFILE subnet update 192.168.0.0/22 allow_proxy=false
NOTE that the proxy service will still be running.