在显式代理服务器中运行 CodeBuild - AWS CodeBuild
将 Squid 配置为显式代理服务器创建 CodeBuild 项目 显式代理服务器示例 squid.conf 文件

在显式代理服务器中运行 CodeBuild

要在显式代理服务器中运行 AWS CodeBuild,您必须配置代理服务器以允许或拒绝进出外部网站的流量,然后配置 HTTP_PROXYHTTPS_PROXY 环境变量。

将 Squid 配置为显式代理服务器

要将 Squid 代理服务器配置为显式,您必须对其 /etc/squid/squid.conf 文件进行以下修改:

  • 删除以下默认访问控制列表(ACL)规则。

    acl localnet src 10.0.0.0/8     
acl localnet src 172.16.0.0/12  
acl localnet src 192.168.0.0/16 
acl localnet src fc00::/7       
acl localnet src fe80::/10

    在您删除的默认 ACL 规则的位置添加以下内容。第一行允许来自您的 VPC 的请求。接下来的两行授予您的代理服务器访问 AWS CodeBuild 可能使用的目标 URL 的权限。修改最后一行中的正则表达式,以指定 AWS 区域中的 S3 存储桶或 CodeCommit 存储库。例如:

    • 如果您的源是 Amazon S3,请使用命令 acl download_src dstdom_regex .*s3\.us-west-1\.amazonaws\.com 来授权访问 us-west-1 区域中的 S3 存储桶。

    • 如果您的源是 AWS CodeCommit,请使用 git-codecommit.<your-region>.amazonaws.com 将 AWS 区域添加到允许列表中。

    acl localnet src 10.1.0.0/16 #Only allow requests from within the VPC
acl allowed_sites dstdomain .github.com #Allows to download source from GitHub
acl allowed_sites dstdomain .bitbucket.com #Allows to download source from Bitbucket
acl download_src dstdom_regex .*\.amazonaws\.com #Allows to download source from Amazon S3 or CodeCommit

  • http_access allow localnet 替换为以下项:

    http_access allow localnet allowed_sites
http_access allow localnet download_src

  • 如果您希望构建上传日志和构件,请执行以下任一操作:

    1. http_access deny all 语句之前,插入以下语句。它们允许 CodeBuild 访问 CloudWatch 和 Amazon S3。需要访问 CloudWatch,这样 CodeBuild 才能创建 CloudWatch Logs。上传构件和 Amazon S3 缓存需要访问 Amazon S3。

      • https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

      • 保存 squid.conf 后,运行以下命令:

        sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
sudo service squid restart

    2. proxy 添加到您的 buildspec 文件。有关更多信息,请参阅 buildspec 语法

      version: 0.2
proxy:
  upload-artifacts: yes
  logs: yes
phases:
  build:
    commands:
      - command
注意

如果您收到一个 RequestError 超时错误,请参阅 在代理服务器中运行 CodeBuild 时出现 RequestError 超时错误

有关更多信息,请参阅本主题后面的显式代理服务器示例 squid.conf 文件

创建 CodeBuild 项目

要使用显式代理服务器运行 AWS CodeBuild,请使用您为代理服务器创建的 EC2 实例的私有 IP 地址和项目级别的端口 3128 设置 HTTP_PROXYHTTPS_PROXY 环境变量。私有 IP 地址看起来类似于 http://your-ec2-private-ip-address:3128。有关更多信息,请参阅在 AWS CodeBuild 中创建构建项目在 AWS CodeBuild 中更改构建项目设置

使用以下命令查看 Squid 代理服务器访问日志:

sudo tail -f /var/log/squid/access.log

显式代理服务器示例 squid.conf 文件

以下是为显式代理服务器配置的 squid.conf 文件的示例。

  acl localnet src 10.0.0.0/16 #Only allow requests from within the VPC
  # add all URLS to be whitelisted for download source and commands to be run in build environment
  acl allowed_sites dstdomain .github.com    #Allows to download source from github
  acl allowed_sites dstdomain .bitbucket.com #Allows to download source from bitbucket
  acl allowed_sites dstdomain ppa.launchpad.net #Allows to run apt-get in build environment
  acl download_src dstdom_regex .*\.amazonaws\.com #Allows to download source from S3 or CodeCommit
  acl SSL_ports port 443
  acl Safe_ports port 80		# http
  acl Safe_ports port 21		# ftp
  acl Safe_ports port 443		# https
  acl Safe_ports port 70		# gopher
  acl Safe_ports port 210		# wais
  acl Safe_ports port 1025-65535	# unregistered ports
  acl Safe_ports port 280		# http-mgmt
  acl Safe_ports port 488		# gss-http
  acl Safe_ports port 591		# filemaker
  acl Safe_ports port 777		# multiling http
  acl CONNECT method CONNECT
  #
  # Recommended minimum Access Permission configuration:
  #
  # Deny requests to certain unsafe ports
  http_access deny !Safe_ports
  # Deny CONNECT to other than secure SSL ports
  http_access deny CONNECT !SSL_ports
  # Only allow cachemgr access from localhost
  http_access allow localhost manager
  http_access deny manager
  # We strongly recommend the following be uncommented to protect innocent
  # web applications running on the proxy server who think the only
  # one who can access services on "localhost" is a local user
  #http_access deny to_localhost
  #
  # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  #
  # Example rule allowing access from your local networks.
  # Adapt localnet in the ACL section to list your (internal) IP networks
  # from where browsing should be allowed
  http_access allow localnet allowed_sites
  http_access allow localnet download_src
  http_access allow localhost
  # Add this for CodeBuild to access CWL end point, caching and upload artifacts S3 bucket end point
  https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
  acl SSL_port port 443
  http_access allow SSL_port
  acl allowed_https_sites ssl::server_name .amazonaws.com
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl step3 at_step SslBump3
  ssl_bump peek step1 all
  ssl_bump peek step2 allowed_https_sites
  ssl_bump splice step3 allowed_https_sites
  ssl_bump terminate step2 all
  # And finally deny all other access to this proxy
  http_access deny all
  # Squid normally listens to port 3128
  http_port 3128
  # Uncomment and adjust the following to add a disk cache directory.
  #cache_dir ufs /var/spool/squid 100 16 256
  # Leave coredumps in the first cache dir
  coredump_dir /var/spool/squid
  #
  # Add any of your own refresh_pattern entries above these.
  #
  refresh_pattern ^ftp:		1440	20%	10080
  refresh_pattern ^gopher:	1440	0%	1440
  refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
  refresh_pattern .		0	20%	4320