Using a proxy server for CBRS connectivity

Proxy Suggestions for CBRS connectivity

We recommend against using cnMaestro on-premises as a proxy for cbrs connectivity. Normally, upgrades to cnMaestro that result in a small amount of downtime do not impact network devices under management. In the case of cbrs they do, and even a brief outage of the proxy during upgrade will result in network outages.

External proxy requirements

If you already use a forward proxy in your network, its best to use this rather than setting up a new one. Connections will be made using http CONNECT to, your proxy will need to allow this. A TLS intercepting proxy (like some security gateways) will break connectivity.

Squid as external proxy

The following configuration will work for an external proxy config if needed, but does not offer high-availability and may not be in line with your network standards. Weve tested this on fresh installs of:

  • Ubuntu 20.04 / Squid Cache: Version 4.10
  • Centos 7 / Squid Cache: Version 3.5.20

Though they should work on your distro just fine as well.

## While this config may work for your use case, we encourage you to
## follow your own best practices and modify this file for
## your network.
## Tested on squid version 4.10

## This localnet ACL is not useful unless you want to use
## this proxy for anything other than a cbrs proxy.
#acl localnet src   # RFC1918 possible internal network
#acl localnet src  # RFC1918 possible internal network
#acl localnet src # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

## This cbrs ACL limits connections to
## only.
acl cbrs dstdomain
## Updates require access to destinations under
## This is a separate ACL for readability, but can be combined with the cbrs
## ACL if preferred.
acl cloud dstdomain

## This group blocks http CONNECT to non-standard https ports
acl SSL_Ports port 443             
acl CONNECT method CONNECT         
http_access deny CONNECT !SSL_Ports 

## Allow access only to the sas and cloud acls. Add your own ACLs here if
## needed                            
http_access allow CONNECT cbrs
http_access allow CONNECT cloud
http_access deny all                               
## We dont need any cache for proxying cbrs traffic
cache deny all

## Port config, change this to suit your requirements
http_port 3128

HA for squid external proxy

Since a standalone proxy is a single point of failure, we recommend using an HA setup for squid. This can be done fairly simply using pacemaker or drdb.


This has been updated to include http connect traffic under which is needed for updates - thanks @CambiumEvan for catching this!

1 Like