Add Google DNS-over-HTTPS proxy for a full working corporate MITM-MITM-host
Add the necessary extra daemons to allow running this image behind a corporate MITM webserver, with a local MITM enabled for local caching, even in the absence of a proper internal DNS service.
This commit is contained in:
parent
3d6fb6c0c1
commit
1bf188d23f
30
README.md
30
README.md
|
@ -89,6 +89,36 @@ others above, `CONFIG_DISABLE` prevents overwriting templated files.
|
|||
* `PROXYCHAIN_DNS`
|
||||
Default none. When set to `yes`, turns on the `proxy_dns` option for Proxychains.
|
||||
|
||||
# DNS-over-HTTPS via CoreDNS
|
||||
In some corporate environments, its not possible to get reliable DNS outbound
|
||||
service and `proxychains-ng`'s DNS support won't be able to provide for Squid4
|
||||
to actually work. To address this, configuration is included to setup and use
|
||||
CoreDNS as a routing proxy.
|
||||
|
||||
The idea of the DNS-over-HTTPS client is that it will use your local proxy and
|
||||
network access to provide DNS service to Squid4.
|
||||
|
||||
* `DNS_OVER_HTTPS`
|
||||
Default `no`. If `yes` then enables and starts the DNS_OVER_HTTPS service.
|
||||
* `DNS_OVER_HTTPS_LISTEN_ADDR`
|
||||
Default `127.0.0.153:53`. Squid doesn't support changing the port, so keep
|
||||
this in mind.
|
||||
* `DNS_OVER_HTTPS_SERVER`
|
||||
Default `https://dns.google.com/resolve`. AFAIK there's no other options for
|
||||
this at the moment.
|
||||
* `DNS_OVER_HTTPS_NO_PROXY`
|
||||
Default ``. List of DNS suffixes to *not* ever proxy via DNS_OVER_HTTPS.
|
||||
* `DNS_OVER_HTTPS_PREFIX_SERVER`
|
||||
Default ``. Normal DNS server to try resolving first against.
|
||||
* `DNS_OVER_HTTPS_SUFFIX_SERVER`
|
||||
Default ``. Normal DNS server to try resolving last against.
|
||||
|
||||
Since the DNS-over-HTTPS daemon is a separate Go binary, you may also need to
|
||||
specify your internal proxy as an upstream to allow it to contact the HTTPS
|
||||
DNS server - do this by passing the standard `http_proxy` and `https_proxy`
|
||||
parameters. Most likely these will be the same as your `PROXYCHAIN_PROXYx`
|
||||
directives (and probably only the 1).
|
||||
|
||||
# Example Usage
|
||||
The following command line will get you up and running quickly. It presumes
|
||||
you've generated a suitable CA certificate and are intending to use the proxy
|
||||
|
|
|
@ -2,6 +2,13 @@ ARG DOCKER_PREFIX=
|
|||
|
||||
FROM ${DOCKER_PREFIX}ubuntu:artful
|
||||
|
||||
ARG TRUST_CERT=
|
||||
|
||||
RUN if [ ! -z "$TRUST_CERT" ]; then \
|
||||
echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \
|
||||
update-ca-certificates ; \
|
||||
fi
|
||||
|
||||
# Normalize apt sources
|
||||
RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \
|
||||
cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \
|
||||
|
@ -81,11 +88,33 @@ RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng &
|
|||
./configure --prefix=/usr --sysconfdir=/etc && \
|
||||
make -j$CONCURRENCY && make install
|
||||
|
||||
ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz
|
||||
|
||||
RUN wget -O /tmp/doh.tgz \
|
||||
$URL_DOH && \
|
||||
tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \
|
||||
chmod +x /usr/local/bin/dns-over-https-proxy
|
||||
|
||||
COPY squid.conf.p2 /squid.conf.p2
|
||||
COPY squid.bsh /squid.bsh
|
||||
|
||||
# Configuration environment
|
||||
ENV HTTP_PORT=3128 ICP_PORT= HTCP_PORT= MITM_PROXY= MITM_CERT= MITM_KEY= VISIBLE_HOSTNAME=docker-squid4 MAX_CACHE_SIZE=40000 MAX_OBJECT_SIZE="1536 MB" MEM_CACHE_SIZE="128 MB"
|
||||
ENV HTTP_PORT=3128 \
|
||||
ICP_PORT= \
|
||||
HTCP_PORT= \
|
||||
MITM_PROXY= \
|
||||
MITM_CERT= \
|
||||
MITM_KEY= \
|
||||
VISIBLE_HOSTNAME=docker-squid4 \
|
||||
MAX_CACHE_SIZE=40000 \
|
||||
MAX_OBJECT_SIZE="1536 MB" \
|
||||
MEM_CACHE_SIZE="128 MB" \
|
||||
DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \
|
||||
DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \
|
||||
DNS_OVER_HTTPS_NO_FALLTHROUGH="" \
|
||||
DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \
|
||||
DNS_OVER_HTTPS_PREFIX_SERVER= \
|
||||
DNS_OVER_HTTPS_SUFFIX_SERVER=
|
||||
|
||||
EXPOSE 3128
|
||||
|
||||
|
|
|
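Review bot: The `RUN wget -O /tmp/doh.tgz` step fetches a release tarball and extracts every member with `--strip-components=1 -C /usr/local/bin/` without verifying it, so whatever the URL (or a proxy in front of it, which this image is explicitly designed to sit behind) serves lands as an executable in the image; pin a digest and check it before extracting, e.g. `ARG SHA256_DOH=<expected-sha256-of-release-tarball>` next to `ARG URL_DOH`, then `echo "${SHA256_DOH}  /tmp/doh.tgz" | sha256sum -c - && \` between the `wget` and the `tar`. `$URL_DOH` should also be quoted (`"$URL_DOH"`) since ARG values are shell-expanded in the RUN. Separately, the README hunk documents `DNS_OVER_HTTPS_NO_PROXY`, but the new ENV block (and the startup script) use `DNS_OVER_HTTPS_NO_FALLTHROUGH` and `DNS_OVER_HTTPS_FALLTHROUGH_STATUSES`, neither of which the README mentions; the README should describe the variable names that are actually read. The file header for this section is not visible on the page, so the file name is inferred from its content.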
@ -68,6 +68,20 @@ else
|
|||
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
|
||||
fi
|
||||
|
||||
if [ "$DNS_OVER_HTTPS" = "yes" ]; then
|
||||
echo "Starting DNS-over-HTTPS proxy..."
|
||||
# TODO: find a way to tie this to the proxychains config
|
||||
dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \
|
||||
-address "$DNS_OVER_HTTPS_LISTEN_ADDR" \
|
||||
-primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \
|
||||
-fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \
|
||||
-no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \
|
||||
-fallthrough-statues "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES"
|
||||
&
|
||||
echo "Adding dns_nameservers line to squid.conf..."
|
||||
echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf
|
||||
fi
|
||||
|
||||
if [ ! -e /etc/squid4/squid.conf ]; then
|
||||
echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work."
|
||||
exit 1
|
||||
|
@ -106,16 +120,16 @@ if [ "$PROXYCHAIN" = "yes" ]; then
|
|||
exit 1
|
||||
fi
|
||||
# Start squid with proxychains
|
||||
proxychains4 squid -N &
|
||||
proxychains4 -f /etc/proxychains.conf squid -N 2>&1 &
|
||||
PID=$!
|
||||
else
|
||||
# Start squid normally
|
||||
squid -N &
|
||||
squid -N 2>&1 &
|
||||
PID=$!
|
||||
fi
|
||||
|
||||
# This construct allows signals to kill the container successfully.
|
||||
trap "kill -TERM $PID" INT TERM
|
||||
trap "kill -TERM $(jobs -p)" INT TERM
|
||||
wait $PID
|
||||
wait $PID
|
||||
exit $?
|
||||
|
|
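Review bot: The new `trap "kill -TERM $(jobs -p)" INT TERM` line expands `$(jobs -p)` at definition time inside double quotes, so with two background jobs (the DNS-over-HTTPS proxy and squid) the trap body becomes `kill -TERM <pid1>` followed by a newline and `<pid2>` on its own line, which bash runs as a second command; the first job gets TERM and the second PID is executed as a command name, so squid is never signalled, `wait $PID` keeps blocking and the container no longer stops cleanly on SIGTERM as it did with the old `kill -TERM $PID`. Defer the expansion with single quotes so the PIDs are word-split into separate arguments when the trap fires: `trap 'kill -TERM $(jobs -p)' INT TERM`. In the earlier hunk, the `dns-over-https-proxy ... &` invocation is never checked after backgrounding, so if it exits at once (for example because `-fallthrough-statues` is not a flag the binary accepts — it looks misspelled relative to `DNS_OVER_HTTPS_FALLTHROUGH_STATUSES`, please confirm against the binary's help output) squid is still started with `dns_nameservers` pointing at a resolver that is not running; a `sleep 1; kill -0 $! || { echo "ERROR: DNS-over-HTTPS proxy failed to start" >&2; exit 1; }` after the `&` would surface that. As rendered, the `&` also sits on its own line after a `"$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES"` line with no trailing `\`, which would be a syntax error if the backslash is really absent rather than lost in rendering.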