Full functionality build, producing a heavy-weight image.

Future refinement should include scripting the build and then stripping all
ephemeral dependencies.
Will Rouesnel 2016-03-26 21:23:11 +11:00
parent 25fd7172cc
commit 3a8b53db48
4 changed files with 205 additions and 0 deletions

README.md Normal file (44 additions)

@ -0,0 +1,44 @@
# Squid4 with SSL proxying
This dockerfile builds a Squid 4.0.7 instance and includes all the necessary
tooling to run it as a MITM (man-in-the-middle) SSL proxy.
There's a number of reasons to do this - the big one being optimizing caching
and delivery of objects during docker builds which might be downloading them
from SSL protected endpoints.
It will require you to generate your own CA and set it as trusted.
The resulting docker image uses the following configuration environment
variables:
* `HTTP_PORT`
Default: `3128`
* `ICP_PORT`
If set, enables ICP on the given port for all users.
* `HTCP_PORT`
If set, enables HTCP on the given port for all users.
* `MITM_PROXY`
If set, tries to enable MITM SSL proxy functionality (requires CERT and KEY)
* `MITM_CERT`
If set, the given PEM certificate is copied and used as the CA authority for
MITM'ing connections.
* `MITM_KEY`
If set, the given PEM certificate is copied and used as the signing key for
the MITM CA.
* `VISIBLE_HOSTNAME`
Default: `docker-squid4`
Should be set to a unique value if you are chaining multiple proxy servers.
* `MAX_CACHE_SIZE`
Default: `40000`
Cache size in megabytes. The cache defaults to `/var/cache/squid4`. You
should mount a volume here to make it persistent.
* `MAX_OBJECT_SIZE`
Default `"1536 MB"`
Maximum object size to store in the cache. This is set high as one of my
typical use cases is proxying distribution images.
* `MEM_CACHE_SIZE`
Default: `"128 MB"`
Default memory cache size. I've no real clue what this should be, but RAM
is plentiful so I like to keep it fairly large.
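Review bot: the `MITM_PROXY` entry says "If set", but the template only enables bumping when the value is exactly `yes` (`{% if MITM_PROXY|default:"" == "yes" %}`), so the README should state the required value, e.g. `MITM_PROXY=yes`. The `MITM_KEY` entry describes the file as a "PEM certificate" when it is the CA's PEM private key; say so, and note that whoever holds that key can issue a certificate for any site that clients trusting the CA will accept, so it belongs in a read-only mount and never in the image itself. Also worth mentioning here that `squid.bsh` currently exits unless both `MITM_CERT` and `MITM_KEY` are given, which contradicts the "If set" wording for those two variables.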

docker-squid/Dockerfile Normal file (68 additions)

@ -0,0 +1,68 @@
FROM debian:jessie
RUN sed s:deb:deb-src: /etc/apt/sources.list >> /etc/apt/sources.list
RUN apt-get update && apt-get build-dep -y squid3 && apt-get install -y wget tar xz-utils libssl-dev
RUN mkdir /src \
&& cd /src \
&& wget http://www.squid-cache.org/Versions/v4/squid-4.0.7.tar.xz \
&& tar -xvvf squid-4.0.7.tar.xz
RUN cd /src/squid-4.0.7 && \
./configure \
--prefix=/usr \
--datadir=/usr/share/squid4 \
--sysconfdir=/etc/squid4 \
--localstatedir=/var \
--mandir=/usr/share/man \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd,rock" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-underscores \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos,wrapper" \
--enable-auth-ntlm="fake" \
--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \
--enable-url-rewrite-helpers="fake" \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--with-openssl \
--enable-ssl \
--enable-ssl-crtd \
--disable-translation \
--with-swapdir=/var/spool/squid4 \
--with-logdir=/var/log/squid4 \
--with-pidfile=/var/run/squid4.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy
ARG CONCURRENCY=1
RUN cd /src/squid-4.0.7 && \
make -j$CONCURRENCY && \
make install
# Download p2cli dependency
RUN wget -O /usr/local/bin/p2 \
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
chmod +x /usr/local/bin/p2
COPY squid.conf.p2 /squid.conf.p2
COPY squid.bsh /squid.bsh
# Configuration environment
ENV HTTP_PORT=3128 ICP_PORT= HTCP_PORT= MITM_PROXY= MITM_CERT= MITM_KEY= VISIBLE_HOSTNAME=docker-squid4 MAX_CACHE_SIZE=40000 MAX_OBJECT_SIZE="1536 MB" MEM_CACHE_SIZE="128 MB"
EXPOSE 3128
CMD /squid.bsh
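Review bot: both downloads are unauthenticated: the squid source is fetched with `wget http://www.squid-cache.org/Versions/v4/squid-4.0.7.tar.xz` over plain HTTP, and the `p2` binary from GitHub is written straight to `/usr/local/bin` and executed at every container start, neither with a checksum. Pin an expected SHA-256 for each and fail the build on mismatch (`echo "<sha256>  squid-4.0.7.tar.xz" | sha256sum -c -`), or verify the tarball against the signature the Squid project publishes; anything that tampers with these artifacts ends up as root in the build and as a proxy that terminates TLS for every client. Minor: `EXPOSE 3128` is hard-coded while `HTTP_PORT` is configurable, and the build-only packages from `apt-get build-dep -y squid3` and `libssl-dev` stay in the final layer, which is the point the commit message already raises.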

docker-squid/squid.bsh Executable file (49 additions)

@ -0,0 +1,49 @@
#!/bin/bash
# Setup the ssl_cert directory
if [ ! -d /etc/squid4/ssl_cert ]; then
mkdir /etc/squid4/ssl_cert
fi
chown -R proxy:proxy /etc/squid4
chmod 700 /etc/squid4/ssl_cert
# Setup the squid cache directory
if [ ! -d /var/cache/squid4 ]; then
mkdir -p /var/cache/squid4
fi
chown -R proxy: /var/cache/squid4
chmod -R 750 /var/cache/squid4
if [ ! -z $MITM_KEY ]; then
echo "Copying $MITM_KEY as MITM key..."
cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem
chown root:proxy /etc/squid4/ssl_cert/mitm.pem
fi
if [ ! -z $MITM_CERT ]; then
echo "Copying $MITM_CERT as MITM CA..."
cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt
chown root:proxy /etc/squid4/ssl_cert/mitm.crt
fi
if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then
echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2
exit 1
fi
chown proxy: /dev/stdout
chown proxy: /dev/stderr
# Initialize the certificates database
/usr/libexec/security_file_certgen -c -s /var/lib/ssl_db
chown -R proxy: /var/lib/ssl_db
#ssl_crtd -c -s
#ssl_db
# Set the configuration
p2 -t /squid.conf.p2 > /etc/squid4/squid.conf
squid -z -N
squid -N
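Review bot: the failure message at `echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2` is double-quoted, so the variables (empty on this branch) are expanded and the operator sees `Must specify  AND .`; single-quote it so the variable names print literally. The same check makes the certificate and key mandatory even when `MITM_PROXY` is not `yes`, contradicting the README's "If set" wording; gate both the copy blocks and the check on `MITM_PROXY`. The `[ ! -z $MITM_KEY ]` and `[ ! -z $MITM_CERT ]` tests should quote the expansions (`[ -n "$MITM_KEY" ]`) so a path containing spaces cannot break or bypass the test, and `cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem` preserves the source file's mode, so follow it with `chmod 640` to keep the CA private key from being world-readable inside the container. The commented-out `#ssl_crtd -c -s` and `#ssl_db` lines look like leftovers from the old helper name and can be dropped.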


@ -0,0 +1,44 @@
# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN.
# Default all logs to stdout and stderr
logfile_rotate 0
access_log stdio:/dev/stdout combined
cache_store_log stdio:/dev/stdout
cache_log /dev/stderr
netdb_filename stdio:/var/cache/squid4/netdb.state
# Visible hostname to allow multi-squid
visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}}
# Cache directory is fixed since we'll bind mount.
cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256
maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}}
cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
tls_outgoing_options capath=/etc/ssl/certs \
options=NO_SSLv3,NO_TLSv1 \
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB \
cert=/etc/squid4/ssl_cert/mitm.crt \
key=/etc/squid4/ssl_cert/mitm.pem
{% endif %}
{% if MITM_PROXY|default:"" == "yes" %}
ssl_bump server-first all
{% endif %}
{% if ICP_PORT|default:"" != "" %}
icp_port {{ICP_PORT}}
icp_access allow all
{% endif %}
{% if HTCP_PORT|default:"" != "" %}
htcp_port {{HTCP_PORT}}
htcp_access allow all
{% endif %}
http_access allow all
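Review bot: `http_access allow all`, together with `icp_access allow all` and `htcp_access allow all`, has no source ACL, so this is an open proxy the moment the port is published beyond the Docker bridge; define an `acl localnet src ...` for the build network, allow only that, and end with `http_access deny all` as the stock squid.conf does. In the `cipher=` list, `EECDH+aRSA+RC4` is dead because the later `!RC4` removes it; drop the entry so the intent is unambiguous. `ssl_bump server-first all` is the deprecated pre-3.5 form; the peek-and-splice steps (`ssl_bump peek step1` followed by `ssl_bump bump all`) are the supported way to express "bump everything", and since bumped clients only ever see the MITM CA's certificate, the `tls_outgoing_options capath=/etc/ssl/certs` validation Squid performs upstream is the only certificate check in the path, which deserves a comment in the template.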