Add support for proxychains and fix SSL cipher selection.

2016-04-14 00:41:08 +10:00 · 2016-04-14 00:41:08 +10:00 · b5f235eea7
parent 811577a814
commit b5f235eea7
4 changed files with 74 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -53,7 +53,36 @@ variables:
   If set to `yes` then squid configuration templating is disabled entirely, allowing
   bind mounting the configuration file in manually instead. The certificate and SSL
   setup still runs normally.
-    
+
+# Proxychains
+By default squid in SSL MITM mode treats `cache_peer` entries quite differently.
+Because squid unwraps the CONNECT statement when bumping an SSL connection, but
+does not rewrap it when communicating with peers, it requires all peers to connect
+with SSL as well. This breaks compatibility with simple minded proxies.
+
+To work around this, proxychains-ng (`proxychains4` internally) is built and
+included in this image. If you need to use an upstream proxy with a MITM
+squid4, you should launch the image in proxychains mode which intercepts squids
+direct outbound connections and redirects them via CONNECT requests. This also
+adds SOCKS4 and SOCKS5 proxy support if so desired.
+
+proxychains is configured with the following environment variables. As with the
+others above, `CONFIG_DISABLE` prevents overwriting templated files.
+
+ * `PROXYCHAIN`
+    Default none. If set to `yes` then squid will be launched with proxychains.
+    You should specify some proxies when doing this.
+ * `PROXYCHAIN_PROXYx`
+    Upstream proxies to be passed to the proxy chan config file. The suffix (`x`)
+    determines the order in which they are templated into the configuration file.
+    The format is a space separated string like "http 127.0.0.1 3129"
+ * `PROXYCHAIN_TYPE`
+    Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly
+    within this image. In `strict-chain` mode, all proxies must be up. In
+    `dynamic-chain` mode proxies are used in order, but skipped if down.
+    Disable configuration and bind a configuration file to /etc/proxychains.conf
+    if you need more flexibility.
+  
 # Example Usage
 The following command line will get you up and running quickly. It presumes
 you've generated a suitable CA certificate and are intending to use the proxy
--- a/docker-squid/Dockerfile
+++ b/docker-squid/Dockerfile
@ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \
    https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
    chmod +x /usr/local/bin/p2

+# Clone and build proxychains-ng for SSL upstream proxying
+ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330
+
+RUN apt-get install -y git
+
+RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
+    cd /src/proxychains-ng && \
+    git checkout $PROXYCHAINS_COMMITTISH && \
+    ./configure --prefix=/usr --sysconfdir=/etc && \
+    make -j$CONCURRENCY && make install
+
 COPY squid.conf.p2 /squid.conf.p2
 COPY squid.bsh /squid.bsh

--- a/docker-squid/squid.bsh
+++ b/docker-squid/squid.bsh
@ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then
        echo "$line" >> /etc/squid4/squid.conf
    done
 else
-    echo "CONFIGURATION TEMPLATING IS DISABLED."
+    echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
 fi

 if [ ! -e /etc/squid4/squid.conf ]; then
@ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then
    exit 1
 fi

+# If proxychains is requested and config templating is active
+if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
+    echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
+    if [ ! -z "$PROXYCHAIN_TYPE" ]; then
+        echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
+    else
+        echo "strict-chain" >> /etc/proxychains.conf
+    fi
+    echo "[ProxyList]" >> /etc/proxychains.conf
+    env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
+        echo "# $proxyline " >> /etc/squid4/squid.conf
+        line=$(echo $proxyline | cut -d'=' -f2-)
+        echo "$line" >> /etc/proxychains.conf
+    done
+else
+    echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
+fi
+
+# Build the configuration directories if needed
 squid -z -N
-squid -N
+
+if [ "$PROXYCHAIN" = "yes" ]; then
+    if [ ! -e /etc/proxychains.conf ]; then
+        echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
+        exit 1
+    fi 
+    # Start squid with proxychains
+    proxychains4 squid -N
+else
+    # Start squid normally
+    squid -N
+fi
--- a/docker-squid/squid.conf.p2
+++ b/docker-squid/squid.conf.p2
@ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}

 tls_outgoing_options capath=/etc/ssl/certs \
    options=NO_SSLv3,NO_TLSv1 \
-    cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+    cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

 http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
    generate-host-certificates=on \