diff --git a/README.md b/README.md index d5e59c9..145d1f9 100644 --- a/README.md +++ b/README.md 
@@ -53,7 +53,36 @@ variables: If set to `yes` then squid configuration templating is disabled entirely, allowing bind mounting the configuration file in manually instead. The certificate and SSL setup still runs normally. - + +# Proxychains +By default squid in SSL MITM mode treats `cache_peer` entries quite differently. +Because squid unwraps the CONNECT statement when bumping an SSL connection, but +does not rewrap it when communicating with peers, it requires all peers to connect +with SSL as well. This breaks compatibility with simple minded proxies. + +To work around this, proxychains-ng (`proxychains4` internally) is built and +included in this image. If you need to use an upstream proxy with a MITM +squid4, you should launch the image in proxychains mode which intercepts squids +direct outbound connections and redirects them via CONNECT requests. This also +adds SOCKS4 and SOCKS5 proxy support if so desired. + +proxychains is configured with the following environment variables. As with the +others above, `CONFIG_DISABLE` prevents overwriting templated files. + + * `PROXYCHAIN` + Default none. If set to `yes` then squid will be launched with proxychains. + You should specify some proxies when doing this. + * `PROXYCHAIN_PROXYx` + Upstream proxies to be passed to the proxy chan config file. The suffix (`x`) + determines the order in which they are templated into the configuration file. + The format is a space separated string like "http 127.0.0.1 3129" + * `PROXYCHAIN_TYPE` + Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly + within this image. In `strict-chain` mode, all proxies must be up. In + `dynamic-chain` mode proxies are used in order, but skipped if down. + Disable configuration and bind a configuration file to /etc/proxychains.conf + if you need more flexibility. + # Example Usage The following command line will get you up and running quickly. 
It presumes you've generated a suitable CA certificate and are intending to use the proxy diff --git a/docker-squid/Dockerfile b/docker-squid/Dockerfile index 07ad528..d91f830 100644 --- a/docker-squid/Dockerfile +++ b/docker-squid/Dockerfile @@ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \ https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ chmod +x /usr/local/bin/p2 +# Clone and build proxychains-ng for SSL upstream proxying +ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330 + +RUN apt-get install -y git + +RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \ + cd /src/proxychains-ng && \ + git checkout $PROXYCHAINS_COMMITTISH && \ + ./configure --prefix=/usr --sysconfdir=/etc && \ + make -j$CONCURRENCY && make install + COPY squid.conf.p2 /squid.conf.p2 COPY squid.bsh /squid.bsh diff --git a/docker-squid/squid.bsh b/docker-squid/squid.bsh index 49fe181..ec3b09c 100755 --- a/docker-squid/squid.bsh +++ b/docker-squid/squid.bsh @@ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then echo "$line" >> /etc/squid4/squid.conf done else - echo "CONFIGURATION TEMPLATING IS DISABLED." + echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED." fi if [ ! -e /etc/squid4/squid.conf ]; then 
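Review bot: `make -j$CONCURRENCY` collapses to a bare `make -j` (unbounded parallelism) whenever CONCURRENCY is empty, and nothing in this hunk declares it as an ARG or ENV; `make -j"${CONCURRENCY:-1}"` keeps the build bounded and the expansion quoted. Pinning `git checkout $PROXYCHAINS_COMMITTISH` to a full commit hash is good, but the same line accepts a branch or tag name supplied as a build arg, so the pin is only as strong as the caller; quoting the expansion and checking `git rev-parse HEAD` against the expected hash after the checkout would make a drifting ref fail closed. `apt-get install -y git` runs without an `apt-get update` in the same layer and leaves git, the apt lists and the /src/proxychains-ng checkout in the final image (assuming no later stage removes them; the rest of the Dockerfile is outside this hunk); `apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*` plus `rm -rf /src/proxychains-ng` after `make install` keeps the image smaller and its attack surface narrower.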
@@ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then exit 1 fi +# If proxychains is requested and config templating is active +if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then + echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf + if [ ! -z "$PROXYCHAIN_TYPE" ]; then + echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf + else + echo "strict-chain" >> /etc/proxychains.conf + fi + echo "[ProxyList]" >> /etc/proxychains.conf + env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do + echo "# $proxyline " >> /etc/squid4/squid.conf + line=$(echo $proxyline | cut -d'=' -f2-) + echo "$line" >> /etc/proxychains.conf + done +else + echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED" +fi + +# Build the configuration directories if needed squid -z -N -squid -N + +if [ "$PROXYCHAIN" = "yes" ]; then + if [ ! -e /etc/proxychains.conf ]; then + echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work." + exit 1 + fi + # Start squid with proxychains + proxychains4 squid -N +else + # Start squid normally + squid -N +fi diff --git a/docker-squid/squid.conf.p2 b/docker-squid/squid.conf.p2 index 1f6a49d..a9f5537 100644 --- a/docker-squid/squid.conf.p2 +++ b/docker-squid/squid.conf.p2 @@ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}} tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ generate-host-certificates=on \
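Review bot: Inside the `while read proxyline` loop the comment line is appended to /etc/squid4/squid.conf rather than /etc/proxychains.conf, which looks like a slip: every start leaves `# PROXYCHAIN_PROXYx=...` lines in the squid config while the proxychains file only receives the bare value. The env scan `grep 'PROXYCHAIN_PROXY'` is unanchored, so any variable whose name or value merely contains that string is picked up, `read` without `-r` mangles backslashes, and `$(echo $proxyline | cut ...)` word-splits and glob-expands the value; `env | grep '^PROXYCHAIN_PROXY' | sort | while IFS= read -r proxyline; do`, `echo "# $proxyline" >> /etc/proxychains.conf` and `line=${proxyline#*=}` address all three. Plain `sort` is also lexical, so `PROXYCHAIN_PROXY10` is templated before `PROXYCHAIN_PROXY2`, contradicting the suffix ordering the README promises; `sort -V` or zero-padded suffixes would match it. The `else` branch prints the "TEMPLATING IS DISABLED" message whenever PROXYCHAIN is not `yes` even when templating is enabled, so that message belongs under a test of `CONFIG_DISABLE` alone.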
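Review bot: The new `cipher=ALL:!RC4:...` string drops the previous list's restriction to ephemeral key exchange (EECDH/EDH), so squid's outgoing TLS can now negotiate static-RSA and other non-forward-secret suites that `ALL` admits, and because a bumping proxy terminates the client's TLS and re-encrypts on its behalf, this applies to every outgoing connection it makes. If the motivation was compatibility with upstream servers the old list rejected (the commit message is not visible here), a narrower widening keeps forward secrecy, e.g. `cipher=EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS` (constructed example; verify the resulting set with `openssl ciphers -v`). Either way, a template comment above `tls_outgoing_options` stating why the list was relaxed would stop the next reviewer from tightening it back blindly.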