Add support for proxychains and fix SSL cipher selection.
This commit is contained in:
parent
811577a814
commit
b5f235eea7
29
README.md
29
README.md
|
@ -54,6 +54,35 @@ variables:
|
||||||
bind mounting the configuration file in manually instead. The certificate and SSL
|
bind mounting the configuration file in manually instead. The certificate and SSL
|
||||||
setup still runs normally.
|
setup still runs normally.
|
||||||
|
|
||||||
|
# Proxychains
|
||||||
|
By default squid in SSL MITM mode treats `cache_peer` entries quite differently.
|
||||||
|
Because squid unwraps the CONNECT statement when bumping an SSL connection, but
|
||||||
|
does not rewrap it when communicating with peers, it requires all peers to connect
|
||||||
|
with SSL as well. This breaks compatibility with simple minded proxies.
|
||||||
|
|
||||||
|
To work around this, proxychains-ng (`proxychains4` internally) is built and
|
||||||
|
included in this image. If you need to use an upstream proxy with a MITM
|
||||||
|
squid4, you should launch the image in proxychains mode which intercepts squids
|
||||||
|
direct outbound connections and redirects them via CONNECT requests. This also
|
||||||
|
adds SOCKS4 and SOCKS5 proxy support if so desired.
|
||||||
|
|
||||||
|
proxychains is configured with the following environment variables. As with the
|
||||||
|
others above, `CONFIG_DISABLE` prevents overwriting templated files.
|
||||||
|
|
||||||
|
* `PROXYCHAIN`
|
||||||
|
Default none. If set to `yes` then squid will be launched with proxychains.
|
||||||
|
You should specify some proxies when doing this.
|
||||||
|
* `PROXYCHAIN_PROXYx`
|
||||||
|
Upstream proxies to be passed to the proxy chan config file. The suffix (`x`)
|
||||||
|
determines the order in which they are templated into the configuration file.
|
||||||
|
The format is a space separated string like "http 127.0.0.1 3129"
|
||||||
|
* `PROXYCHAIN_TYPE`
|
||||||
|
Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly
|
||||||
|
within this image. In `strict-chain` mode, all proxies must be up. In
|
||||||
|
`dynamic-chain` mode proxies are used in order, but skipped if down.
|
||||||
|
Disable configuration and bind a configuration file to /etc/proxychains.conf
|
||||||
|
if you need more flexibility.
|
||||||
|
|
||||||
# Example Usage
|
# Example Usage
|
||||||
The following command line will get you up and running quickly. It presumes
|
The following command line will get you up and running quickly. It presumes
|
||||||
you've generated a suitable CA certificate and are intending to use the proxy
|
you've generated a suitable CA certificate and are intending to use the proxy
|
||||||
|
|
|
@ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \
|
||||||
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
|
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
|
||||||
chmod +x /usr/local/bin/p2
|
chmod +x /usr/local/bin/p2
|
||||||
|
|
||||||
|
# Clone and build proxychains-ng for SSL upstream proxying
|
||||||
|
ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330
|
||||||
|
|
||||||
|
RUN apt-get install -y git
|
||||||
|
|
||||||
|
RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
|
||||||
|
cd /src/proxychains-ng && \
|
||||||
|
git checkout $PROXYCHAINS_COMMITTISH && \
|
||||||
|
./configure --prefix=/usr --sysconfdir=/etc && \
|
||||||
|
make -j$CONCURRENCY && make install
|
||||||
|
|
||||||
COPY squid.conf.p2 /squid.conf.p2
|
COPY squid.conf.p2 /squid.conf.p2
|
||||||
COPY squid.bsh /squid.bsh
|
COPY squid.bsh /squid.bsh
|
||||||
|
|
||||||
|
|
|
@ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then
|
||||||
echo "$line" >> /etc/squid4/squid.conf
|
echo "$line" >> /etc/squid4/squid.conf
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
echo "CONFIGURATION TEMPLATING IS DISABLED."
|
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -e /etc/squid4/squid.conf ]; then
|
if [ ! -e /etc/squid4/squid.conf ]; then
|
||||||
|
@ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# If proxychains is requested and config templating is active
|
||||||
|
if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
|
||||||
|
echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
|
||||||
|
if [ ! -z "$PROXYCHAIN_TYPE" ]; then
|
||||||
|
echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
|
||||||
|
else
|
||||||
|
echo "strict-chain" >> /etc/proxychains.conf
|
||||||
|
fi
|
||||||
|
echo "[ProxyList]" >> /etc/proxychains.conf
|
||||||
|
env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
|
||||||
|
echo "# $proxyline " >> /etc/squid4/squid.conf
|
||||||
|
line=$(echo $proxyline | cut -d'=' -f2-)
|
||||||
|
echo "$line" >> /etc/proxychains.conf
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Build the configuration directories if needed
|
||||||
squid -z -N
|
squid -z -N
|
||||||
squid -N
|
|
||||||
|
if [ "$PROXYCHAIN" = "yes" ]; then
|
||||||
|
if [ ! -e /etc/proxychains.conf ]; then
|
||||||
|
echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# Start squid with proxychains
|
||||||
|
proxychains4 squid -N
|
||||||
|
else
|
||||||
|
# Start squid normally
|
||||||
|
squid -N
|
||||||
|
fi
|
||||||
|
|
|
@ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
|
||||||
|
|
||||||
tls_outgoing_options capath=/etc/ssl/certs \
|
tls_outgoing_options capath=/etc/ssl/certs \
|
||||||
options=NO_SSLv3,NO_TLSv1 \
|
options=NO_SSLv3,NO_TLSv1 \
|
||||||
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
||||||
|
|
||||||
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
|
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
|
||||||
generate-host-certificates=on \
|
generate-host-certificates=on \
|
||||||
|
|
Loading…
Reference in New Issue