Add support for proxychains and fix SSL cipher selection.
This commit is contained in:
parent 811577a814
commit b5f235eea7

README.md (29)
							|  | @ -54,6 +54,35 @@ variables: | ||||||
|    bind mounting the configuration file in manually instead. The certificate and SSL |    bind mounting the configuration file in manually instead. The certificate and SSL | ||||||
|    setup still runs normally. |    setup still runs normally. | ||||||
| 
 | 
 | ||||||
|  | # Proxychains | ||||||
|  | By default squid in SSL MITM mode treats `cache_peer` entries quite differently. | ||||||
|  | Because squid unwraps the CONNECT statement when bumping an SSL connection, but | ||||||
|  | does not rewrap it when communicating with peers, it requires all peers to connect | ||||||
|  | with SSL as well. This breaks compatibility with simple minded proxies. | ||||||
|  | 
 | ||||||
|  | To work around this, proxychains-ng (`proxychains4` internally) is built and | ||||||
|  | included in this image. If you need to use an upstream proxy with a MITM | ||||||
|  | squid4, you should launch the image in proxychains mode which intercepts squids | ||||||
|  | direct outbound connections and redirects them via CONNECT requests. This also | ||||||
|  | adds SOCKS4 and SOCKS5 proxy support if so desired. | ||||||
|  | 
 | ||||||
|  | proxychains is configured with the following environment variables. As with the | ||||||
|  | others above, `CONFIG_DISABLE` prevents overwriting templated files. | ||||||
|  | 
 | ||||||
|  |  * `PROXYCHAIN` | ||||||
|  |     Default none. If set to `yes` then squid will be launched with proxychains. | ||||||
|  |     You should specify some proxies when doing this. | ||||||
|  |  * `PROXYCHAIN_PROXYx` | ||||||
|  |     Upstream proxies to be passed to the proxy chan config file. The suffix (`x`) | ||||||
|  |     determines the order in which they are templated into the configuration file. | ||||||
|  |     The format is a space separated string like "http 127.0.0.1 3129" | ||||||
|  |  * `PROXYCHAIN_TYPE` | ||||||
|  |     Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly | ||||||
|  |     within this image. In `strict-chain` mode, all proxies must be up. In | ||||||
|  |     `dynamic-chain` mode proxies are used in order, but skipped if down. | ||||||
|  |     Disable configuration and bind a configuration file to /etc/proxychains.conf | ||||||
|  |     if you need more flexibility. | ||||||
|  |    | ||||||
| # Example Usage | # Example Usage | ||||||
| The following command line will get you up and running quickly. It presumes | The following command line will get you up and running quickly. It presumes | ||||||
| you've generated a suitable CA certificate and are intending to use the proxy | you've generated a suitable CA certificate and are intending to use the proxy | ||||||
|  |  | ||||||
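Review bot: the `PROXYCHAIN_TYPE` values documented as `strict-chain` and `dynamic-chain` (hyphens) are not proxychains-ng keywords; its configuration syntax is `strict_chain`, `dynamic_chain`, `random_chain` and `round_robin_chain` (underscores), and squid.bsh echoes the variable verbatim into /etc/proxychains.conf, so a user following this README gets a line the library ignores and the chain mode falls back to the library default instead of strict mode. Document the underscore forms as the accepted values (or state that the script translates them). Two smaller points: "proxy chan config file" should read "proxychains config file", and the paragraph saying proxychains "intercepts squids direct outbound connections" would help operators more if it said how: proxychains-ng is an LD_PRELOAD hook on libc `connect()`, so it only catches TCP connects from dynamically linked code, and name resolution is not redirected unless `proxy_dns` is set in proxychains.conf, which this image's template never writes. A deployment that exists because the host has no direct egress will still need working local DNS, or a bind-mounted config with `proxy_dns`. The line after the last bullet is whitespace only.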
|  | @ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \ | ||||||
|     https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ |     https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ | ||||||
|     chmod +x /usr/local/bin/p2 |     chmod +x /usr/local/bin/p2 | ||||||
| 
 | 
 | ||||||
|  | # Clone and build proxychains-ng for SSL upstream proxying | ||||||
|  | ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330 | ||||||
|  | 
 | ||||||
|  | RUN apt-get install -y git | ||||||
|  | 
 | ||||||
|  | RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \ | ||||||
|  |     cd /src/proxychains-ng && \ | ||||||
|  |     git checkout $PROXYCHAINS_COMMITTISH && \ | ||||||
|  |     ./configure --prefix=/usr --sysconfdir=/etc && \ | ||||||
|  |     make -j$CONCURRENCY && make install | ||||||
|  | 
 | ||||||
| COPY squid.conf.p2 /squid.conf.p2 | COPY squid.conf.p2 /squid.conf.p2 | ||||||
| COPY squid.bsh /squid.bsh | COPY squid.bsh /squid.bsh | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
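Review bot: `RUN apt-get install -y git` runs in its own layer with no `apt-get update`, so it depends on a package index left by an earlier layer and fails on rebuilds once that cache is stale; fold it into the clone layer as `apt-get update && apt-get install -y --no-install-recommends git && ... && rm -rf /var/lib/apt/lists/*`. The same layer leaves git and the full `/src/proxychains-ng` checkout (with its `.git` history) in the shipped image; delete the source tree after `make install`, or build in a separate stage and copy only the installed `proxychains4` binary and `libproxychains4.so` into the runtime image. Pinning `PROXYCHAINS_COMMITTISH` to a full SHA is the right call. One nit: `make -j$CONCURRENCY` degrades to an unbounded `make -j` if `CONCURRENCY` is not declared as an ARG earlier in the file; `-j${CONCURRENCY:-1}` is safer.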
|  | @ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then | ||||||
|         echo "$line" >> /etc/squid4/squid.conf |         echo "$line" >> /etc/squid4/squid.conf | ||||||
|     done |     done | ||||||
| else | else | ||||||
|     echo "CONFIGURATION TEMPLATING IS DISABLED." |     echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED." | ||||||
| fi | fi | ||||||
| 
 | 
 | ||||||
| if [ ! -e /etc/squid4/squid.conf ]; then | if [ ! -e /etc/squid4/squid.conf ]; then | ||||||
|  | @ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| 
 | 
 | ||||||
|  | # If proxychains is requested and config templating is active | ||||||
|  | if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then | ||||||
|  |     echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf | ||||||
|  |     if [ ! -z "$PROXYCHAIN_TYPE" ]; then | ||||||
|  |         echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf | ||||||
|  |     else | ||||||
|  |         echo "strict-chain" >> /etc/proxychains.conf | ||||||
|  |     fi | ||||||
|  |     echo "[ProxyList]" >> /etc/proxychains.conf | ||||||
|  |     env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do | ||||||
|  |         echo "# $proxyline " >> /etc/squid4/squid.conf | ||||||
|  |         line=$(echo $proxyline | cut -d'=' -f2-) | ||||||
|  |         echo "$line" >> /etc/proxychains.conf | ||||||
|  |     done | ||||||
|  | else | ||||||
|  |     echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED" | ||||||
|  | fi | ||||||
|  | 
 | ||||||
|  | # Build the configuration directories if needed | ||||||
| squid -z -N | squid -z -N | ||||||
| squid -N | 
 | ||||||
|  | if [ "$PROXYCHAIN" = "yes" ]; then | ||||||
|  |     if [ ! -e /etc/proxychains.conf ]; then | ||||||
|  |         echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work." | ||||||
|  |         exit 1 | ||||||
|  |     fi  | ||||||
|  |     # Start squid with proxychains | ||||||
|  |     proxychains4 squid -N | ||||||
|  | else | ||||||
|  |     # Start squid normally | ||||||
|  |     squid -N | ||||||
|  | fi | ||||||
|  |  | ||||||
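Review bot: the fallback `echo "strict-chain" >> /etc/proxychains.conf` writes a keyword proxychains-ng does not recognise (its config uses `strict_chain`, `dynamic_chain`, `random_chain`, `round_robin_chain`), so the advertised strict default is silently not applied, and a mistyped `PROXYCHAIN_TYPE` passes through unchecked for the same reason. Validate the value against that list and default to `strict_chain`. In the proxy loop, `echo "# $proxyline " >> /etc/squid4/squid.conf` appends the proxychains variables to squid.conf instead of /etc/proxychains.conf, which looks like a copy-paste slip. `env | grep 'PROXYCHAIN_PROXY'` is unanchored (it also matches any variable whose value contains that string), and plain `sort` orders lexically, so `PROXYCHAIN_PROXY10` lands before `PROXYCHAIN_PROXY2`, contradicting the ordering the README promises; `env | grep '^PROXYCHAIN_PROXY[0-9]*=' | sort -V` fixes both on GNU coreutils, and `$proxyline` should be quoted in the `echo ... | cut` to avoid word splitting. The `else` branch prints "CONFIGURATION TEMPLATING IS DISABLED" even when `PROXYCHAIN` is simply unset, which is misleading. Finally, SOCKS entries may carry `user pass` fields, and the file is created with the default umask; consider tightening its mode since the credentials are otherwise readable by every process in the container.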
|  | @ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}} | ||||||
| 
 | 
 | ||||||
| tls_outgoing_options capath=/etc/ssl/certs \ | tls_outgoing_options capath=/etc/ssl/certs \ | ||||||
|     options=NO_SSLv3,NO_TLSv1 \ |     options=NO_SSLv3,NO_TLSv1 \ | ||||||
|     cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS |     cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS | ||||||
| 
 | 
 | ||||||
| http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ | http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ | ||||||
|     generate-host-certificates=on \ |     generate-host-certificates=on \ | ||||||
|  |  | ||||||
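Review bot: replacing the explicit EECDH/EDH list with `ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS` does more than fix selection: `ALL` admits the static-RSA (`kRSA`) suites the old string excluded entirely, so outgoing connections to origin servers can now negotiate non-forward-secret key exchange, and it hands preference ordering to OpenSSL's defaults rather than putting ECDHE+AESGCM first. If the old string was the problem (it did contain the redundant `EECDH+aRSA+RC4` entry, already killed by the trailing `!RC4`), a narrower change is to keep the EECDH/EDH groups and drop only that entry, or at minimum add `!kRSA` to the new list; `openssl ciphers -v '<string>' | grep kRSA` shows what each variant lets in, and `squid -k parse` confirms squid accepts it. Two related caveats for whoever touches this next: `options=NO_SSLv3,NO_TLSv1` still permits TLS 1.1 (squid 4's `min-version=1.2` on `tls_outgoing_options` is the cleaner control), and `cipher=` governs only TLS 1.2 and earlier suites; TLS 1.3 ciphersuites are not affected by this string.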