Add support for proxychains and fix SSL cipher selection.

This commit is contained in:
Will Rouesnel 2016-04-14 00:41:08 +10:00
parent 811577a814
commit b5f235eea7
4 changed files with 74 additions and 4 deletions

View File

@ -54,6 +54,35 @@ variables:
bind mounting the configuration file in manually instead. The certificate and SSL
setup still runs normally.
# Proxychains
By default squid in SSL MITM mode treats `cache_peer` entries quite differently.
Because squid unwraps the CONNECT statement when bumping an SSL connection, but
does not rewrap it when communicating with peers, it requires all peers to connect
with SSL as well. This breaks compatibility with simple minded proxies.
To work around this, proxychains-ng (`proxychains4` internally) is built and
included in this image. If you need to use an upstream proxy with a MITM
squid4, you should launch the image in proxychains mode which intercepts squids
direct outbound connections and redirects them via CONNECT requests. This also
adds SOCKS4 and SOCKS5 proxy support if so desired.
proxychains is configured with the following environment variables. As with the
others above, `CONFIG_DISABLE` prevents overwriting templated files.
* `PROXYCHAIN`
Default none. If set to `yes` then squid will be launched with proxychains.
You should specify some proxies when doing this.
* `PROXYCHAIN_PROXYx`
Upstream proxies to be passed to the proxy chan config file. The suffix (`x`)
determines the order in which they are templated into the configuration file.
The format is a space separated string like "http 127.0.0.1 3129"
* `PROXYCHAIN_TYPE`
Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly
within this image. In `strict-chain` mode, all proxies must be up. In
`dynamic-chain` mode proxies are used in order, but skipped if down.
Disable configuration and bind a configuration file to /etc/proxychains.conf
if you need more flexibility.
# Example Usage
The following command line will get you up and running quickly. It presumes
you've generated a suitable CA certificate and are intending to use the proxy

View File

@ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
chmod +x /usr/local/bin/p2
# Clone and build proxychains-ng for SSL upstream proxying
ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330
RUN apt-get install -y git
RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
cd /src/proxychains-ng && \
git checkout $PROXYCHAINS_COMMITTISH && \
./configure --prefix=/usr --sysconfdir=/etc && \
make -j$CONCURRENCY && make install
COPY squid.conf.p2 /squid.conf.p2
COPY squid.bsh /squid.bsh

View File

@ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then
echo "$line" >> /etc/squid4/squid.conf
done
else
echo "CONFIGURATION TEMPLATING IS DISABLED."
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
fi
if [ ! -e /etc/squid4/squid.conf ]; then
@ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then
exit 1
fi
# If proxychains is requested and config templating is active
if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
if [ ! -z "$PROXYCHAIN_TYPE" ]; then
echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
else
echo "strict-chain" >> /etc/proxychains.conf
fi
echo "[ProxyList]" >> /etc/proxychains.conf
env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
echo "# $proxyline " >> /etc/squid4/squid.conf
line=$(echo $proxyline | cut -d'=' -f2-)
echo "$line" >> /etc/proxychains.conf
done
else
echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
fi
# Build the configuration directories if needed
squid -z -N
if [ "$PROXYCHAIN" = "yes" ]; then
if [ ! -e /etc/proxychains.conf ]; then
echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
exit 1
fi
# Start squid with proxychains
proxychains4 squid -N
else
# Start squid normally
squid -N
fi

View File

@ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
tls_outgoing_options capath=/etc/ssl/certs \
options=NO_SSLv3,NO_TLSv1 \
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
generate-host-certificates=on \