Add support for proxychains and fix SSL cipher selection.
This commit is contained in:
parent
811577a814
commit
b5f235eea7
29
README.md
29
README.md
|
@ -54,6 +54,35 @@ variables:
|
|||
bind mounting the configuration file in manually instead. The certificate and SSL
|
||||
setup still runs normally.
|
||||
|
||||
# Proxychains
|
||||
By default squid in SSL MITM mode treats `cache_peer` entries quite differently.
|
||||
Because squid unwraps the CONNECT statement when bumping an SSL connection, but
|
||||
does not rewrap it when communicating with peers, it requires all peers to connect
|
||||
with SSL as well. This breaks compatibility with simple minded proxies.
|
||||
|
||||
To work around this, proxychains-ng (`proxychains4` internally) is built and
|
||||
included in this image. If you need to use an upstream proxy with a MITM
|
||||
squid4, you should launch the image in proxychains mode which intercepts squids
|
||||
direct outbound connections and redirects them via CONNECT requests. This also
|
||||
adds SOCKS4 and SOCKS5 proxy support if so desired.
|
||||
|
||||
proxychains is configured with the following environment variables. As with the
|
||||
others above, `CONFIG_DISABLE` prevents overwriting templated files.
|
||||
|
||||
* `PROXYCHAIN`
|
||||
Default none. If set to `yes` then squid will be launched with proxychains.
|
||||
You should specify some proxies when doing this.
|
||||
* `PROXYCHAIN_PROXYx`
|
||||
Upstream proxies to be passed to the proxy chan config file. The suffix (`x`)
|
||||
determines the order in which they are templated into the configuration file.
|
||||
The format is a space separated string like "http 127.0.0.1 3129"
|
||||
* `PROXYCHAIN_TYPE`
|
||||
Default `strict-chain`. Can be `strict-chain` or `dynamic-chain` sensibly
|
||||
within this image. In `strict-chain` mode, all proxies must be up. In
|
||||
`dynamic-chain` mode proxies are used in order, but skipped if down.
|
||||
Disable configuration and bind a configuration file to /etc/proxychains.conf
|
||||
if you need more flexibility.
|
||||
|
||||
# Example Usage
|
||||
The following command line will get you up and running quickly. It presumes
|
||||
you've generated a suitable CA certificate and are intending to use the proxy
|
||||
|
|
|
@ -57,6 +57,17 @@ RUN wget -O /usr/local/bin/p2 \
|
|||
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
|
||||
chmod +x /usr/local/bin/p2
|
||||
|
||||
# Clone and build proxychains-ng for SSL upstream proxying
|
||||
ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330
|
||||
|
||||
RUN apt-get install -y git
|
||||
|
||||
RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
|
||||
cd /src/proxychains-ng && \
|
||||
git checkout $PROXYCHAINS_COMMITTISH && \
|
||||
./configure --prefix=/usr --sysconfdir=/etc && \
|
||||
make -j$CONCURRENCY && make install
|
||||
|
||||
COPY squid.conf.p2 /squid.conf.p2
|
||||
COPY squid.bsh /squid.bsh
|
||||
|
||||
|
|
|
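Review bot: `RUN apt-get install -y git` sits in its own layer with no `apt-get update` beside it, so unless an earlier layer outside this hunk refreshed the package lists the install works from a stale or missing cache, and git, the apt lists and the /src/proxychains-ng clone all remain in the final image. Pinning `PROXYCHAINS_COMMITTISH` to a full commit hash is the right supply-chain choice; it deserves a comment stating the value must stay a full SHA, since `git checkout` would equally accept a moving branch name if the build arg is overridden. `$CONCURRENCY` is not declared in this hunk (presumably an earlier `ARG`); if it is ever empty, `make -j` runs with unlimited jobs. Folding the install, build and cleanup into one RUN keeps the image smaller and the cache consistent:
```dockerfile
ARG PROXYCHAINS_COMMITTISH=aea917265349880f6cc5dffc9d4afa61227fd330
# Keep this a full commit SHA: a branch or tag would make the build non-reproducible.
RUN apt-get update && apt-get install -y --no-install-recommends git && \
    git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
    cd /src/proxychains-ng && \
    git checkout "$PROXYCHAINS_COMMITTISH" && \
    ./configure --prefix=/usr --sysconfdir=/etc && \
    make -j$CONCURRENCY && make install && \
    rm -rf /src/proxychains-ng /var/lib/apt/lists/*
```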
@ -63,7 +63,7 @@ if [ "$CONFIG_DISABLE" != "yes" ]; then
|
|||
echo "$line" >> /etc/squid4/squid.conf
|
||||
done
|
||||
else
|
||||
echo "CONFIGURATION TEMPLATING IS DISABLED."
|
||||
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
|
||||
fi
|
||||
|
||||
if [ ! -e /etc/squid4/squid.conf ]; then
|
||||
|
@ -71,5 +71,35 @@ if [ ! -e /etc/squid4/squid.conf ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# If proxychains is requested and config templating is active
|
||||
if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
|
||||
echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
|
||||
if [ ! -z "$PROXYCHAIN_TYPE" ]; then
|
||||
echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
|
||||
else
|
||||
echo "strict-chain" >> /etc/proxychains.conf
|
||||
fi
|
||||
echo "[ProxyList]" >> /etc/proxychains.conf
|
||||
env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
|
||||
echo "# $proxyline " >> /etc/squid4/squid.conf
|
||||
line=$(echo $proxyline | cut -d'=' -f2-)
|
||||
echo "$line" >> /etc/proxychains.conf
|
||||
done
|
||||
else
|
||||
echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
|
||||
fi
|
||||
|
||||
# Build the configuration directories if needed
|
||||
squid -z -N
|
||||
|
||||
if [ "$PROXYCHAIN" = "yes" ]; then
|
||||
if [ ! -e /etc/proxychains.conf ]; then
|
||||
echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
|
||||
exit 1
|
||||
fi
|
||||
# Start squid with proxychains
|
||||
proxychains4 squid -N
|
||||
else
|
||||
# Start squid normally
|
||||
squid -N
|
||||
fi
|
||||
|
|
|
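Review bot: The per-proxy comment `echo "# $proxyline " >> /etc/squid4/squid.conf` appends to squid.conf instead of /etc/proxychains.conf, so the proxy list is annotated in the wrong file and raw `PROXYCHAIN_PROXYx` values (upstream proxy addresses) are written into squid's already-finished configuration; the redirect should target `/etc/proxychains.conf`. `grep 'PROXYCHAIN_PROXY'` also matches any environment line whose value merely contains that text, plain `sort` orders `PROXYCHAIN_PROXY10` ahead of `PROXYCHAIN_PROXY2` (the README promises suffix order), and `echo $proxyline | cut` word-splits and globs the value before it is written. The loop header can be `env | grep '^PROXYCHAIN_PROXY[0-9]*=' | sort -t= -k1.17,1n | while IFS= read -r proxyline; do` with the value taken as `line=${proxyline#*=}`, which keeps the proxy string byte-for-byte and needs no subshell. The `else` branch message reports templating as disabled even when `PROXYCHAIN` is simply not `yes`; consider `echo "/etc/proxychains.conf : NOT TEMPLATED (PROXYCHAIN != yes or CONFIG_DISABLE = yes)"`. The earlier hunk in this file (@ -63,7) is a message-wording change only.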
@ -18,7 +18,7 @@ cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
|
|||
|
||||
tls_outgoing_options capath=/etc/ssl/certs \
|
||||
options=NO_SSLv3,NO_TLSv1 \
|
||||
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
||||
cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
||||
|
||||
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
|
||||
generate-host-certificates=on \
|
||||
|
|
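Review bot: Assuming the `cipher=ALL:!RC4:...` line is the new side, replacing the explicit EECDH/EDH preference list with `ALL` re-admits static RSA key exchange (no forward secrecy) and other suites the old list never offered, which is a wider change than "fix cipher selection" suggests and is not explained anywhere in the template. If the goal is compatibility with upstream peers, `cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!kRSA` keeps the widening while still refusing non-forward-secret suites, and a one-line `# cipher list widened for upstream peer compatibility; see commit message` above the directive would record the reason. `options=NO_SSLv3,NO_TLSv1` still leaves TLS 1.1 negotiable; adding `NO_TLSv1_1` is worth considering if this squid build accepts it. The `http_port` directive that begins at the end of the hunk continues past it.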