From 1acb2e202d4329faa2331bcae469297471e62b97 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 03:25:56 +0100 Subject: [PATCH 01/50] . --- .drone/drone-home.jsonnet | 8 ++++---- .drone/drone-home.yml | 24 ------------------------ 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index b8459d7..7eb4ee8 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -12,11 +12,11 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; disable: false, depth: 0, }, - trigger: { + /*trigger: { event: [ 'tag', ], - }, + },*/ services: [ images.docker { privileged: true, @@ -49,7 +49,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; '/stack/squid' ), images.wait(15), - images.docker { + /*images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ 'LOCAL_DOCKER_REGISTRY', @@ -71,7 +71,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'docker push $${LOCAL_DOCKER_REGISTRY}squid', 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - }, + },*/ compose([ environment.envSet('local-docker-registry'), environment.envSet('local-registry-password'), diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 1290dda..3cc0611 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml 
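Review bot: Commenting out the `trigger: { event: ['tag'] }` block removes the only event filter on this pipeline, so every step it generates — including the SSH deploy step defined further down in the generated YAML, which uses the `ssh-key`/`ssh-host` secrets — now runs for any event the Drone server delivers for this repo rather than only for tags. If the intent is to iterate on a branch, narrow the trigger instead of deleting it, e.g. `trigger: { event: ['tag', 'push'], branch: ['master'] }`, and keep `pull_request` out of the list so a fork PR cannot reach the deploy step. The same file section also leaves a `privileged: true` dind service running for these builds, which makes the widened trigger more costly. The jsonnet object these hunks edit starts before the first hunk.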
@@ -29,26 +29,6 @@ steps: commands: - sleep 15 -- name: "dockerbuild docker image:" - image: docker:dind - commands: - - set -e - - pwd - - sleep 15 - - cd docker - - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker build . -t $${LOCAL_DOCKER_REGISTRY}squid - - docker push $${LOCAL_DOCKER_REGISTRY}squid - - docker logout $${LOCAL_DOCKER_REGISTRY} - environment: - LOCAL_DOCKER_REGISTRY: - from_secret: local-docker-registry - LOCAL_REGISTRY_PASSWORD: - from_secret: local-registry-password - volumes: - - name: dockersock - path: /var/run - - name: deploy squid image: appleboy/drone-ssh settings: @@ -105,8 +85,4 @@ volumes: host: path: /etc/docker/certs.d -trigger: - event: - - tag - ... From c7a800fd75c352a693a44a7b94d1864087540a0b Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:06:26 +0100 Subject: [PATCH 02/50] test: try https_prox --- .drone/drone-home.jsonnet | 4 ++-- .drone/drone-home.yml | 2 -- docker-compose.yml | 1 + docker/squid.intercept.conf | 1 + 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 7eb4ee8..ef1c4e7 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -83,8 +83,8 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'set -e', "docker network prune -f", "cd /stack/squid/myCA", - 'openssl genrsa -out CA_key.pem 2048', - 'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"', + //'openssl genrsa -out CA_key.pem 2048', + //'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"', 'cd ..', "docker stack rm squid", "sleep 60", 
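Review bot: With the `openssl genrsa` / `openssl req -x509` lines commented out, the deploy script no longer regenerates the bump CA, so `/stack/squid/myCA/CA_key.pem` becomes a long-lived private key that the compose file in this same patch bind-mounts into the proxy as `/apps/CA_key.pem`. Nothing in the script now checks that the key exists or restricts its mode, so a first deploy starts squid without a CA, and any readable copy of the key lets whoever has the host path mint certificates for every bumped site. Consider adding `test -s /stack/squid/myCA/CA_key.pem && chmod 600 /stack/squid/myCA/CA_key.pem` before the `docker stack deploy`, and ensure `myCA/` is git-ignored if it lives in the checkout. The `script` array this hunk edits continues outside the hunk.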
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 3cc0611..06ee2c2 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -50,8 +50,6 @@ steps: - set -e - docker network prune -f - cd /stack/squid/myCA - - openssl genrsa -out CA_key.pem 2048 - - openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA" - cd .. - docker stack rm squid - sleep 60 diff --git a/docker-compose.yml b/docker-compose.yml index 97251be..ffeb08d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,6 +15,7 @@ services: - ./myCA/CA_key.pem:/apps/CA_key.pem ports: - 3128:3128 + - 3129:3129 networks: - appnet - externalnet diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf index 06f5e2e..440d04e 100644 --- a/docker/squid.intercept.conf +++ b/docker/squid.intercept.conf @@ -29,6 +29,7 @@ htcp_access deny all visible_hostname git.local-domain http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem always_direct allow all acl excluded_sites ssl::server_name .wellsfargo.com From 415e1f75df1446b9dd705a4e6410d0b838abc25e Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:16:20 +0100 Subject: [PATCH 03/50] test: allow ssl v3 --- docker/squid.intercept.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf index 440d04e..0a0fe29 100644 --- a/docker/squid.intercept.conf +++ b/docker/squid.intercept.conf 
@@ -28,8 +28,9 @@ htcp_access deny all visible_hostname git.local-domain -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem -https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem +#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem always_direct allow all acl excluded_sites ssl::server_name .wellsfargo.com From b1ffbd6c644822e9bd6cba1c31237f036872f345 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:20:05 +0100 Subject: [PATCH 04/50] test: version=4wq --- docker/squid.intercept.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf index 0a0fe29..71ac726 100644 --- a/docker/squid.intercept.conf +++ b/docker/squid.intercept.conf @@ -28,7 +28,7 @@ htcp_access deny all visible_hostname git.local-domain -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem +http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 #http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem #https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem From 63a782b3910783f7333fc9c5c556d60b471554b3 Mon Sep 17 00:00:00 2001 
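Review bot: The new `http_port 3128 ssl-bump ...` line drops `options=NO_SSLv3` and `dhparams=/apps/dhparam.pem`, which re-enables SSLv3 on the bump listener and falls back to squid's built-in DH parameters; SSLv3 is broken (POODLE) and should stay disabled even for a test build. `options=NO_SSLv3` is accepted by both the 3.5 build this Dockerfile still uses and by Squid 4, so keep it: `http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem`. If the option is what fails on the newer build, the error message should be in cache.log rather than guessed at by removing it.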
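Review bot: `version=4` on the `http_port` line selects a single protocol version, not a minimum; in Squid 3.5 the `version=` values are documented as one fixed SSL/TLS version each (4 being TLSv1.0 only — verify against `squid.conf.documented` for the build in use), and the option was deprecated in Squid 4 in favour of `tls-min-version=`. Pinning the listener to TLS 1.0 alone would both break modern clients and weaken the connection, which is the opposite of what "test: version=4" presumably wants. Prefer `options=NO_SSLv3,NO_TLSv1` on the 3.5 build, or `tls-min-version=1.2` once the image moves to Squid 4.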
From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:28:48 +0100 Subject: [PATCH 05/50] test: squid:4 --- .drone/drone-home.jsonnet | 6 ++--- .drone/drone-home.yml | 45 ++++++++++++------------------------- docker/Dockerfile | 6 ++--- docker/squid.intercept.conf | 4 ++-- 4 files changed, 22 insertions(+), 39 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index ef1c4e7..cc2a75c 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -49,7 +49,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; '/stack/squid' ), images.wait(15), - /*images.docker { + images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ 'LOCAL_DOCKER_REGISTRY', @@ -71,7 +71,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'docker push $${LOCAL_DOCKER_REGISTRY}squid', 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - },*/ + } /* compose([ environment.envSet('local-docker-registry'), environment.envSet('local-registry-password'), @@ -96,7 +96,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; ] } }, - ), + ),*/ ], } ] diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 06ee2c2..8b487d2 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml 
@@ -29,42 +29,25 @@ steps: commands: - sleep 15 -- name: deploy squid - image: appleboy/drone-ssh - settings: - envs: - - drone_tag - - drone_commit - - drone_build_number - - drone_repo_name - - drone_repo_namespace - - local_docker_registry - - local_registry_password - host: - from_secret: ssh-host - key: - from_secret: ssh-key - port: - from_secret: ssh-port - script: - - set -e - - docker network prune -f - - cd /stack/squid/myCA - - cd .. - - docker stack rm squid - - sleep 60 - - docker volume rm squid_squid-cache - - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid - - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker pull $${SQUID_IMAGE} - - docker stack deploy -c docker-compose.yml squid - username: - from_secret: ssh-user +- name: "dockerbuild docker image:" + image: docker:dind + commands: + - set -e + - pwd + - sleep 15 + - cd docker + - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" + - docker build . -t $${LOCAL_DOCKER_REGISTRY}squid + - docker push $${LOCAL_DOCKER_REGISTRY}squid + - docker logout $${LOCAL_DOCKER_REGISTRY} environment: LOCAL_DOCKER_REGISTRY: from_secret: local-docker-registry LOCAL_REGISTRY_PASSWORD: from_secret: local-registry-password + volumes: + - name: dockersock + path: /var/run services: - name: docker diff --git a/docker/Dockerfile b/docker/Dockerfile index ebe0a65..7d0b6f6 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
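Review bot: The restored build step mounts the host Docker socket (`volumes: - name: dockersock path: /var/run`) into a `docker:dind` container and logs in with `--password "$${LOCAL_REGISTRY_PASSWORD}"` on the command line. Anything that can start this build gets root-equivalent control of the runner host through the socket, and the password is visible to `ps` and to the shell inside the step even if Drone masks it in the log output. Use `echo "$${LOCAL_REGISTRY_PASSWORD}" | docker login $${LOCAL_DOCKER_REGISTRY} --username client --password-stdin`, and consider the Drone docker plugin (isolated daemon per build) instead of the host socket.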
@@ -3,14 +3,14 @@ RUN apt-get -y update RUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl RUN mkdir -p /var/log/supervisor WORKDIR /apps/ -RUN wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz | tar zxfv - \ +RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz.asc | tar zxfv - \ && CPU=$(( `nproc --all`-1 )) \ - && cd /apps/squid-3.5.27/ \ + && cd /apps/squid-4.12/ \ && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \ && make -j$CPU \ && make install \ && cd /apps \ - && rm -rf /apps/squid-3.5.27 + && rm -rf /apps/squid-4.12 ADD . /apps/ RUN chown -R nobody:nogroup /apps/ diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf index 71ac726..da6ea38 100644 --- a/docker/squid.intercept.conf +++ b/docker/squid.intercept.conf @@ -28,8 +28,8 @@ htcp_access deny all visible_hostname git.local-domain -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 -#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 +http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem #https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem always_direct allow all From 70c5e4f1a19d3e8484697969d3dc98df2d5e37a1 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:33:27 +0100 Subject: [PATCH 06/50] test: squid:4 --- docker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docker/Dockerfile b/docker/Dockerfile index 7d0b6f6..baf56ef 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -3,7 +3,7 @@ RUN apt-get -y update RUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl RUN mkdir -p /var/log/supervisor WORKDIR /apps/ -RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz.asc | tar zxfv - \ +RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \ && CPU=$(( `nproc --all`-1 )) \ && cd /apps/squid-4.12/ \ && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \ @@ -15,7 +15,7 @@ ADD . /apps/ RUN chown -R nobody:nogroup /apps/ RUN mkdir -p /apps/squid/var/lib/ -RUN /apps/squid/libexec/ssl_crtd -c -s /apps/squid/var/lib/ssl_db -M 4MB +RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB RUN /apps/squid/sbin/squid -N -f /apps/squid.cache.conf -z RUN chown -R nobody:nogroup /apps/ From 3b24eabf9f9928d0a2f328fe39fe85f779b5117e Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 10:51:41 +0100 Subject: [PATCH 07/50] test: squid:4 --- .drone/drone-home.jsonnet | 25 ++++++- .drone/drone-home.yml | 4 +- docker/Dockerfile | 4 +- squid-4/Dockerfile | 121 ++++++++++++++++++++++++++++++++++ squid-4/README.md | 1 + squid-4/squid.bsh | 134 ++++++++++++++++++++++++++++++++++++++ squid-4/squid.conf.p2 | 46 +++++++++++++ 7 files changed, 330 insertions(+), 5 deletions(-) create mode 100644 squid-4/Dockerfile create mode 100644 squid-4/README.md create mode 100644 squid-4/squid.bsh create mode 100644 squid-4/squid.conf.p2 diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index cc2a75c..2fd0ed5 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet 
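Review bot: The corrected download line still fetches `squid-4.12.tar.gz` over plain `http://` and pipes it straight into `tar`, so anyone on the path can substitute the source; the `.asc` that the previous commit used by mistake is the detached signature that should be verifying it. Download both over https and verify before extracting, e.g. `wget https://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz https://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz.asc` then `gpg --verify squid-4.12.tar.gz.asc squid-4.12.tar.gz` against the imported Squid release key, or at minimum a pinned `sha256sum -c`. The `security_file_certgen` change in the second hunk matches the Squid 4 helper name.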
@@ -49,6 +49,29 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; '/stack/squid' ), images.wait(15), + images.docker { + name +: 'build docker image:', + environment +: environment.environmentSecrets([ + 'LOCAL_DOCKER_REGISTRY', + 'LOCAL_REGISTRY_PASSWORD', + ]), + volumes: [ + { + name: 'dockersock', + path: '/var/run', + }, + ], + commands: [ + 'set -e', + 'pwd', + 'sleep 15', + 'cd squid-4', + 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', + 'docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4', + 'docker push $${LOCAL_DOCKER_REGISTRY}squid', + 'docker logout $${LOCAL_DOCKER_REGISTRY}', + ], + },/* images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ @@ -71,7 +94,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'docker push $${LOCAL_DOCKER_REGISTRY}squid', 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - } /* + } */ /* compose([ environment.envSet('local-docker-registry'), environment.envSet('local-registry-password'), diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 8b487d2..7307127 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -35,9 +35,9 @@ steps: - set -e - pwd - sleep 15 - - cd docker + - cd squid-4 - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker build . -t $${LOCAL_DOCKER_REGISTRY}squid + - docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4 - docker push $${LOCAL_DOCKER_REGISTRY}squid - docker logout $${LOCAL_DOCKER_REGISTRY} environment: diff --git a/docker/Dockerfile b/docker/Dockerfile index baf56ef..e4bde17 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,7 +1,7 @@ FROM debian:8 RUN apt-get -y update -RUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl -RUN mkdir -p /var/log/supervisor +RUN apt-get install -y curl git openssl build-essential libssl-dev wget vim curl +#RUN mkdir -p /var/log/supervisor WORKDIR /apps/ RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \ && CPU=$(( `nproc --all`-1 )) \ diff --git a/squid-4/Dockerfile b/squid-4/Dockerfile new file mode 100644 index 0000000..d12ffd4 --- /dev/null +++ b/squid-4/Dockerfile 
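Review bot: The image still builds `FROM debian:8` (context line at the top of this hunk), whose LTS security updates ended in mid-2020, before this commit, so the `apt-get -y update` / `apt-get install -y ... libssl-dev` lines now pull an OpenSSL that will not receive further fixes into a TLS-intercepting proxy. Dropping `supervisor` and commenting out the log directory do not change that. Move to a supported base (`FROM debian:10`) and rebuild, or treat the `squid-4/` image added in this commit as the replacement and retire this Dockerfile.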
@@ -0,0 +1,121 @@ +ARG DOCKER_PREFIX= + +FROM ${DOCKER_PREFIX}ubuntu:artful + +ARG TRUST_CERT= + +RUN if [ ! -z "$TRUST_CERT" ]; then \ + echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \ + update-ca-certificates ; \ + fi + +# Normalize apt sources +RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \ + cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \ + cat sources.tmp.1 sources.tmp.2 > /etc/apt/sources.list && \ + rm -f sources.tmp.1 sources.tmp.2 + +RUN apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get build-dep -y squid && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar xz-utils libssl-dev + +ARG SQUID_VERSION=4.0.21 + +# TODO: verify the squid download with the signing key +RUN mkdir /src \ + && cd /src \ + && wget http://www.squid-cache.org/Versions/v4/squid-$SQUID_VERSION.tar.xz \ + && mkdir squid \ + && tar -C squid --strip-components=1 -xvf squid-$SQUID_VERSION.tar.xz + +RUN cd /src/squid && \ + ./configure \ + --prefix=/usr \ + --datadir=/usr/share/squid4 \ + --sysconfdir=/etc/squid4 \ + --localstatedir=/var \ + --mandir=/usr/share/man \ + --enable-inline \ + --enable-async-io=8 \ + --enable-storeio="ufs,aufs,diskd,rock" \ + --enable-removal-policies="lru,heap" \ + --enable-delay-pools \ + --enable-cache-digests \ + --enable-underscores \ + --enable-icap-client \ + --enable-follow-x-forwarded-for \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \ + --enable-auth-digest="file,LDAP" \ + --enable-auth-negotiate="kerberos,wrapper" \ + --enable-auth-ntlm="fake" \ + --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \ + --enable-url-rewrite-helpers="fake" \ + --enable-eui \ + --enable-esi \ + --enable-icmp \ + --enable-zph-qos \ + --with-openssl \ + --enable-ssl \ + --enable-ssl-crtd \ + --disable-translation \ 
+ --with-swapdir=/var/spool/squid4 \ + --with-logdir=/var/log/squid4 \ + --with-pidfile=/var/run/squid4.pid \ + --with-filedescriptors=65536 \ + --with-large-files \ + --with-default-user=proxy \ + --disable-arch-native + +ARG CONCURRENCY=1 + +RUN cd /src/squid && \ + make -j$CONCURRENCY && \ + make install + +# Download p2cli dependency +RUN wget -O /usr/local/bin/p2 \ + https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ + chmod +x /usr/local/bin/p2 + +# Clone and build proxychains-ng for SSL upstream proxying +ARG PROXYCHAINS_COMMITTISH=7a233fb1f05bcbf3d7f5c91658932261de1e13cb + +RUN apt-get install -y git + +RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \ + cd /src/proxychains-ng && \ + git checkout $PROXYCHAINS_COMMITTISH && \ + ./configure --prefix=/usr --sysconfdir=/etc && \ + make -j$CONCURRENCY && make install + +ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz + +RUN wget -O /tmp/doh.tgz \ + $URL_DOH && \ + tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \ + chmod +x /usr/local/bin/dns-over-https-proxy + +COPY squid.conf.p2 /squid.conf.p2 +COPY squid.bsh /squid.bsh + +# Configuration environment +ENV HTTP_PORT=3128 \ + ICP_PORT= \ + HTCP_PORT= \ + MITM_PROXY= \ + MITM_CERT= \ + MITM_KEY= \ + VISIBLE_HOSTNAME=docker-squid4 \ + MAX_CACHE_SIZE=40000 \ + MAX_OBJECT_SIZE="1536 MB" \ + MEM_CACHE_SIZE="128 MB" \ + DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \ + DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \ + DNS_OVER_HTTPS_NO_FALLTHROUGH="" \ + DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \ + DNS_OVER_HTTPS_PREFIX_SERVER= \ + DNS_OVER_HTTPS_SUFFIX_SERVER= + +EXPOSE 3128 + +ENTRYPOINT [ "/squid.bsh" ] \ No newline at end of file diff --git a/squid-4/README.md b/squid-4/README.md new file mode 100644 index 0000000..7777e56 --- /dev/null +++ b/squid-4/README.md 
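Review bot: Three executables are fetched with no integrity check: the squid tarball over `http://www.squid-cache.org/...` (the `# TODO: verify the squid download with the signing key` comment acknowledges it), the `p2` binary from a GitHub release, and `dns-over-https-proxy` from `$URL_DOH`; each runs as root at build time or ships as the proxy itself. Pin a digest for each and fail the build on mismatch, e.g. `echo "<sha256>  squid-$SQUID_VERSION.tar.xz" | sha256sum -c -` after the `wget`, and switch the squid URL to https. Separately, `TRUST_CERT` is written to `/usr/local/share/ca-certificates/build-trust.crt` and never removed, so a build-time trust anchor stays trusted by the running proxy; delete it in a final layer if it is only meant for fetching sources.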
@@ -0,0 +1 @@ +from https://github.com/wrouesnel/docker-squid4 diff --git a/squid-4/squid.bsh b/squid-4/squid.bsh new file mode 100644 index 0000000..33e6e6e --- /dev/null +++ b/squid-4/squid.bsh 
@@ -0,0 +1,134 @@ +#!/bin/bash + +# Setup the ssl_cert directory +if [ ! -d /etc/squid4/ssl_cert ]; then + mkdir /etc/squid4/ssl_cert +fi + +chown -R proxy:proxy /etc/squid4 +chmod 700 /etc/squid4/ssl_cert + +# Setup the squid cache directory +if [ ! -d /var/cache/squid4 ]; then + mkdir -p /var/cache/squid4 +fi +chown -R proxy: /var/cache/squid4 +chmod -R 750 /var/cache/squid4 + +if [ ! -z $MITM_PROXY ]; then + if [ ! -z $MITM_KEY ]; then + echo "Copying $MITM_KEY as MITM key..." + cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem + chown root:proxy /etc/squid4/ssl_cert/mitm.pem + fi + + if [ ! -z $MITM_CERT ]; then + echo "Copying $MITM_CERT as MITM CA..." + cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt + chown root:proxy /etc/squid4/ssl_cert/mitm.crt + fi + + if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then + echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2 + exit 1 + fi +fi + +chown proxy: /dev/stdout +chown proxy: /dev/stderr + +# Initialize the certificates database +/usr/libexec/security_file_certgen -c -s /var/spool/squid4/ssl_db +chown -R proxy: /var/spool/squid4/ssl_db + +#ssl_crtd -c -s +#ssl_db + +# Set the configuration +if [ "$CONFIG_DISABLE" != "yes" ]; then + p2 -t /squid.conf.p2 > /etc/squid4/squid.conf + + # Parse the cache peer lines from the environment and add them to the + # configuration + echo '# CACHE PEERS FROM DOCKER' >> /etc/squid4/squid.conf + env | grep 'CACHE_PEER' | sort | while read cacheline; do + echo "# $cacheline " >> /etc/squid4/squid.conf + line=$(echo $cacheline | cut -d'=' -f2-) + echo "cache_peer $line" >> /etc/squid4/squid.conf + done + + # Parse the extra config lines and append them to the configuration + echo '# EXTRA CONFIG FROM DOCKER' >> /etc/squid4/squid.conf + env | grep 'EXTRA_CONFIG' | sort | while read extraline; do + echo "# $extraline " >> /etc/squid4/squid.conf + line=$(echo $extraline | cut -d'=' -f2-) + echo "$line" >> /etc/squid4/squid.conf + done +else + echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS 
DISABLED." +fi + +if [ "$DNS_OVER_HTTPS" = "yes" ]; then + echo "Starting DNS-over-HTTPS proxy..." + # TODO: find a way to tie this to the proxychains config + dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \ + -address "$DNS_OVER_HTTPS_LISTEN_ADDR" \ + -primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \ + -fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \ + -no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \ + -fallthrough-statuses "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES" & + echo "Adding dns_nameservers line to squid.conf..." + echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf +fi + +if [ ! -e /etc/squid4/squid.conf ]; then + echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work." + exit 1 +fi + +# If proxychains is requested and config templating is active +if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then + echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf + # Enable remote DNS proxy + if [ ! -z "$PROXYCHAIN_DNS" ]; then + echo "proxy_dns" >> /etc/proxychains.conf + fi + # Configure proxy type + if [ ! -z "$PROXYCHAIN_TYPE" ]; then + echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf + else + echo "strict_chain" >> /etc/proxychains.conf + fi + + echo "[ProxyList]" >> /etc/proxychains.conf + env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do + echo "# $proxyline " >> /etc/squid4/squid.conf + line=$(echo $proxyline | cut -d'=' -f2-) + echo "$line" >> /etc/proxychains.conf + done +else + echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED" +fi + +# Build the configuration directories if needed +squid -z -N + +if [ "$PROXYCHAIN" = "yes" ]; then + if [ ! -e /etc/proxychains.conf ]; then + echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work." + exit 1 + fi + # Start squid with proxychains + proxychains4 -f /etc/proxychains.conf squid -N 2>&1 & + PID=$! 
+else + # Start squid normally + squid -N 2>&1 & + PID=$! +fi + +# This construct allows signals to kill the container successfully. +trap "kill -TERM $(jobs -p)" INT TERM +wait $PID +wait $PID +exit $? \ No newline at end of file diff --git a/squid-4/squid.conf.p2 b/squid-4/squid.conf.p2 new file mode 100644 index 0000000..fa6e8cb --- /dev/null +++ b/squid-4/squid.conf.p2 @@ -0,0 +1,46 @@ +# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN. + +# Default all logs to stdout and stderr +logfile_rotate 0 +access_log stdio:/dev/stdout combined +cache_store_log stdio:/dev/stdout +cache_log /dev/stderr +netdb_filename stdio:/var/cache/squid4/netdb.state + +# Visible hostname to allow multi-squid +visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}} + +{% if DISABLE_CACHE|default:"" != "yes" %} +# Cache directory is fixed since we'll bind mount. +cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256 +{% endif %} + +maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}} +cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}} + +tls_outgoing_options capath=/etc/ssl/certs \ + options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \ + cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + +http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ + generate-host-certificates=on \ + dynamic_cert_mem_cache_size=4MB \ + cert=/etc/squid4/ssl_cert/mitm.crt \ + key=/etc/squid4/ssl_cert/mitm.pem +{% endif %} + +{% if MITM_PROXY|default:"" == "yes" %} +ssl_bump server-first all +{% endif %} + +{% if ICP_PORT|default:"" != "" %} +icp_port {{ICP_PORT}} +icp_access allow all +{% endif %} + +{% if HTCP_PORT|default:"" != "" %} +htcp_port {{HTCP_PORT}} +htcp_access allow all +{% endif %} + +http_access allow all \ No newline at end of file From 12e3666db0cf34b7d2e5f36730e04f251342c783 Mon Sep 17 00:00:00 2001 
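Review bot: In the `PROXYCHAIN_PROXY` loop the comment line is appended to `/etc/squid4/squid.conf` instead of `/etc/proxychains.conf` (`echo "# $proxyline " >> /etc/squid4/squid.conf`), so the full proxy line — which for proxychains can carry a username and password — is copied into squid's configuration as a comment. Change it to `echo "# $proxyline " >> /etc/proxychains.conf`, or stop echoing the raw line at all. The unquoted tests and copies (`[ ! -z $MITM_PROXY ]`, `cp $MITM_KEY ...`) misbehave on empty or space-containing values; quote them (`[ -n "$MITM_PROXY" ]`, `cp "$MITM_KEY" ...`), and since the copied key inherits the source file's mode, add `chmod 640 /etc/squid4/ssl_cert/mitm.pem` after the `chown root:proxy`. The script also runs without `set -e`, so a failed `cp` or `security_file_certgen` still starts squid.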
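Review bot: The template ends with `http_access allow all` and defines no source ACL, so any host that can reach the published port 3128 gets an open forward proxy and, when `MITM_PROXY=yes`, has its TLS bumped by `ssl_bump server-first all`. Gate it on the networks the container is meant to serve, e.g. `acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`, `http_access allow localnet`, `http_access deny all`, ideally driven by an environment variable like the other settings. `server-first` is the legacy bump action; on Squid 4 the supported form is `ssl_bump peek all` followed by `ssl_bump bump all`, which also gives you a place to `splice` sites that must not be intercepted.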
From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:05:40 +0100 Subject: [PATCH 08/50] test: squid:4 --- .drone/drone-home.jsonnet | 10 ++++----- .drone/drone-home.yml | 45 +++++++++++++++++++++++++++------------ squid-4/Dockerfile | 2 +- 3 files changed, 37 insertions(+), 20 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 2fd0ed5..288bdbb 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -49,7 +49,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; '/stack/squid' ), images.wait(15), - images.docker { + /*images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ 'LOCAL_DOCKER_REGISTRY', @@ -68,10 +68,10 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'cd squid-4', 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', 'docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4', - 'docker push $${LOCAL_DOCKER_REGISTRY}squid', + 'docker push $${LOCAL_DOCKER_REGISTRY}squid-4', 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - },/* + }, images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ @@ -94,7 +94,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'docker push $${LOCAL_DOCKER_REGISTRY}squid', 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - } */ /* + } */ compose([ environment.envSet('local-docker-registry'), environment.envSet('local-registry-password'), @@ -119,7 +119,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; ] } }, - ),*/ + ), ], } ] diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 7307127..06ee2c2 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml 
@@ -29,25 +29,42 @@ steps: commands: - sleep 15 -- name: "dockerbuild docker image:" - image: docker:dind - commands: - - set -e - - pwd - - sleep 15 - - cd squid-4 - - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4 - - docker push $${LOCAL_DOCKER_REGISTRY}squid - - docker logout $${LOCAL_DOCKER_REGISTRY} +- name: deploy squid + image: appleboy/drone-ssh + settings: + envs: + - drone_tag + - drone_commit + - drone_build_number + - drone_repo_name + - drone_repo_namespace + - local_docker_registry + - local_registry_password + host: + from_secret: ssh-host + key: + from_secret: ssh-key + port: + from_secret: ssh-port + script: + - set -e + - docker network prune -f + - cd /stack/squid/myCA + - cd .. + - docker stack rm squid + - sleep 60 + - docker volume rm squid_squid-cache + - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid + - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" + - docker pull $${SQUID_IMAGE} + - docker stack deploy -c docker-compose.yml squid + username: + from_secret: ssh-user environment: LOCAL_DOCKER_REGISTRY: from_secret: local-docker-registry LOCAL_REGISTRY_PASSWORD: from_secret: local-registry-password - volumes: - - name: dockersock - path: /var/run services: - name: docker diff --git a/squid-4/Dockerfile b/squid-4/Dockerfile index d12ffd4..8a2d15f 100644 --- a/squid-4/Dockerfile +++ b/squid-4/Dockerfile @@ -1,6 +1,6 @@ ARG DOCKER_PREFIX= -FROM ${DOCKER_PREFIX}ubuntu:artful +FROM ${DOCKER_PREFIX}ubuntu:xenial ARG TRUST_CERT= From b3c9b54c0c8cec71a9d4595df009b62a4e4a9997 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:10:50 +0100 Subject: [PATCH 09/50] test: squid:4 --- .drone/drone-home.jsonnet | 6 +++--- .drone/drone-home.yml | 3 --- docker-compose.yml | 2 +- 3 files changed, 4 insertions(+), 7 deletions(-) 
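Review bot: The restored `deploy squid` step runs `docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"` on the remote host over SSH, which exposes the registry password in that host's process list and, depending on the remote shell, its history; `envs: - local_registry_password` also exports the secret into the remote environment. Prefer `echo "$${LOCAL_REGISTRY_PASSWORD}" | docker login $${LOCAL_DOCKER_REGISTRY} --username client --password-stdin`, and trim `envs` to what the script references (`drone_tag`, `drone_commit`, `drone_build_number`, `drone_repo_name`, `drone_repo_namespace` are unused here). `docker network prune -f` at the top of the script removes every unused network on the host, not only squid's — a broad side effect for a deploy of one stack.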
diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 288bdbb..f33288e 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -112,9 +112,9 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; "docker stack rm squid", "sleep 60", "docker volume rm squid_squid-cache", - 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', - 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', - 'docker pull $${SQUID_IMAGE}', + //'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', + //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', + //'docker pull $${SQUID_IMAGE}', "docker stack deploy -c docker-compose.yml squid", ] } diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 06ee2c2..f151b15 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -54,9 +54,6 @@ steps: - docker stack rm squid - sleep 60 - docker volume rm squid_squid-cache - - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid - - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker pull $${SQUID_IMAGE} - docker stack deploy -c docker-compose.yml squid username: from_secret: ssh-user diff --git a/docker-compose.yml b/docker-compose.yml index ffeb08d..48c87cb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,7 @@ services: replicas: 1 restart_policy: condition: any - image: ${SQUID_IMAGE} + image: wrouesnel/docker-squid4 volumes: - squid-cache:/apps/squid/var/cache/squid #- ./squid.intercept.conf:/etc/squid/squid.conf From a2b8b9fc61390c166546d7dab2d555134f7b9c73 Mon Sep 17 00:00:00 2001 
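Review bot: `image: wrouesnel/docker-squid4` replaces the locally built, registry-authenticated image with an unpinned third-party Docker Hub image — no tag, no digest — and the same patch comments out the `docker login` / `docker pull` lines in the deploy script, so the swarm node will pull whatever `latest` resolves to at deploy time. This container holds the bump CA's private key and sits in the path of all proxied traffic, so pin it by digest (`image: wrouesnel/docker-squid4@sha256:<digest>`) or keep building the vendored `squid-4/Dockerfile` and pushing to the local registry.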
From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:34:15 +0100 Subject: [PATCH 10/50] . --- docker-compose.yml | 5 ++- docker/squid.intercept.conf | 4 +- squid-4/squid.intercept.conf | 72 ++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 squid-4/squid.intercept.conf diff --git a/docker-compose.yml b/docker-compose.yml index 48c87cb..d22c032 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,8 +8,11 @@ services: restart_policy: condition: any image: wrouesnel/docker-squid4 + environment: + - CONFIG_DISABLE=yes volumes: - - squid-cache:/apps/squid/var/cache/squid + - ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf + # - squid-cache:/apps/squid/var/cache/squid #- ./squid.intercept.conf:/etc/squid/squid.conf - ./myCA/CA_crt.pem:/apps/CA_crt.pem - ./myCA/CA_key.pem:/apps/CA_key.pem diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf index da6ea38..71ac726 100644 --- a/docker/squid.intercept.conf +++ b/docker/squid.intercept.conf @@ -28,8 +28,8 @@ htcp_access deny all visible_hostname git.local-domain -#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 +#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem #https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem always_direct allow all diff --git a/squid-4/squid.intercept.conf b/squid-4/squid.intercept.conf new file mode 100644 index 0000000..59c0e78 --- /dev/null +++ b/squid-4/squid.intercept.conf 
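Review bot: Setting `CONFIG_DISABLE=yes` and bind-mounting `./squid-4/squid.intercept.conf` over `/etc/squid4/squid.conf` bypasses the image entrypoint's `MITM_CERT`/`MITM_KEY` handling, so the CA key is now used straight from the `./myCA/CA_key.pem:/apps/CA_key.pem` mount with whatever owner and mode it has on the host; the entrypoint's 0700 `ssl_cert` directory and `root:proxy` ownership no longer apply. Make the mounts read-only (`- ./myCA/CA_key.pem:/apps/CA_key.pem:ro`) and check the host file is readable only by the uid squid runs as in that image (`proxy`), or pass `MITM_CERT`/`MITM_KEY` and let the entrypoint copy them. The `squid-cache` volume is commented out at the same time, so the cache now lives in the container's writable layer and is lost on each redeploy — fine if intended, but note it given the 4096 MB `maximum_object_size` in the new config.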
@@ -0,0 +1,72 @@ +always_direct allow all + +acl localhost src 127.0.0.1/32 +acl to_localhost dst 127.0.0.0/8 +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +http_access allow all +http_access allow manager localhost +http_access deny manager + +htcp_access allow localnet +htcp_access deny all + + +visible_hostname git.local-domain + +http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 +#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem +#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem + +always_direct allow all +acl excluded_sites ssl::server_name .wellsfargo.com +ssl_bump splice excluded_sites +ssl_bump bump all + +sslproxy_cert_error deny all +// sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 + +icap_enable on +icap_preview_enable on +icap_preview_size 128 +icap_send_client_ip on + +adaptation_access url_check allow all + +access_log /apps/squid/var/logs/access.log squid + +# these are basically to make everything canched +refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload +refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache 
override-expire ignore-reload + +debug_options 11,2 22,10 + +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern (cgi-bin|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +icp_port 3130 + + +coredump_dir /apps/squid/var/cache + + +cache_mem 1000 MB + +maximum_object_size 4096 MB +cache_dir aufs /apps/squid/var/cache/squid 10000 16 256 From 350eee4dce4b28aa1fd89ce92f17e6787a3809ad Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:37:52 +0100 Subject: [PATCH 11/50] test: squid:4 --- squid-4/squid.intercept.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid-4/squid.intercept.conf b/squid-4/squid.intercept.conf index 59c0e78..0c39321 100644 --- a/squid-4/squid.intercept.conf +++ b/squid-4/squid.intercept.conf @@ -38,7 +38,7 @@ ssl_bump splice excluded_sites ssl_bump bump all sslproxy_cert_error deny all -// sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 +#sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 icap_enable on icap_preview_enable on From 5ec8008ac878da57cffa7adee17674e50d193ec2 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:40:22 +0100 Subject: [PATCH 12/50] test: squid:4 --- .drone/drone-home.jsonnet | 2 +- .drone/drone-home.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index f33288e..13a701d 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet 
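Review bot: `http_access allow all` is the first `http_access` rule in the new squid-4/squid.intercept.conf, and Squid stops at the first matching rule, so the `allow manager localhost` / `deny manager` lines after it are never reached and both the cache manager and general proxying are open to any source that can reach port 3128 — which docker-compose.yml publishes as `3128:3128`. Put the manager rules first and restrict proxying to the defined networks: `http_access allow manager localhost`, `http_access deny manager`, `http_access allow localnet`, `http_access deny all`. The `Safe_ports`, `SSL_ports` and `CONNECT` acls are declared but never referenced, so the usual `http_access deny !Safe_ports` / `deny CONNECT !SSL_ports` protections are absent too. The `refresh_pattern ^https:` line with `override-expire ignore-reload` forces bumped HTTPS responses to be cached for years; if that is deliberate for a build cache, a comment saying so (and naming what must never be cached) would help the next reader.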
@@ -111,7 +111,7 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; 'cd ..', "docker stack rm squid", "sleep 60", - "docker volume rm squid_squid-cache", + // "docker volume rm squid_squid-cache", //'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', //'docker pull $${SQUID_IMAGE}', diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index f151b15..5698197 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -53,7 +53,6 @@ steps: - cd .. - docker stack rm squid - sleep 60 - - docker volume rm squid_squid-cache - docker stack deploy -c docker-compose.yml squid username: from_secret: ssh-user From 4b264582f26e019f958f19a4375993b3a070ba50 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 11:50:03 +0100 Subject: [PATCH 13/50] test: squid:4 --- docker-compose.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index d22c032..7555d29 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,16 +9,20 @@ services: condition: any image: wrouesnel/docker-squid4 environment: - - CONFIG_DISABLE=yes + - MITM_PROXY=yes + - HTTP_PORT=3128 + - MITM_CERT=/local-mitm.crt + - MITM_KEY=/local-mitm.pem + - VISIBLE_HOSTNAME=git.local-domain + # - CONFIG_DISABLE=yes volumes: - - ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf + #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf # - squid-cache:/apps/squid/var/cache/squid #- ./squid.intercept.conf:/etc/squid/squid.conf - - ./myCA/CA_crt.pem:/apps/CA_crt.pem - - ./myCA/CA_key.pem:/apps/CA_key.pem + - ./myCA/CA_crt.pem:/local-mitm.crt:ro + - ./myCA/CA_key.pem:/local-mitm.pem:ro ports: - 3128:3128 - - 3129:3129 networks: - appnet - externalnet From 07723cb6fe1882344aa9f2b30dc945bfd9fb16c4 Mon Sep 17 00:00:00 2001 
From: Giles Bradshaw Date: Thu, 6 Aug 2020 12:55:43 +0100 Subject: [PATCH 14/50] test: squid:4 --- docker-compose.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 7555d29..2832c9e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,10 @@ services: - MITM_CERT=/local-mitm.crt - MITM_KEY=/local-mitm.pem - VISIBLE_HOSTNAME=git.local-domain + - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ + options=NO_SSLv3,NO_TLSv1 \ + cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ + min-version=1.3 # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From e1ae4c3ca8e59454b0b59735084fcf3be92513d7 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 12:59:18 +0100 Subject: [PATCH 15/50] test: squid:4 --- docker-compose.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 2832c9e..75036bb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,8 +16,7 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - min-version=1.3 + cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From b5a46efd512027fced949f53353a1d3ec8c0bc8b Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 13:46:23 +0100 Subject: [PATCH 16/50] test: squid:4 --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 75036bb..9df5f77 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
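Review bot: The four `EXTRA_CONFIG1=tls_outgoing_options ...` lines are one YAML plain scalar spread over continuation lines, so YAML folds them into a single value in which the trailing `\` characters are kept literally (`... capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ cipher=... \ min-version=1.3`); whether that reaches squid.conf as one line with stray backslashes or is split again depends on the image's entrypoint, which is not visible here, so please confirm with `squid -k parse` inside the container. Writing the directive on one line, or as a `>-` block scalar without the backslashes, removes the ambiguity. The same construct is carried through every docker-compose.yml hunk that follows.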
@@ -17,6 +17,7 @@ services: - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From 4afecdbaf8f50c2083e14ae058d22b34ab9d82c4 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 13:52:00 +0100 Subject: [PATCH 17/50] test: squid:4 --- .drone/drone-home.jsonnet | 6 +++--- .drone/drone-home.yml | 3 --- docker-compose.yml | 3 ++- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 13a701d..669f01e 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -104,13 +104,13 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; settings +: { script +: [ 'set -e', - "docker network prune -f", + //"docker network prune -f", "cd /stack/squid/myCA", //'openssl genrsa -out CA_key.pem 2048', //'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"', 'cd ..', - "docker stack rm squid", - "sleep 60", + //"docker stack rm squid", + //"sleep 60", // "docker volume rm squid_squid-cache", //'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 5698197..52d72e1 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml 
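Review bot: `EXTRA_CONFIG2=sslproxy_cipher ...` sets the outgoing cipher list a second time, next to the `cipher=` parameter of the `tls_outgoing_options` directive in `EXTRA_CONFIG1` just above it, so the two can disagree and the effective list depends on which one Squid applies last; Squid 4 documents `sslproxy_cipher` as replaced by `tls_outgoing_options cipher=`, so if the image really runs Squid 4 this line is likely ignored or rejected — worth checking the container log at startup. Keep one source of truth by folding the list into `EXTRA_CONFIG1`'s `cipher=`, and drop the `EECDH+aRSA+RC4` entry, which the trailing `!RC4` excludes again anyway.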
@@ -48,11 +48,8 @@ steps: from_secret: ssh-port script: - set -e - - docker network prune -f - cd /stack/squid/myCA - cd .. - - docker stack rm squid - - sleep 60 - docker stack deploy -c docker-compose.yml squid username: from_secret: ssh-user diff --git a/docker-compose.yml b/docker-compose.yml index 9df5f77..c8d61b6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,8 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ + MIN_VERSION=1.2 - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: From 1e9e2ca2947d1c8a8f5a58ac465d0194b81e0a9d Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 13:53:44 +0100 Subject: [PATCH 18/50] test: squid:4 --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c8d61b6..99aec89 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,7 +17,7 @@ services: - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - MIN_VERSION=1.2 + min-version=1.2 - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: From 4a47c2a7b80e0d1bb7543ebc3fb17d370111b899 Mon Sep 17 00:00:00 2001 
From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:09:22 +0100 Subject: [PATCH 19/50] . --- docker-compose.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 99aec89..6257201 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,11 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ + cipher=\ + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\ + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\ min-version=1.2 - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes From 3e800566f0ac7551d0245ff42c736b7042ef7ad0 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:13:03 +0100 Subject: [PATCH 20/50] . --- docker-compose.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 6257201..5a52435 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -16,12 +16,9 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=\ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\ + cipher=HIGH \ min-version=1.2 + #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: From ff808e156528ec4c094d277ec1ed260bee573024 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:16:44 +0100 Subject: [PATCH 21/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 5a52435..fe5bdc9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,7 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=HIGH \ + cipher=ECDHE+ECDSA \ min-version=1.2 #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS From 4653320f5b26edd0c31250b3fc83edf2fcb64664 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:18:21 +0100 Subject: [PATCH 22/50] . --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index fe5bdc9..c1caf3b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -16,8 +16,9 @@ services: - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ - cipher=ECDHE+ECDSA \ min-version=1.2 + #cipher=ECDHE+ECDSA \ + #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes From dce0275ecd81a8361b69b37061f0c494e1afd116 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:23:21 +0100 Subject: [PATCH 23/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c1caf3b..a73a8c5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,7 +20,7 @@ services: #cipher=ECDHE+ECDSA \ #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From 513cf11f3c8d959e9bb32afce3f28d065ce2a7a3 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:27:33 +0100 Subject: [PATCH 24/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index a73a8c5..ce93557 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -20,7 +20,7 @@ services: #cipher=ECDHE+ECDSA \ #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - - EXTRA_CONFIG2=sslproxy_cipher EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM # EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From 2c7e8f0446062f40fc26eb615b844bf6d78140f9 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:30:05 +0100 Subject: [PATCH 25/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index ce93557..af0443d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,7 +20,7 @@ services: #cipher=ECDHE+ECDSA \ #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM # EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From 1137453bae2985a4175917808e16d4440d015b65 Mon Sep 17 00:00:00 2001 
From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:31:49 +0100 Subject: [PATCH 26/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index af0443d..b6afe93 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,7 +20,7 @@ services: #cipher=ECDHE+ECDSA \ #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From e2146f7f4dc007fc066b53eb63243dd56c0cb363 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 14:33:20 +0100 Subject: [PATCH 27/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index b6afe93..618fb8a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -20,7 +20,7 @@ services: #cipher=ECDHE+ECDSA \ #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM #:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From 71370c7b6c8d08e245973d217913644295e6728b Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:09:33 +0100 Subject: [PATCH 28/50] test: squid:4 --- .drone/drone-home.jsonnet | 9 +++++++++ .drone/drone-home.yml | 24 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 669f01e..3cc5e14 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -3,6 +3,7 @@ local environment = import 'node_modules/@sigyl/jsonnet-drone-environment/enviro local compose = import 'node_modules/@sigyl/jsonnet-compose/compose.libsonnet'; local secretSecrets = import 'lib/secret-secrets.libsonnet'; local publicSecrets = import 'lib/public-secrets.libsonnet'; +local util = import 'lib/util.libsonnet'; [ { kind: 'pipeline', @@ -45,6 +46,14 @@ local publicSecrets = import 'lib/public-secrets.libsonnet'; }, ], steps:[ + util.printEnv( + 'squid-env', + 'ca-crt' + )( + images.ssh + ) { + name: 'print env', + }, images.scp( '/stack/squid' ), diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 52d72e1..022c4f7 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml 
@@ -8,6 +8,30 @@ platform: arch: amd64 steps: +- name: print env + image: appleboy/drone-ssh + settings: + envs: + - drone_tag + - drone_commit + - drone_build_number + - drone_repo_name + - drone_repo_namespace + - ca_crt + host: + from_secret: ssh-host + key: + from_secret: ssh-key + port: + from_secret: ssh-port + script: + - "echo \"export CA_CRT='$${CA_CRT}'\" >> squid-env # \"ca-crt\"" + username: + from_secret: ssh-user + environment: + CA_CRT: + from_secret: ca-crt + - name: scp image: appleboy/drone-scp settings: From 33d92102854cf3c8899d86a7e919aa84cf47f2d8 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:23:26 +0100 Subject: [PATCH 29/50] . --- .drone/drone-home.jsonnet | 25 ++++++++++++++++++++----- .drone/drone-home.yml | 29 ++++++++++++++++++++++++++++- .drone/lib/public-secrets.libsonnet | 1 + .drone/lib/secret-secrets.libsonnet | 1 + 4 files changed, 50 insertions(+), 6 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 3cc5e14..8607318 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -46,11 +46,20 @@ local util = import 'lib/util.libsonnet'; }, ], steps:[ - util.printEnv( - 'squid-env', - 'ca-crt' - )( - images.ssh + compose( + std.map( + function(secret) util.printEnv('env-squid', secret), + publicSecrets, + ) + ) + ( + images.ssh { + settings +: { + script: [ + 'rm -f env-squid', + ], + }, + }, ) { name: 'print env', }, @@ -107,11 +116,17 @@ local util = import 'lib/util.libsonnet'; compose([ environment.envSet('local-docker-registry'), environment.envSet('local-registry-password'), + environment.envSet('ca-crt'), + environment.envSet('ca-key'), ])( images.ssh { name: 'deploy squid', settings +: { script +: [ + 'rm -f -R /stack/squid/.secrets', + 'mkdir -p /stack/squid/.secrets', + 'echo $${CA_CRT} > /stack/squid/.secrets/ca.crt', + 'echo $${CA_KEY} > /stack/squid/.secrets/ca.key', 'set -e', //"docker network prune -f", "cd /stack/squid/myCA", 
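Review bot: The script lines added to the `deploy squid` step write the CA private key with `echo $${CA_KEY} > /stack/squid/.secrets/ca.key` before `set -e` and without restricting permissions, so the key lands on the host with the SSH user's default umask (typically world-readable) and a failed `mkdir -p` is ignored while the echo still runs. Move `set -e` to the top of the script and set the umask before creating the directory: `'set -e', 'umask 077', 'mkdir -p /stack/squid/.secrets',` — then the files are created `0600` without a separate `chmod`. The same four lines appear in the generated .drone/drone-home.yml hunk that follows (`@@ -71,6 +90,10 @@`), so the fix should be made in the jsonnet and regenerated.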
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 022c4f7..0d7bdc1 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -17,6 +17,10 @@ steps: - drone_build_number - drone_repo_name - drone_repo_namespace + - ssh_host + - ssh_user + - ssh_root_user + - local_docker_registry - ca_crt host: from_secret: ssh-host @@ -25,12 +29,25 @@ steps: port: from_secret: ssh-port script: - - "echo \"export CA_CRT='$${CA_CRT}'\" >> squid-env # \"ca-crt\"" + - rm -f env-squid + - "echo \"export SSH_HOST='$${SSH_HOST}'\" >> env-squid # \"ssh-host\"" + - "echo \"export SSH_USER='$${SSH_USER}'\" >> env-squid # \"ssh-user\"" + - "echo \"export SSH_ROOT_USER='$${SSH_ROOT_USER}'\" >> env-squid # \"ssh-root-user\"" + - "echo \"export LOCAL_DOCKER_REGISTRY='$${LOCAL_DOCKER_REGISTRY}'\" >> env-squid # \"local-docker-registry\"" + - "echo \"export CA_CRT='$${CA_CRT}'\" >> env-squid # \"ca-crt\"" username: from_secret: ssh-user environment: CA_CRT: from_secret: ca-crt + LOCAL_DOCKER_REGISTRY: + from_secret: local-docker-registry + SSH_HOST: + from_secret: ssh-host + SSH_ROOT_USER: + from_secret: ssh-root-user + SSH_USER: + from_secret: ssh-user - name: scp image: appleboy/drone-scp @@ -64,6 +81,8 @@ steps: - drone_repo_namespace - local_docker_registry - local_registry_password + - ca_crt + - ca_key host: from_secret: ssh-host key: @@ -71,6 +90,10 @@ steps: port: from_secret: ssh-port script: + - rm -f -R /stack/squid/.secrets + - mkdir -p /stack/squid/.secrets + - echo $${CA_CRT} > /stack/squid/.secrets/ca.crt + - echo $${CA_KEY} > /stack/squid/.secrets/ca.key - set -e - cd /stack/squid/myCA - cd .. @@ -78,6 +101,10 @@ steps: username: from_secret: ssh-user environment: + CA_CRT: + from_secret: ca-crt + CA_KEY: + from_secret: ca-key LOCAL_DOCKER_REGISTRY: from_secret: local-docker-registry LOCAL_REGISTRY_PASSWORD: diff --git a/.drone/lib/public-secrets.libsonnet b/.drone/lib/public-secrets.libsonnet index e7e223c..4901236 100644 
--- a/.drone/lib/public-secrets.libsonnet +++ b/.drone/lib/public-secrets.libsonnet @@ -3,4 +3,5 @@ 'ssh-user', 'ssh-root-user', 'local-docker-registry', + 'ca-crt', ] diff --git a/.drone/lib/secret-secrets.libsonnet b/.drone/lib/secret-secrets.libsonnet index 760fb48..28025b7 100644 --- a/.drone/lib/secret-secrets.libsonnet +++ b/.drone/lib/secret-secrets.libsonnet @@ -2,4 +2,5 @@ 'ssh-password', 'ssh-key', 'local-registry-password', + 'ca-key', ] From 7ebc172cd95558d54faebea04e32aca3a4da68b9 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:29:28 +0100 Subject: [PATCH 30/50] . --- .drone/drone-home.jsonnet | 4 ++-- .drone/drone-home.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 8607318..7e24578 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -125,8 +125,8 @@ local util = import 'lib/util.libsonnet'; script +: [ 'rm -f -R /stack/squid/.secrets', 'mkdir -p /stack/squid/.secrets', - 'echo $${CA_CRT} > /stack/squid/.secrets/ca.crt', - 'echo $${CA_KEY} > /stack/squid/.secrets/ca.key', + 'echo "$${CA_CRT}" > /stack/squid/.secrets/ca.crt', + 'echo "$${CA_KEY}" > /stack/squid/.secrets/ca.key', 'set -e', //"docker network prune -f", "cd /stack/squid/myCA", diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 0d7bdc1..0517d87 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -92,8 +92,8 @@ steps: script: - rm -f -R /stack/squid/.secrets - mkdir -p /stack/squid/.secrets - - echo $${CA_CRT} > /stack/squid/.secrets/ca.crt - - echo $${CA_KEY} > /stack/squid/.secrets/ca.key + - echo "$${CA_CRT}" > /stack/squid/.secrets/ca.crt + - echo "$${CA_KEY}" > /stack/squid/.secrets/ca.key - set -e - cd /stack/squid/myCA - cd .. From 5d4a391c2d7fe78a3809480021af81898851e357 Mon Sep 17 00:00:00 2001 
From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:34:23 +0100 Subject: [PATCH 31/50] . --- docker-compose.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 618fb8a..131ff82 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,8 +11,8 @@ services: environment: - MITM_PROXY=yes - HTTP_PORT=3128 - - MITM_CERT=/local-mitm.crt - - MITM_KEY=/local-mitm.pem + - MITM_CERT=/run/secrets/ca-crt + - MITM_KEY=/run/secrets/ca-key - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ @@ -22,12 +22,12 @@ services: #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # - CONFIG_DISABLE=yes - volumes: + #volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf # - squid-cache:/apps/squid/var/cache/squid #- ./squid.intercept.conf:/etc/squid/squid.conf - - ./myCA/CA_crt.pem:/local-mitm.crt:ro - - ./myCA/CA_key.pem:/local-mitm.pem:ro + #- ./myCA/CA_crt.pem:/local-mitm.crt:ro + #- ./myCA/CA_key.pem:/local-mitm.pem:ro ports: - 3128:3128 networks: @@ -58,3 +58,9 @@ networks: externalnet: driver: overlay external: true + +secrets: + 'ca-crt': + file: .secrets/ca/crt + 'ca-key': + file: .secrets/ca.key From 949333c6cafdb750655eb847dc4e5904e1aef62a Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:36:35 +0100 Subject: [PATCH 32/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 131ff82..dd79696 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -61,6 +61,6 @@ networks: secrets: 'ca-crt': - file: .secrets/ca/crt + file: .secrets/ca.crt 'ca-key': file: .secrets/ca.key From d4e943eabbf19af7a095838e5dd895626fc5ed87 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 15:41:10 +0100 Subject: [PATCH 33/50] . --- docker-compose.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index dd79696..351bb62 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,8 +11,8 @@ services: environment: - MITM_PROXY=yes - HTTP_PORT=3128 - - MITM_CERT=/run/secrets/ca-crt - - MITM_KEY=/run/secrets/ca-key + - MITM_CERT=/run/secrets/ca.crt + - MITM_KEY=/run/secrets/ca.key - VISIBLE_HOSTNAME=git.local-domain - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ options=NO_SSLv3,NO_TLSv1 \ @@ -33,6 +33,9 @@ services: networks: - appnet - externalnet + secrets: + - ca.crt + - ca.key squid-deb: deploy: placement: @@ -60,7 +63,7 @@ networks: external: true secrets: - 'ca-crt': + 'ca.crt': file: .secrets/ca.crt - 'ca-key': + 'ca.key': file: .secrets/ca.key From 88daf62b89e6bcd2058105a73aa49760952506d1 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 16:06:53 +0100 Subject: [PATCH 34/50] . --- .drone/drone-home.jsonnet | 7 +++++-- .drone/drone-home.yml | 5 +++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 7e24578..18e244a 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet 
@@ -136,14 +136,17 @@ local util = import 'lib/util.libsonnet'; //"docker stack rm squid", //"sleep 60", // "docker volume rm squid_squid-cache", - //'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', + 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', - //'docker pull $${SQUID_IMAGE}', + 'docker pull $${SQUID_IMAGE}', "docker stack deploy -c docker-compose.yml squid", ] } }, ), ], + image_pull_secrets: [ + 'dockerconfigjson' + ] } ] diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 0517d87..58b4882 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -97,6 +97,8 @@ steps: - set -e - cd /stack/squid/myCA - cd .. + - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid + - docker pull $${SQUID_IMAGE} - docker stack deploy -c docker-compose.yml squid username: from_secret: ssh-user @@ -127,4 +129,7 @@ volumes: host: path: /etc/docker/certs.d +image_pull_secrets: +- dockerconfigjson + ... From 822a9c0550c88c3bbe4da7b244ca731f08ed1b9d Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 16:33:26 +0100 Subject: [PATCH 35/50] test: squid:4 --- .drone/drone-home.jsonnet | 18 ++++++++++-------- .drone/drone-home.yml | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 18e244a..75c1e32 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -67,7 +67,7 @@ local util = import 'lib/util.libsonnet'; '/stack/squid' ), images.wait(15), - /*images.docker { + images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ 'LOCAL_DOCKER_REGISTRY', 
@@ -83,13 +83,15 @@ local util = import 'lib/util.libsonnet'; 'set -e', 'pwd', 'sleep 15', - 'cd squid-4', - 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', - 'docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4', - 'docker push $${LOCAL_DOCKER_REGISTRY}squid-4', - 'docker logout $${LOCAL_DOCKER_REGISTRY}', + 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', + 'docker pull $${SQUID_IMAGE}', + + //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', + //'docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4', + //'docker push $${LOCAL_DOCKER_REGISTRY}squid-4', + //'docker logout $${LOCAL_DOCKER_REGISTRY}', ], - }, + }, /* images.docker { name +: 'build docker image:', environment +: environment.environmentSecrets([ @@ -137,7 +139,7 @@ local util = import 'lib/util.libsonnet'; //"sleep 60", // "docker volume rm squid_squid-cache", 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', - //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', + 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', 'docker pull $${SQUID_IMAGE}', "docker stack deploy -c docker-compose.yml squid", ] diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index 58b4882..c52fc8e 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -70,6 +70,23 @@ steps: commands: - sleep 15 +- name: "dockerbuild docker image:" + image: docker:dind + commands: + - set -e + - pwd + - sleep 15 + - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid + - docker pull $${SQUID_IMAGE} + environment: + LOCAL_DOCKER_REGISTRY: + from_secret: local-docker-registry + LOCAL_REGISTRY_PASSWORD: + from_secret: local-registry-password + volumes: + - name: dockersock + path: /var/run + - name: deploy squid image: appleboy/drone-ssh settings: 
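Review bot: After this rewrite the `build docker image:` step only exports `SQUID_IMAGE` and runs `docker pull`, yet `LOCAL_REGISTRY_PASSWORD` (and, in the drone-home.yml hunk of this commit, the `local-registry-password` secret) is still injected into the step environment and never read. A secret exposed to a step that does not need it only widens where it can leak (step logs, the dind daemon reached through `/var/run`); drop it from `environmentSecrets([...])` until a command uses it. The step also no longer builds anything despite its name, so either rename it (`'pull squid image:'`) or add a comment saying the build is temporarily disabled, which the trailing `}, /*` suggests is the case.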
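Review bot: The re-enabled `'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"'` passes the registry password as a command-line argument, where it is visible to every process on that host via the process list and, on the SSH deploy host, potentially in shell history; the Docker CLI itself warns about `--password`. The same form appears in the drone-home.yml hunk of this commit (PATCH 35) and in both build-step hunks of PATCH 36. Feed it on stdin instead: `'echo "$${LOCAL_REGISTRY_PASSWORD}" | docker login $${LOCAL_DOCKER_REGISTRY} --username client --password-stdin'`. The deploy step also never runs `docker logout`, so the credential remains in the remote user's Docker config after the pull; a `'docker logout $${LOCAL_DOCKER_REGISTRY}'` after `docker stack deploy` would close that (the step's command list continues outside the hunk).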
@@ -98,6 +115,7 @@ steps: - cd /stack/squid/myCA - cd .. - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid + - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - docker pull $${SQUID_IMAGE} - docker stack deploy -c docker-compose.yml squid username: From ad775128bc50e009f9bd725adaec2e742d7d817a Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 18:10:19 +0100 Subject: [PATCH 36/50] . --- .drone/drone-home.jsonnet | 19 +++++++++---------- .drone/drone-home.yml | 13 +++++++++---- docker-dind/Dockerfile | 3 +++ 3 files changed, 21 insertions(+), 14 deletions(-) create mode 100644 docker-dind/Dockerfile diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 75c1e32..0547c16 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -68,10 +68,11 @@ local util = import 'lib/util.libsonnet'; ), images.wait(15), images.docker { - name +: 'build docker image:', + name +: 'build docker:dind image:', environment +: environment.environmentSecrets([ 'LOCAL_DOCKER_REGISTRY', 'LOCAL_REGISTRY_PASSWORD', + 'CA_CRT' ]), volumes: [ { @@ -81,15 +82,13 @@ local util = import 'lib/util.libsonnet'; ], commands: [ 'set -e', - 'pwd', - 'sleep 15', - 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', - 'docker pull $${SQUID_IMAGE}', - - //'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', - //'docker build . -t $${LOCAL_DOCKER_REGISTRY}squid-4', - //'docker push $${LOCAL_DOCKER_REGISTRY}squid-4', - //'docker logout $${LOCAL_DOCKER_REGISTRY}', + 'sleep 15', + 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', + 'cd docker-dind', + 'cat "$${CA_CRT}" > CA_crt.crt', + 'docker build . -t $${LOCAL_DOCKER_REGISTRY}docker:dind', + 'docker push $${LOCAL_DOCKER_REGISTRY}docker:dind', + 'docker logout $${LOCAL_DOCKER_REGISTRY}', ], }, /* images.docker { 
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index c52fc8e..f8f295e 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -70,15 +70,20 @@ steps: commands: - sleep 15 -- name: "dockerbuild docker image:" +- name: "dockerbuild docker:dind image:" image: docker:dind commands: - set -e - - pwd - sleep 15 - - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid - - docker pull $${SQUID_IMAGE} + - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" + - cd docker-dind + - cat "$${CA_CRT}" > CA_crt.crt + - docker build . -t $${LOCAL_DOCKER_REGISTRY}docker:dind + - docker push $${LOCAL_DOCKER_REGISTRY}docker:dind + - docker logout $${LOCAL_DOCKER_REGISTRY} environment: + CA_CRT: + from_secret: ca-crt LOCAL_DOCKER_REGISTRY: from_secret: local-docker-registry LOCAL_REGISTRY_PASSWORD: diff --git a/docker-dind/Dockerfile b/docker-dind/Dockerfile new file mode 100644 index 0000000..6fa9af8 --- /dev/null +++ b/docker-dind/Dockerfile @@ -0,0 +1,3 @@ +FROM docker:18.06.0-dind +COPY CA_crt.crt /usr/local/share/ca-certificates/CA_crt.crt +RUN update-ca-certificates From 93f82a8344e3d23d31f09b0b97269e89ebb036d9 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 18:12:04 +0100 Subject: [PATCH 37/50] . --- .drone/drone-home.jsonnet | 2 +- .drone/drone-home.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index 0547c16..ebb002a 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -85,7 +85,7 @@ local util = import 'lib/util.libsonnet'; 'sleep 15', 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', 'cd docker-dind', - 'cat "$${CA_CRT}" > CA_crt.crt', + 'echo "$${CA_CRT}" > CA_crt.crt', 'docker build . -t $${LOCAL_DOCKER_REGISTRY}docker:dind', 'docker push $${LOCAL_DOCKER_REGISTRY}docker:dind', 'docker logout $${LOCAL_DOCKER_REGISTRY}', 
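Review bot: `docker-dind/Dockerfile` copies the proxy CA into `/usr/local/share/ca-certificates/` and runs `update-ca-certificates`, so every build that uses the resulting `docker:dind` image trusts this CA for all TLS destinations, not just the cache; that is presumably the intent, but it makes `.secrets/ca.key` the single key able to impersonate any origin to those builds, and that consequence is recorded nowhere. A header comment such as `# Trusts the squid MITM CA system-wide: any TLS origin reached from this image can be re-signed by whoever holds ca.key` would make it explicit for maintainers. `FROM docker:18.06.0-dind` pins a 2018 release; pinning is right, but a tag that old no longer receives fixes, so consider a current tag plus a digest (`@sha256:<DIGEST>` placeholder) so the trust-store change is layered on a maintained base.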
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index f8f295e..fb0a901 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -77,7 +77,7 @@ steps: - sleep 15 - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - cd docker-dind - - cat "$${CA_CRT}" > CA_crt.crt + - echo "$${CA_CRT}" > CA_crt.crt - docker build . -t $${LOCAL_DOCKER_REGISTRY}docker:dind - docker push $${LOCAL_DOCKER_REGISTRY}docker:dind - docker logout $${LOCAL_DOCKER_REGISTRY} From 11a76bdc5a09b0f17375f2a5ae52813e433ee150 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:04:18 +0100 Subject: [PATCH 38/50] . --- docker-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 351bb62..afc6d97 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,6 +21,9 @@ services: #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + - # these are basically to make everything canched + - "EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" + - "EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" # - CONFIG_DISABLE=yes #volumes: #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf From b815811e7b4ce87852a3e85fa54869e253987e28 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:08:03 +0100 Subject: [PATCH 39/50] . --- .drone/drone-home.jsonnet | 3 --- .drone/drone-home.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index ebb002a..da58df5 100644 --- a/.drone/drone-home.jsonnet 
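Review bot: The `refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload` line added in the docker-compose.yml hunk of PATCH 38 applies, on an ssl-bump proxy, to every decrypted HTTPS response from every origin: `override-expire` discards the origin's expiry and `ignore-reload` stops clients from forcing a refetch, so whatever is cached first is served for the full 999999999 minutes. For a build cache that is an availability and supply-chain concern — a withdrawn package version or an error body cached once persists until the cache directory is purged — and the same lines recur in the PATCH 40, 41, 42, 43, 44 and 45 hunks. Consider scoping the override to URLs that are immutable by construction and giving it a bounded age, e.g. (constructed example) `refresh_pattern -i \.(deb|tar\.gz|whl)$ 43200 100% 129600 override-expire`, leaving the default rules for everything else. Separately, `- # these are basically to make everything canched` is a list item with an empty value rather than a comment, so `environment:` gains a null entry; put the `#` before the `-` (and `canched` → `cached`).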
+++ b/.drone/drone-home.jsonnet @@ -137,9 +137,6 @@ local util = import 'lib/util.libsonnet'; //"docker stack rm squid", //"sleep 60", // "docker volume rm squid_squid-cache", - 'export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid', - 'docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}"', - 'docker pull $${SQUID_IMAGE}', "docker stack deploy -c docker-compose.yml squid", ] } diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index fb0a901..8c2e14b 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -119,9 +119,6 @@ steps: - set -e - cd /stack/squid/myCA - cd .. - - export SQUID_IMAGE=$${LOCAL_DOCKER_REGISTRY}squid - - docker login $${LOCAL_DOCKER_REGISTRY} --username client --password "$${LOCAL_REGISTRY_PASSWORD}" - - docker pull $${SQUID_IMAGE} - docker stack deploy -c docker-compose.yml squid username: from_secret: ssh-user From acadae2f56e2a398ad9ee902c2e49b0017272fb8 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:11:13 +0100 Subject: [PATCH 40/50] . --- docker-compose.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index afc6d97..30bbbf8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -22,15 +22,8 @@ services: #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - # these are basically to make everything canched - - "EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" - - "EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" - # - CONFIG_DISABLE=yes - #volumes: - #- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf - # - squid-cache:/apps/squid/var/cache/squid - #- ./squid.intercept.conf:/etc/squid/squid.conf - #- ./myCA/CA_crt.pem:/local-mitm.crt:ro - #- ./myCA/CA_key.pem:/local-mitm.pem:ro + #- "EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" + #- "EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" ports: - 3128:3128 networks: From 72809b91772931defa17e198141ba814b1ad0ae7 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:12:33 +0100 Subject: [PATCH 41/50] . --- docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 30bbbf8..1ebc97a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -22,8 +22,8 @@ services: #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - # these are basically to make everything canched - #- "EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" - #- "EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload" + - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' ports: - 3128:3128 networks: From d5e5cf716221b96d0243c0885b37e0dddd81ce03 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:13:44 +0100 Subject: [PATCH 42/50] . --- docker-compose.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 1ebc97a..dd5d195 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -14,12 +14,7 @@ services: - MITM_CERT=/run/secrets/ca.crt - MITM_KEY=/run/secrets/ca.key - VISIBLE_HOSTNAME=git.local-domain - - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs \ - options=NO_SSLv3,NO_TLSv1 \ - min-version=1.2 - #cipher=ECDHE+ECDSA \ - - #ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ + - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs options=NO_SSLv3,NO_TLSv1 min-version=1.2 - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - # these are basically to make everything canched - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' From a7cb95e166716349abaae27b6d0e722148e4f1f4 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Thu, 6 Aug 2020 22:16:29 +0100 Subject: [PATCH 43/50] . --- docker-compose.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index dd5d195..03f1c0f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -14,9 +14,12 @@ services: - MITM_CERT=/run/secrets/ca.crt - MITM_KEY=/run/secrets/ca.key - VISIBLE_HOSTNAME=git.local-domain - - EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs options=NO_SSLv3,NO_TLSv1 min-version=1.2 + - > + EXTRA_CONFIG1=tls_outgoing_options + capath=/etc/ssl/certs + options=NO_SSLv3,NO_TLSv1 min-version=1.2 - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - - # these are basically to make everything canched + # these are basically to make everything canched - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' - 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' ports: From c0d5e0bc867b2c491ecc4eb71615a02c15f71d04 Mon Sep 17 00:00:00 2001 
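Review bot: The new `- >` folded scalar for `EXTRA_CONFIG1` keeps a trailing newline (YAML clip chomping), so the environment variable the container receives ends in `\n`; the entrypoint's `env | grep 'EXTRA_CONFIG' | … | while read` loop (visible in the squid.bsh deleted later in this series) reads line-wise and tolerates it, but a directive value with an embedded newline is easy to mis-handle anywhere else. Use the strip indicator, `- >-`, to get exactly the single-line string the previous commit produced. Moving the comment out of the list (`# these are basically to make everything canched`) is the right fix; `canched` reads as a typo for `cached`.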
From: Giles Bradshaw Date: Fri, 7 Aug 2020 13:52:04 +0100 Subject: [PATCH 44/50] . --- .gitignore | 1 - README.md | 5 +- docker-compose.yml | 12 +-- docker/Dockerfile | 24 ------ docker/README.md | 3 - docker/dhparam.pem | 8 -- docker/squid.cache.conf | 3 - docker/squid.intercept.conf | 72 ----------------- myCA/openssl.cnf => openssl.cnf | 0 squid-4/Dockerfile | 121 ---------------------------- squid-4/README.md | 1 - squid-4/squid.bsh | 134 -------------------------------- squid-4/squid.conf.p2 | 46 ----------- squid-4/squid.intercept.conf | 72 ----------------- 14 files changed, 10 insertions(+), 492 deletions(-) delete mode 100644 docker/Dockerfile delete mode 100644 docker/README.md delete mode 100644 docker/dhparam.pem delete mode 100644 docker/squid.cache.conf delete mode 100644 docker/squid.intercept.conf rename myCA/openssl.cnf => openssl.cnf (100%) delete mode 100644 squid-4/Dockerfile delete mode 100644 squid-4/README.md delete mode 100644 squid-4/squid.bsh delete mode 100644 squid-4/squid.conf.p2 delete mode 100644 squid-4/squid.intercept.conf diff --git a/.gitignore b/.gitignore index 54a14b2..3c3629e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -myCA/*.pem node_modules diff --git a/README.md b/README.md index b7e2942..3b9fc78 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ inspired by https://github.com/salrashid123/squid_proxy ## making a CA ```shell -cd myCA openssl genrsa -out CA_key.pem 2048 -openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA" +openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=UK/ST=Devon/L=Rose Ash/O=Google/OU=SiGyl/CN=Proxy-ca" ``` +then set secrets ca-crt and ca-key to the created files + ## releasing [see here](https://sigyl.com/releases/) \ No newline at end of file 
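Review bot: Dropping `myCA/*.pem` from `.gitignore` leaves no rule covering the CA private key, while the README hunk in the same commit removes `cd myCA` and now has the reader run `openssl genrsa -out CA_key.pem 2048` in the repository root; a `git add .` after following the README would commit the key that signs every bumped certificate. Replace the rule rather than delete it — `*.pem` (or `CA_key.pem` and `CA_crt.pem` explicitly) — and keep `.secrets/` ignored if that directory lives under the checkout as docker-compose.yml suggests. The README's new subject still carries `O=Google` from the upstream example; cosmetic, but a CA whose Organization names a third party is confusing when it appears in a client's certificate viewer.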
diff --git a/docker-compose.yml b/docker-compose.yml index 03f1c0f..07390ee 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,6 @@ version: "3.7" services: - squid: + squid-4: deploy: placement: constraints: [node.labels.com.sigyl.git-stack == yes] @@ -18,10 +18,12 @@ services: EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs options=NO_SSLv3,NO_TLSv1 min-version=1.2 - - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + # - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # these are basically to make everything canched - - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' - - 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + volumes: + - squid-4-cache:/var/cache/squid4 ports: - 3128:3128 networks: @@ -46,7 +48,7 @@ services: - appnet - externalnet volumes: - squid-cache: + squid-4-cache: squid-deb-cache: networks: diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index e4bde17..0000000 --- a/docker/Dockerfile +++ /dev/null 
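Review bot: Commenting out `EXTRA_CONFIG2=sslproxy_cipher …` removes the only explicit outgoing cipher restriction in the compose file; `tls_outgoing_options … options=NO_SSLv3,NO_TLSv1 min-version=1.2` above it still bounds the protocol version, and the squid.conf.p2 template deleted in this commit shows the image's own `tls_outgoing_options` line carrying a `cipher=ALL:!RC4:!aNULL:…` list, so which of the two `tls_outgoing_options` occurrences takes effect decides the ciphers actually used — worth confirming against the running configuration and recording in a comment. The renumbering to `EXTRA_CONFIG2`/`EXTRA_CONFIG3` looks safe given the entrypoint sorts the variables by name before appending them. The new `squid-4-cache:/var/cache/squid4` volume persists decrypted-and-cached HTTPS bodies on the node; it deserves the same access controls as the secrets, and a one-line comment saying so would help.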
@@ -1,24 +0,0 @@ -FROM debian:8 -RUN apt-get -y update -RUN apt-get install -y curl git openssl build-essential libssl-dev wget vim curl -#RUN mkdir -p /var/log/supervisor -WORKDIR /apps/ -RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \ - && CPU=$(( `nproc --all`-1 )) \ - && cd /apps/squid-4.12/ \ - && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \ - && make -j$CPU \ - && make install \ - && cd /apps \ - && rm -rf /apps/squid-4.12 -ADD . /apps/ - -RUN chown -R nobody:nogroup /apps/ -RUN mkdir -p /apps/squid/var/lib/ -RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB -RUN /apps/squid/sbin/squid -N -f /apps/squid.cache.conf -z -RUN chown -R nobody:nogroup /apps/ - -EXPOSE 3128 -ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"] -CMD ["/apps/squid.intercept.conf"] diff --git a/docker/README.md b/docker/README.md deleted file mode 100644 index 390f317..0000000 --- a/docker/README.md +++ /dev/null @@ -1,3 +0,0 @@ -I made dhparam.pem - - openssl dhparam -outform PEM -out dhparam.pem 2048 \ No newline at end of file diff --git a/docker/dhparam.pem b/docker/dhparam.pem deleted file mode 100644 index 91e78f7..0000000 --- a/docker/dhparam.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAk5sKJOAoHj9bZCoUyN0pnYwjzS2vCZWcNOCGKVO+MuyVhbphVGez -UidUVK7OIFX5XUNfrHvxKeN2NkHHfOJXAYdVD/0Th6Ead+nh/xtBw9+ycRhmLR1F -tQY1Kbv23j8h+rJ0q5aiMnCEKevnbPBlV3ARK1oXjAHVuT08flGOcRLb3Qp+qLKQ -xX5WGQcFzVJf56MA/bl5bUbuo7e8O1eZYjdtzz+nvk8zaYqEhqrrPkJDPveGdVKu -FYB4vRfBuOHc/1K9+kwzfNsAYhj51Qs64KjukmpjxZPTVojvnKRqiavRmgBdMWiL -J8VStE1njcXhusk3jGJazeQ5EsJA9u41qwIBAg== ------END DH PARAMETERS----- diff --git a/docker/squid.cache.conf b/docker/squid.cache.conf deleted file mode 100644 index 1396189..0000000 --- a/docker/squid.cache.conf +++ /dev/null 
@@ -1,3 +0,0 @@ -cache_dir aufs /apps/squid/var/cache/squid 10000 16 256 - -coredump_dir /apps/squid/var/cache \ No newline at end of file diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf deleted file mode 100644 index 71ac726..0000000 --- a/docker/squid.intercept.conf +++ /dev/null 
@@ -1,72 +0,0 @@ -always_direct allow all - -acl localhost src 127.0.0.1/32 -acl to_localhost dst 127.0.0.0/8 -acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network -acl localnet src 192.168.0.0/16 # RFC1918 possible internal network -acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 # https -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT - -http_access allow all -http_access allow manager localhost -http_access deny manager - -htcp_access allow localnet -htcp_access deny all - - -visible_hostname git.local-domain - -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 -#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem -#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem - -always_direct allow all -acl excluded_sites ssl::server_name .wellsfargo.com -ssl_bump splice excluded_sites -ssl_bump bump all - -sslproxy_cert_error deny all -sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 - -icap_enable on -icap_preview_enable on -icap_preview_size 128 -icap_send_client_ip on - -adaptation_access url_check allow all - -access_log /apps/squid/var/logs/access.log squid - -# these are basically to make everything canched -refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload -refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache 
override-expire ignore-reload - -debug_options 11,2 22,10 - -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern (cgi-bin|\?) 0 0% 0 -refresh_pattern . 0 20% 4320 - -icp_port 3130 - - -coredump_dir /apps/squid/var/cache - - -cache_mem 1000 MB - -maximum_object_size 4096 MB -cache_dir aufs /apps/squid/var/cache/squid 10000 16 256 diff --git a/myCA/openssl.cnf b/openssl.cnf similarity index 100% rename from myCA/openssl.cnf rename to openssl.cnf diff --git a/squid-4/Dockerfile b/squid-4/Dockerfile deleted file mode 100644 index 8a2d15f..0000000 --- a/squid-4/Dockerfile +++ /dev/null 
@@ -1,121 +0,0 @@ -ARG DOCKER_PREFIX= - -FROM ${DOCKER_PREFIX}ubuntu:xenial - -ARG TRUST_CERT= - -RUN if [ ! -z "$TRUST_CERT" ]; then \ - echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \ - update-ca-certificates ; \ - fi - -# Normalize apt sources -RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \ - cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \ - cat sources.tmp.1 sources.tmp.2 > /etc/apt/sources.list && \ - rm -f sources.tmp.1 sources.tmp.2 - -RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get build-dep -y squid && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar xz-utils libssl-dev - -ARG SQUID_VERSION=4.0.21 - -# TODO: verify the squid download with the signing key -RUN mkdir /src \ - && cd /src \ - && wget http://www.squid-cache.org/Versions/v4/squid-$SQUID_VERSION.tar.xz \ - && mkdir squid \ - && tar -C squid --strip-components=1 -xvf squid-$SQUID_VERSION.tar.xz - -RUN cd /src/squid && \ - ./configure \ - --prefix=/usr \ - --datadir=/usr/share/squid4 \ - --sysconfdir=/etc/squid4 \ - --localstatedir=/var \ - --mandir=/usr/share/man \ - --enable-inline \ - --enable-async-io=8 \ - --enable-storeio="ufs,aufs,diskd,rock" \ - --enable-removal-policies="lru,heap" \ - --enable-delay-pools \ - --enable-cache-digests \ - --enable-underscores \ - --enable-icap-client \ - --enable-follow-x-forwarded-for \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \ - --enable-auth-digest="file,LDAP" \ - --enable-auth-negotiate="kerberos,wrapper" \ - --enable-auth-ntlm="fake" \ - --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \ - --enable-url-rewrite-helpers="fake" \ - --enable-eui \ - --enable-esi \ - --enable-icmp \ - --enable-zph-qos \ - --with-openssl \ - --enable-ssl \ - --enable-ssl-crtd \ - --disable-translation \ 
- --with-swapdir=/var/spool/squid4 \ - --with-logdir=/var/log/squid4 \ - --with-pidfile=/var/run/squid4.pid \ - --with-filedescriptors=65536 \ - --with-large-files \ - --with-default-user=proxy \ - --disable-arch-native - -ARG CONCURRENCY=1 - -RUN cd /src/squid && \ - make -j$CONCURRENCY && \ - make install - -# Download p2cli dependency -RUN wget -O /usr/local/bin/p2 \ - https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ - chmod +x /usr/local/bin/p2 - -# Clone and build proxychains-ng for SSL upstream proxying -ARG PROXYCHAINS_COMMITTISH=7a233fb1f05bcbf3d7f5c91658932261de1e13cb - -RUN apt-get install -y git - -RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \ - cd /src/proxychains-ng && \ - git checkout $PROXYCHAINS_COMMITTISH && \ - ./configure --prefix=/usr --sysconfdir=/etc && \ - make -j$CONCURRENCY && make install - -ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz - -RUN wget -O /tmp/doh.tgz \ - $URL_DOH && \ - tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \ - chmod +x /usr/local/bin/dns-over-https-proxy - -COPY squid.conf.p2 /squid.conf.p2 -COPY squid.bsh /squid.bsh - -# Configuration environment -ENV HTTP_PORT=3128 \ - ICP_PORT= \ - HTCP_PORT= \ - MITM_PROXY= \ - MITM_CERT= \ - MITM_KEY= \ - VISIBLE_HOSTNAME=docker-squid4 \ - MAX_CACHE_SIZE=40000 \ - MAX_OBJECT_SIZE="1536 MB" \ - MEM_CACHE_SIZE="128 MB" \ - DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \ - DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \ - DNS_OVER_HTTPS_NO_FALLTHROUGH="" \ - DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \ - DNS_OVER_HTTPS_PREFIX_SERVER= \ - DNS_OVER_HTTPS_SUFFIX_SERVER= - -EXPOSE 3128 - -ENTRYPOINT [ "/squid.bsh" ] \ No newline at end of file diff --git a/squid-4/README.md b/squid-4/README.md deleted file mode 100644 index 7777e56..0000000 --- a/squid-4/README.md +++ /dev/null 
@@ -1 +0,0 @@ -from https://github.com/wrouesnel/docker-squid4 diff --git a/squid-4/squid.bsh b/squid-4/squid.bsh deleted file mode 100644 index 33e6e6e..0000000 --- a/squid-4/squid.bsh +++ /dev/null 
@@ -1,134 +0,0 @@ -#!/bin/bash - -# Setup the ssl_cert directory -if [ ! -d /etc/squid4/ssl_cert ]; then - mkdir /etc/squid4/ssl_cert -fi - -chown -R proxy:proxy /etc/squid4 -chmod 700 /etc/squid4/ssl_cert - -# Setup the squid cache directory -if [ ! -d /var/cache/squid4 ]; then - mkdir -p /var/cache/squid4 -fi -chown -R proxy: /var/cache/squid4 -chmod -R 750 /var/cache/squid4 - -if [ ! -z $MITM_PROXY ]; then - if [ ! -z $MITM_KEY ]; then - echo "Copying $MITM_KEY as MITM key..." - cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem - chown root:proxy /etc/squid4/ssl_cert/mitm.pem - fi - - if [ ! -z $MITM_CERT ]; then - echo "Copying $MITM_CERT as MITM CA..." - cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt - chown root:proxy /etc/squid4/ssl_cert/mitm.crt - fi - - if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then - echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2 - exit 1 - fi -fi - -chown proxy: /dev/stdout -chown proxy: /dev/stderr - -# Initialize the certificates database -/usr/libexec/security_file_certgen -c -s /var/spool/squid4/ssl_db -chown -R proxy: /var/spool/squid4/ssl_db - -#ssl_crtd -c -s -#ssl_db - -# Set the configuration -if [ "$CONFIG_DISABLE" != "yes" ]; then - p2 -t /squid.conf.p2 > /etc/squid4/squid.conf - - # Parse the cache peer lines from the environment and add them to the - # configuration - echo '# CACHE PEERS FROM DOCKER' >> /etc/squid4/squid.conf - env | grep 'CACHE_PEER' | sort | while read cacheline; do - echo "# $cacheline " >> /etc/squid4/squid.conf - line=$(echo $cacheline | cut -d'=' -f2-) - echo "cache_peer $line" >> /etc/squid4/squid.conf - done - - # Parse the extra config lines and append them to the configuration - echo '# EXTRA CONFIG FROM DOCKER' >> /etc/squid4/squid.conf - env | grep 'EXTRA_CONFIG' | sort | while read extraline; do - echo "# $extraline " >> /etc/squid4/squid.conf - line=$(echo $extraline | cut -d'=' -f2-) - echo "$line" >> /etc/squid4/squid.conf - done -else - echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS 
DISABLED." -fi - -if [ "$DNS_OVER_HTTPS" = "yes" ]; then - echo "Starting DNS-over-HTTPS proxy..." - # TODO: find a way to tie this to the proxychains config - dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \ - -address "$DNS_OVER_HTTPS_LISTEN_ADDR" \ - -primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \ - -fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \ - -no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \ - -fallthrough-statuses "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES" & - echo "Adding dns_nameservers line to squid.conf..." - echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf -fi - -if [ ! -e /etc/squid4/squid.conf ]; then - echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work." - exit 1 -fi - -# If proxychains is requested and config templating is active -if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then - echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf - # Enable remote DNS proxy - if [ ! -z "$PROXYCHAIN_DNS" ]; then - echo "proxy_dns" >> /etc/proxychains.conf - fi - # Configure proxy type - if [ ! -z "$PROXYCHAIN_TYPE" ]; then - echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf - else - echo "strict_chain" >> /etc/proxychains.conf - fi - - echo "[ProxyList]" >> /etc/proxychains.conf - env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do - echo "# $proxyline " >> /etc/squid4/squid.conf - line=$(echo $proxyline | cut -d'=' -f2-) - echo "$line" >> /etc/proxychains.conf - done -else - echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED" -fi - -# Build the configuration directories if needed -squid -z -N - -if [ "$PROXYCHAIN" = "yes" ]; then - if [ ! -e /etc/proxychains.conf ]; then - echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work." - exit 1 - fi - # Start squid with proxychains - proxychains4 -f /etc/proxychains.conf squid -N 2>&1 & - PID=$! 
-else - # Start squid normally - squid -N 2>&1 & - PID=$! -fi - -# This construct allows signals to kill the container successfully. -trap "kill -TERM $(jobs -p)" INT TERM -wait $PID -wait $PID -exit $? \ No newline at end of file diff --git a/squid-4/squid.conf.p2 b/squid-4/squid.conf.p2 deleted file mode 100644 index fa6e8cb..0000000 --- a/squid-4/squid.conf.p2 +++ /dev/null @@ -1,46 +0,0 @@ -# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN. - -# Default all logs to stdout and stderr -logfile_rotate 0 -access_log stdio:/dev/stdout combined -cache_store_log stdio:/dev/stdout -cache_log /dev/stderr -netdb_filename stdio:/var/cache/squid4/netdb.state - -# Visible hostname to allow multi-squid -visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}} - -{% if DISABLE_CACHE|default:"" != "yes" %} -# Cache directory is fixed since we'll bind mount. -cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256 -{% endif %} - -maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}} -cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}} - -tls_outgoing_options capath=/etc/ssl/certs \ - options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \ - cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - -http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ - generate-host-certificates=on \ - dynamic_cert_mem_cache_size=4MB \ - cert=/etc/squid4/ssl_cert/mitm.crt \ - key=/etc/squid4/ssl_cert/mitm.pem -{% endif %} - -{% if MITM_PROXY|default:"" == "yes" %} -ssl_bump server-first all -{% endif %} - -{% if ICP_PORT|default:"" != "" %} -icp_port {{ICP_PORT}} -icp_access allow all -{% endif %} - -{% if HTCP_PORT|default:"" != "" %} -htcp_port {{HTCP_PORT}} -htcp_access allow all -{% endif %} - -http_access allow all \ No newline at end of file diff --git a/squid-4/squid.intercept.conf b/squid-4/squid.intercept.conf deleted file mode 100644 index 0c39321..0000000 --- a/squid-4/squid.intercept.conf +++ /dev/null 
@@ -1,72 +0,0 @@ -always_direct allow all - -acl localhost src 127.0.0.1/32 -acl to_localhost dst 127.0.0.0/8 -acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network -acl localnet src 192.168.0.0/16 # RFC1918 possible internal network -acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 # https -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT - -http_access allow all -http_access allow manager localhost -http_access deny manager - -htcp_access allow localnet -htcp_access deny all - - -visible_hostname git.local-domain - -http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4 -#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem -#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem - -always_direct allow all -acl excluded_sites ssl::server_name .wellsfargo.com -ssl_bump splice excluded_sites -ssl_bump bump all - -sslproxy_cert_error deny all -#sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 - -icap_enable on -icap_preview_enable on -icap_preview_size 128 -icap_send_client_ip on - -adaptation_access url_check allow all - -access_log /apps/squid/var/logs/access.log squid - -# these are basically to make everything canched -refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload -refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache 
override-expire ignore-reload - -debug_options 11,2 22,10 - -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern (cgi-bin|\?) 0 0% 0 -refresh_pattern . 0 20% 4320 - -icp_port 3130 - - -coredump_dir /apps/squid/var/cache - - -cache_mem 1000 MB - -maximum_object_size 4096 MB -cache_dir aufs /apps/squid/var/cache/squid 10000 16 256 From 4453d5fefed27a5f4935f96bb6167cc1d252a1e6 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:15:21 +0100 Subject: [PATCH 45/50] . --- docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 07390ee..868b4ff 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,8 +20,8 @@ services: options=NO_SSLv3,NO_TLSv1 min-version=1.2 # - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # these are basically to make everything canched - - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' - - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire ignore-reload' + - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire ignore-reload' volumes: - squid-4-cache:/var/cache/squid4 ports: From aad2857dee46f72c783f60e5bd8e6308c3558e5b Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:20:13 +0100 Subject: [PATCH 46/50] . --- docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 868b4ff..2552f4c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
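Review bot: The rewritten `EXTRA_CONFIG3` line, `refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire`, still tells a TLS-bumping proxy to store every HTTPS response for as long as possible regardless of the origin's freshness headers, so a response produced for one client (a token, a personalised page) can be served from cache to another client behind the same proxy; patch 46 on the next line keeps the same rule minus `ignore-reload`, and patches 47–50 then have to carve `auth.docker.io` out by hand, which is a symptom of that rule rather than a fix for it. A safer shape is to allow caching only for the hosts this mirror exists for and deny everything else, e.g. `acl cache_domains dstdomain <REGISTRY_HOSTS - fill in>` followed by `cache deny !cache_domains`, so newly discovered authenticated endpoints are excluded by default instead of one at a time. I believe Squid also clamps refresh_pattern min/max to one year (525600 minutes) with a startup warning, so `999999999` buys nothing over `525600` — worth confirming against the Squid version in use.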
@@ -20,8 +20,8 @@ services: options=NO_SSLv3,NO_TLSv1 min-version=1.2 # - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # these are basically to make everything canched - - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire ignore-reload' - - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire ignore-reload' + - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire' + - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire' volumes: - squid-4-cache:/var/cache/squid4 ports: From 7053c733dd13883eaae18609fa9c8c9d91d894e9 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:26:40 +0100 Subject: [PATCH 47/50] . --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 2552f4c..6bb3e18 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,6 +22,7 @@ services: # these are basically to make everything canched - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire' - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire' + - EXTRA_CONFIG4=cache_deny auth.docker.io volumes: - squid-4-cache:/var/cache/squid4 ports: From c7a076e32c2268de1f71ef26414e5be853d4b411 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:29:13 +0100 Subject: [PATCH 48/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 6bb3e18..8a12de4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -22,7 +22,7 @@ services: # these are basically to make everything canched - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire' - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire' - - EXTRA_CONFIG4=cache_deny auth.docker.io + - EXTRA_CONFIG4=cache deny auth.docker.io volumes: - squid-4-cache:/var/cache/squid4 ports: From cd0f9c681dc6a46bc27c07e3e84ef716bb50dd4e Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:33:28 +0100 Subject: [PATCH 49/50] . --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 8a12de4..fe3718f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,7 +22,8 @@ services: # these are basically to make everything canched - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire' - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire' - - EXTRA_CONFIG4=cache deny auth.docker.io + - EXTRA_CONFIG4= acl no_cache_domains auth.docker.io + - EXTRA_CONFIG5=cache deny no_cache_domains volumes: - squid-4-cache:/var/cache/squid4 ports: From 8e61bf92ced358d3f774aa98f7c6764eb598a7c0 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Fri, 7 Aug 2020 14:35:53 +0100 Subject: [PATCH 50/50] . --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index fe3718f..df9b681 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -22,7 +22,7 @@ services: # these are basically to make everything canched - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 override-expire' - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 override-expire' - - EXTRA_CONFIG4= acl no_cache_domains auth.docker.io + - EXTRA_CONFIG4= acl no_cache_domains dstdomain auth.docker.io - EXTRA_CONFIG5=cache deny no_cache_domains volumes: - squid-4-cache:/var/cache/squid4
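Review bot: `EXTRA_CONFIG5=cache deny no_cache_domains` can only be parsed after the `acl no_cache_domains dstdomain auth.docker.io` definition in `EXTRA_CONFIG4`, so these two entries rely on the entrypoint emitting the EXTRA_CONFIGn variables in numeric order; that ordering is not visible in this series and deserves a comment on these lines, e.g. `# EXTRA_CONFIG4 must precede EXTRA_CONFIG5: the acl is referenced by the cache deny`. The value also begins with a space (`EXTRA_CONFIG4= acl ...`), which Squid's whitespace-tokenising parser most likely ignores, but dropping it, `- EXTRA_CONFIG4=acl no_cache_domains dstdomain auth.docker.io`, removes the doubt and matches the other entries. Note that `dstdomain auth.docker.io` matches that exact host only; if other token endpoints under it appear later, a leading dot (`.auth.docker.io`) would cover subdomains, though that is a deliberate widening.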