.
continuous-integration/drone/push Build is passing Details

This commit is contained in:
Giles Bradshaw 2020-08-07 13:52:04 +01:00
parent a7cb95e166
commit c0d5e0bc86
14 changed files with 10 additions and 492 deletions

1
.gitignore vendored
View File

@ -1,2 +1 @@
myCA/*.pem
node_modules

View File

@ -7,11 +7,12 @@ inspired by https://github.com/salrashid123/squid_proxy
## making a CA
```shell
cd myCA
openssl genrsa -out CA_key.pem 2048
openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=UK/ST=Devon/L=Rose Ash/O=Google/OU=SiGyl/CN=Proxy-ca"
```
then set secrets ca-crt and ca-key to the created files
## releasing
[see here](https://sigyl.com/releases/)

View File

@ -1,6 +1,6 @@
version: "3.7"
services:
squid:
squid-4:
deploy:
placement:
constraints: [node.labels.com.sigyl.git-stack == yes]
@ -18,10 +18,12 @@ services:
EXTRA_CONFIG1=tls_outgoing_options
capath=/etc/ssl/certs
options=NO_SSLv3,NO_TLSv1 min-version=1.2
- EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# these are basically to make everything canched
- 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
- 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
- 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
- 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
volumes:
- squid-4-cache:/var/cache/squid4
ports:
- 3128:3128
networks:
@ -46,7 +48,7 @@ services:
- appnet
- externalnet
volumes:
squid-cache:
squid-4-cache:
squid-deb-cache:
networks:

View File

@ -1,24 +0,0 @@
FROM debian:8
RUN apt-get -y update
RUN apt-get install -y curl git openssl build-essential libssl-dev wget vim curl
#RUN mkdir -p /var/log/supervisor
WORKDIR /apps/
RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \
&& CPU=$(( `nproc --all`-1 )) \
&& cd /apps/squid-4.12/ \
&& ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
&& make -j$CPU \
&& make install \
&& cd /apps \
&& rm -rf /apps/squid-4.12
ADD . /apps/
RUN chown -R nobody:nogroup /apps/
RUN mkdir -p /apps/squid/var/lib/
RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB
RUN /apps/squid/sbin/squid -N -f /apps/squid.cache.conf -z
RUN chown -R nobody:nogroup /apps/
EXPOSE 3128
ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
CMD ["/apps/squid.intercept.conf"]

View File

@ -1,3 +0,0 @@
I made dhparam.pem
openssl dhparam -outform PEM -out dhparam.pem 2048

View File

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAk5sKJOAoHj9bZCoUyN0pnYwjzS2vCZWcNOCGKVO+MuyVhbphVGez
UidUVK7OIFX5XUNfrHvxKeN2NkHHfOJXAYdVD/0Th6Ead+nh/xtBw9+ycRhmLR1F
tQY1Kbv23j8h+rJ0q5aiMnCEKevnbPBlV3ARK1oXjAHVuT08flGOcRLb3Qp+qLKQ
xX5WGQcFzVJf56MA/bl5bUbuo7e8O1eZYjdtzz+nvk8zaYqEhqrrPkJDPveGdVKu
FYB4vRfBuOHc/1K9+kwzfNsAYhj51Qs64KjukmpjxZPTVojvnKRqiavRmgBdMWiL
J8VStE1njcXhusk3jGJazeQ5EsJA9u41qwIBAg==
-----END DH PARAMETERS-----

View File

@ -1,3 +0,0 @@
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
coredump_dir /apps/squid/var/cache

View File

@ -1,72 +0,0 @@
always_direct allow all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
htcp_access allow localnet
htcp_access deny all
visible_hostname git.local-domain
http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
always_direct allow all
acl excluded_sites ssl::server_name .wellsfargo.com
ssl_bump splice excluded_sites
ssl_bump bump all
sslproxy_cert_error deny all
sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
adaptation_access url_check allow all
access_log /apps/squid/var/logs/access.log squid
# these are basically to make everything canched
refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
debug_options 11,2 22,10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /apps/squid/var/cache
cache_mem 1000 MB
maximum_object_size 4096 MB
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256

View File

@ -1,121 +0,0 @@
ARG DOCKER_PREFIX=
FROM ${DOCKER_PREFIX}ubuntu:xenial
ARG TRUST_CERT=
RUN if [ ! -z "$TRUST_CERT" ]; then \
echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \
update-ca-certificates ; \
fi
# Normalize apt sources
RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \
cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \
cat sources.tmp.1 sources.tmp.2 > /etc/apt/sources.list && \
rm -f sources.tmp.1 sources.tmp.2
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get build-dep -y squid && \
DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar xz-utils libssl-dev
ARG SQUID_VERSION=4.0.21
# TODO: verify the squid download with the signing key
RUN mkdir /src \
&& cd /src \
&& wget http://www.squid-cache.org/Versions/v4/squid-$SQUID_VERSION.tar.xz \
&& mkdir squid \
&& tar -C squid --strip-components=1 -xvf squid-$SQUID_VERSION.tar.xz
RUN cd /src/squid && \
./configure \
--prefix=/usr \
--datadir=/usr/share/squid4 \
--sysconfdir=/etc/squid4 \
--localstatedir=/var \
--mandir=/usr/share/man \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd,rock" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-underscores \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos,wrapper" \
--enable-auth-ntlm="fake" \
--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \
--enable-url-rewrite-helpers="fake" \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--with-openssl \
--enable-ssl \
--enable-ssl-crtd \
--disable-translation \
--with-swapdir=/var/spool/squid4 \
--with-logdir=/var/log/squid4 \
--with-pidfile=/var/run/squid4.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--disable-arch-native
ARG CONCURRENCY=1
RUN cd /src/squid && \
make -j$CONCURRENCY && \
make install
# Download p2cli dependency
RUN wget -O /usr/local/bin/p2 \
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
chmod +x /usr/local/bin/p2
# Clone and build proxychains-ng for SSL upstream proxying
ARG PROXYCHAINS_COMMITTISH=7a233fb1f05bcbf3d7f5c91658932261de1e13cb
RUN apt-get install -y git
RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
cd /src/proxychains-ng && \
git checkout $PROXYCHAINS_COMMITTISH && \
./configure --prefix=/usr --sysconfdir=/etc && \
make -j$CONCURRENCY && make install
ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz
RUN wget -O /tmp/doh.tgz \
$URL_DOH && \
tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \
chmod +x /usr/local/bin/dns-over-https-proxy
COPY squid.conf.p2 /squid.conf.p2
COPY squid.bsh /squid.bsh
# Configuration environment
ENV HTTP_PORT=3128 \
ICP_PORT= \
HTCP_PORT= \
MITM_PROXY= \
MITM_CERT= \
MITM_KEY= \
VISIBLE_HOSTNAME=docker-squid4 \
MAX_CACHE_SIZE=40000 \
MAX_OBJECT_SIZE="1536 MB" \
MEM_CACHE_SIZE="128 MB" \
DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \
DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \
DNS_OVER_HTTPS_NO_FALLTHROUGH="" \
DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \
DNS_OVER_HTTPS_PREFIX_SERVER= \
DNS_OVER_HTTPS_SUFFIX_SERVER=
EXPOSE 3128
ENTRYPOINT [ "/squid.bsh" ]

View File

@ -1 +0,0 @@
from https://github.com/wrouesnel/docker-squid4

View File

@ -1,134 +0,0 @@
#!/bin/bash
# Setup the ssl_cert directory
if [ ! -d /etc/squid4/ssl_cert ]; then
mkdir /etc/squid4/ssl_cert
fi
chown -R proxy:proxy /etc/squid4
chmod 700 /etc/squid4/ssl_cert
# Setup the squid cache directory
if [ ! -d /var/cache/squid4 ]; then
mkdir -p /var/cache/squid4
fi
chown -R proxy: /var/cache/squid4
chmod -R 750 /var/cache/squid4
if [ ! -z $MITM_PROXY ]; then
if [ ! -z $MITM_KEY ]; then
echo "Copying $MITM_KEY as MITM key..."
cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem
chown root:proxy /etc/squid4/ssl_cert/mitm.pem
fi
if [ ! -z $MITM_CERT ]; then
echo "Copying $MITM_CERT as MITM CA..."
cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt
chown root:proxy /etc/squid4/ssl_cert/mitm.crt
fi
if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then
echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2
exit 1
fi
fi
chown proxy: /dev/stdout
chown proxy: /dev/stderr
# Initialize the certificates database
/usr/libexec/security_file_certgen -c -s /var/spool/squid4/ssl_db
chown -R proxy: /var/spool/squid4/ssl_db
#ssl_crtd -c -s
#ssl_db
# Set the configuration
if [ "$CONFIG_DISABLE" != "yes" ]; then
p2 -t /squid.conf.p2 > /etc/squid4/squid.conf
# Parse the cache peer lines from the environment and add them to the
# configuration
echo '# CACHE PEERS FROM DOCKER' >> /etc/squid4/squid.conf
env | grep 'CACHE_PEER' | sort | while read cacheline; do
echo "# $cacheline " >> /etc/squid4/squid.conf
line=$(echo $cacheline | cut -d'=' -f2-)
echo "cache_peer $line" >> /etc/squid4/squid.conf
done
# Parse the extra config lines and append them to the configuration
echo '# EXTRA CONFIG FROM DOCKER' >> /etc/squid4/squid.conf
env | grep 'EXTRA_CONFIG' | sort | while read extraline; do
echo "# $extraline " >> /etc/squid4/squid.conf
line=$(echo $extraline | cut -d'=' -f2-)
echo "$line" >> /etc/squid4/squid.conf
done
else
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
fi
if [ "$DNS_OVER_HTTPS" = "yes" ]; then
echo "Starting DNS-over-HTTPS proxy..."
# TODO: find a way to tie this to the proxychains config
dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \
-address "$DNS_OVER_HTTPS_LISTEN_ADDR" \
-primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \
-fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \
-no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \
-fallthrough-statuses "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES" &
echo "Adding dns_nameservers line to squid.conf..."
echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf
fi
if [ ! -e /etc/squid4/squid.conf ]; then
echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work."
exit 1
fi
# If proxychains is requested and config templating is active
if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
# Enable remote DNS proxy
if [ ! -z "$PROXYCHAIN_DNS" ]; then
echo "proxy_dns" >> /etc/proxychains.conf
fi
# Configure proxy type
if [ ! -z "$PROXYCHAIN_TYPE" ]; then
echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
else
echo "strict_chain" >> /etc/proxychains.conf
fi
echo "[ProxyList]" >> /etc/proxychains.conf
env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
echo "# $proxyline " >> /etc/squid4/squid.conf
line=$(echo $proxyline | cut -d'=' -f2-)
echo "$line" >> /etc/proxychains.conf
done
else
echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
fi
# Build the configuration directories if needed
squid -z -N
if [ "$PROXYCHAIN" = "yes" ]; then
if [ ! -e /etc/proxychains.conf ]; then
echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
exit 1
fi
# Start squid with proxychains
proxychains4 -f /etc/proxychains.conf squid -N 2>&1 &
PID=$!
else
# Start squid normally
squid -N 2>&1 &
PID=$!
fi
# This construct allows signals to kill the container successfully.
trap "kill -TERM $(jobs -p)" INT TERM
wait $PID
wait $PID
exit $?

View File

@ -1,46 +0,0 @@
# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN.
# Default all logs to stdout and stderr
logfile_rotate 0
access_log stdio:/dev/stdout combined
cache_store_log stdio:/dev/stdout
cache_log /dev/stderr
netdb_filename stdio:/var/cache/squid4/netdb.state
# Visible hostname to allow multi-squid
visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}}
{% if DISABLE_CACHE|default:"" != "yes" %}
# Cache directory is fixed since we'll bind mount.
cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256
{% endif %}
maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}}
cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
tls_outgoing_options capath=/etc/ssl/certs \
options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \
cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB \
cert=/etc/squid4/ssl_cert/mitm.crt \
key=/etc/squid4/ssl_cert/mitm.pem
{% endif %}
{% if MITM_PROXY|default:"" == "yes" %}
ssl_bump server-first all
{% endif %}
{% if ICP_PORT|default:"" != "" %}
icp_port {{ICP_PORT}}
icp_access allow all
{% endif %}
{% if HTCP_PORT|default:"" != "" %}
htcp_port {{HTCP_PORT}}
htcp_access allow all
{% endif %}
http_access allow all

View File

@ -1,72 +0,0 @@
always_direct allow all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
htcp_access allow localnet
htcp_access deny all
visible_hostname git.local-domain
http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
always_direct allow all
acl excluded_sites ssl::server_name .wellsfargo.com
ssl_bump splice excluded_sites
ssl_bump bump all
sslproxy_cert_error deny all
#sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
adaptation_access url_check allow all
access_log /apps/squid/var/logs/access.log squid
# these are basically to make everything canched
refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
debug_options 11,2 22,10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /apps/squid/var/cache
cache_mem 1000 MB
maximum_object_size 4096 MB
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256