Better APK proxying, incl ssl bump (mitm!)
This commit is contained in:
parent
ae1fd5ae4a
commit
198e8b1c36
|
@ -1,9 +1,16 @@
|
|||
ARG DOCKER_ARCH
|
||||
FROM --platform=linux/${DOCKER_ARCH} alpine:latest
|
||||
|
||||
RUN sed -i -e s:https:http:g /etc/apk/repositories
|
||||
# Instead of doing the following, we add a squid cert to effectively MITM ourselves (!):
|
||||
# RUN sed -i -e s:https:http:g /etc/apk/repositories
|
||||
#
|
||||
ARG http_proxy_hostname
|
||||
COPY ./squid/mitm-myself.sh /root
|
||||
RUN /root/mitm-myself.sh ${http_proxy_hostname}
|
||||
|
||||
ARG http_proxy
|
||||
RUN http_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers
|
||||
RUN http_proxy=${http_proxy} https_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers \
|
||||
rustup openssl-dev
|
||||
|
||||
ARG UID
|
||||
ARG BUILD_USER
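Review bot: The `RUN /root/mitm-myself.sh ${http_proxy_hostname}` line leaves the squid CA installed as a system trust root in the image (`/usr/local/share/ca-certificates/synit-squid-snakeoil.crt` plus the regenerated bundle), so every later step and the running container keep trusting a CA whose private key lives in the squid image. Once the last proxied download is done, remove it in the same stage, e.g. `RUN rm /usr/local/share/ca-certificates/synit-squid-snakeoil.crt && update-ca-certificates`; if steps outside this hunk still need https through the proxy, make that the final RUN instead. The script is also invoked unconditionally while `ARG http_proxy_hostname` has no default, and the Makefile's `--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP)` in the build-image hunk is empty when `DOCKER_SQUID_CONTAINER` is empty, so the no-proxy configuration appears to end up running `openssl s_client -connect :3127`; guarding with `RUN [ -z "${http_proxy_hostname}" ] || /root/mitm-myself.sh "${http_proxy_hostname}"` keeps that path working. Note that this RUN executes before `ARG http_proxy` is declared, so the script's own `apk add ca-certificates openssl` goes direct rather than via the proxy — presumably intended, since the cert is not trusted yet, but worth a comment above the RUN.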
|
||||
|
|
|
@ -9,8 +9,11 @@ DOCKER_SQUID_CONTAINER?=squid
|
|||
ifeq ($(DOCKER_SQUID_CONTAINER),)
|
||||
DOCKER_SQUID_OPTS=
|
||||
else
|
||||
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid -e http_proxy=http://squid:3128/
|
||||
HTTP_PROXY=http://$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"'):3128/
|
||||
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid \
|
||||
-e http_proxy=http://squid:3128/ \
|
||||
-e https_proxy=http://squid:3128/
|
||||
DOCKER_SQUID_IP=$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')
|
||||
HTTP_PROXY=http://$(DOCKER_SQUID_IP):3128/
|
||||
endif
|
||||
|
||||
ARCH?=aarch64
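Review bot: `DOCKER_SQUID_IP` still inspects the literal container name `squid` while the `--link` option above it uses `$(DOCKER_SQUID_CONTAINER)`, so overriding that variable on the command line links one container but proxies through another's address; use `docker inspect $(DOCKER_SQUID_CONTAINER)`. Because the assignment uses `=`, the `docker inspect` shell call re-runs on every expansion of `DOCKER_SQUID_IP` and `HTTP_PROXY`; `DOCKER_SQUID_IP:=$(shell …)` evaluates it once. It may also be worth failing early when the inspect returns nothing (container not running), since the empty value is otherwise passed silently as a build arg.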
|
||||
|
@ -51,8 +54,10 @@ build-image: .build-image.$(ARCH)
|
|||
|
||||
.build-image.$(ARCH): $(KEYFILE)
|
||||
docker buildx build \
|
||||
--progress plain \
|
||||
--platform=linux/$(DOCKER_ARCH) \
|
||||
--build-arg http_proxy=$(HTTP_PROXY) \
|
||||
--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP) \
|
||||
--build-arg DOCKER_ARCH=$(DOCKER_ARCH) \
|
||||
--build-arg KEYFILE=$(KEYFILE) \
|
||||
--build-arg UID=$(UID) \
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
FROM debian:latest
|
||||
|
||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y squid-openssl
|
||||
|
||||
RUN openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 \
|
||||
-extensions v3_ca -days 365 \
|
||||
-keyout /etc/ssl/private/squid-ca.key \
|
||||
-out /etc/ssl/certs/squid-ca.pem \
|
||||
-subj "/CN=localhost" \
|
||||
-addext "subjectAltName=DNS:localhost"
|
||||
|
||||
COPY ./squid.conf /etc/squid/conf.d/synit-squid.conf
|
||||
|
||||
RUN mkdir -p /var/spool/squid
|
||||
|
||||
CMD \
|
||||
chmod -R 0777 /var/spool/squid && \
|
||||
([ -d /var/spool/squid/ssl_db ] || \
|
||||
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB) && \
|
||||
/etc/init.d/squid start && \
|
||||
tail -F /var/log/squid/access.log
|
||||
|
||||
# other potentially interesting log files: /var/log/squid/cache.log /var/log/squid/store.log
|
||||
|
||||
EXPOSE 3127 3128
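Review bot: The `openssl req` step writes the CA private key into an image layer (`/etc/ssl/private/squid-ca.key`), so anyone who can pull or export `synit-squid` can mint certificates that the build image, after `mitm-myself.sh`, trusts for any host; the image should not be pushed anywhere shared, and a safer layout generates the CA at first start into the persistent volume, guarded like the `ssl_db` check in `CMD`, with squid.conf's `tls-cert`/`tls-key` pointing there. The fixed `-days 365` also means a cached image silently starts failing TLS bumps after a year. Separately, the apt line would follow the usual pattern `apt-get install -y --no-install-recommends squid-openssl && rm -rf /var/lib/apt/lists/*`, `FROM debian:latest` is unpinned, and the shell-form `CMD` ends in `tail -F` as PID 1, so `docker stop` signals the tail rather than squid, while `chmod -R 0777` makes the bind-mounted host cache directory world-writable.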
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/sh
|
||||
apk add ca-certificates openssl
|
||||
openssl s_client -showcerts -connect "$1":3127 </dev/null 2>/dev/null \
|
||||
| openssl x509 | tee /usr/local/share/ca-certificates/synit-squid-snakeoil.crt
|
||||
update-ca-certificates
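Review bot: The script trusts whatever answers on `"$1":3127` and has no error handling: with no `set -e`, a failed `s_client` leaves an empty `synit-squid-snakeoil.crt`, `update-ca-certificates` still exits 0, and the build only fails later on the next https `apk add` with an unrelated-looking certificate error. Check the argument, stop on the first failure, and only install a non-empty certificate; an expected fingerprint passed as a second argument and compared with `openssl x509 -fingerprint -sha256 -noout` would additionally tie the trust root to the intended proxy rather than to whoever is reachable at that address during the build.
```sh
#!/bin/sh
set -eu
proxy_host=${1:?usage: mitm-myself.sh <proxy-host>}
apk add ca-certificates openssl
# `openssl x509` exits non-zero on empty input, so a failed connection aborts here
cert=$(openssl s_client -showcerts -connect "$proxy_host":3127 </dev/null 2>/dev/null | openssl x509)
printf '%s\n' "$cert" >/usr/local/share/ca-certificates/synit-squid-snakeoil.crt
update-ca-certificates
```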
|
|
@ -0,0 +1,32 @@
|
|||
http_access allow localnet
|
||||
|
||||
http_port 3128 ssl-bump \
|
||||
generate-host-certificates=on \
|
||||
dynamic_cert_mem_cache_size=4MB \
|
||||
tls-cert=/etc/ssl/certs/squid-ca.pem \
|
||||
tls-key=/etc/ssl/private/squid-ca.key
|
||||
|
||||
# We do not (cannot! it's a Squid limitation, apparently?) ssl-bump on
|
||||
# HTTPS connections to the proxy. So what use is it? The answer: it's
|
||||
# a means by which clients can download the cert of the proxy and then
|
||||
# add it to their trusted roots (!!!).
|
||||
#
|
||||
https_port 3127 \
|
||||
tls-cert=/etc/ssl/certs/squid-ca.pem \
|
||||
tls-key=/etc/ssl/private/squid-ca.key
|
||||
|
||||
acl step1 at_step SslBump1
|
||||
ssl_bump peek step1
|
||||
ssl_bump bump all
|
||||
ssl_bump splice all
|
||||
|
||||
cache_dir aufs /var/spool/squid 262144 16 256 min-size=0
|
||||
refresh_pattern . 10080 9999% 43200
|
||||
|
||||
maximum_object_size 10240 MB
|
||||
minimum_object_size 0 KB
|
||||
maximum_object_size_in_memory 0 MB
|
||||
offline_mode on
|
||||
|
||||
# cache_store_log stdio:/var/log/squid/store.log
|
||||
strip_query_terms off
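Review bot: `ssl_bump splice all` on the last ssl_bump line can never match, because the rules are evaluated in order and `ssl_bump bump all` directly above already matches every connection after the peek; either drop it or, if some hosts should be spliced rather than bumped, put an acl-restricted splice rule before the `bump all`. `http_access allow localnet` admits every client in squid's stock `localnet` ranges (RFC1918 and link-local, assuming the distribution default squid.conf is still included) to a proxy that bumps all TLS, and the run script publishes 3127/3128 on every host interface, so any machine on the LAN can route through it and fetch content served under its CA; restricting the ACL to the build container's network, or binding the published ports to loopback, narrows that. With `offline_mode on` and `refresh_pattern . 10080 9999% 43200`, bumped HTTPS responses are served from cache regardless of upstream freshness, which is presumably the point for a package cache but leaves apk's own signature checks as the only integrity guard — worth a comment next to those two lines.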
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/sh
|
||||
docker buildx build -t synit-squid "$(dirname "$0")"
|
||||
docker run -it --rm \
|
||||
-p 3127:3127 \
|
||||
-p 3128:3128 \
|
||||
-v /var/tmp/synit-squid-cache:/var/spool/squid \
|
||||
--name squid \
|
||||
synit-squid
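Review bot: The two `-p` options publish the bumping proxy and its CA-download port on every host interface; since the Makefile reaches the container through its bridge IP via `docker inspect`, the host publish appears to exist only for convenience, and `-p 127.0.0.1:3127:3127 -p 127.0.0.1:3128:3128` would keep it off the LAN. The container's `CMD` also runs `chmod -R 0777` on the bind-mounted `/var/tmp/synit-squid-cache`, making the host-side cache world-writable; a dedicated directory with a fixed owner, or a named volume, avoids that. `-it --rm` discards the container on exit, which is fine for a dev helper but worth a one-line comment at the top of the script.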
|