Better APK proxying, incl ssl bump (mitm!)

This commit is contained in:
Tony Garnock-Jones 2021-11-12 13:15:20 +01:00
parent ae1fd5ae4a
commit 198e8b1c36
6 changed files with 86 additions and 4 deletions


@ -1,9 +1,16 @@
ARG DOCKER_ARCH
FROM --platform=linux/${DOCKER_ARCH} alpine:latest
RUN sed -i -e s:https:http:g /etc/apk/repositories
# Instead of doing the following, we add a squid cert to effectively MITM ourselves (!):
# RUN sed -i -e s:https:http:g /etc/apk/repositories
#
ARG http_proxy_hostname
COPY ./squid/mitm-myself.sh /root
RUN /root/mitm-myself.sh ${http_proxy_hostname}
ARG http_proxy
RUN http_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers
RUN http_proxy=${http_proxy} https_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers \
rustup openssl-dev
ARG UID
ARG BUILD_USER
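Review bot: The proxy's snakeoil CA that L20 installs through `mitm-myself.sh` is still in the image's system trust store after the `apk add` on L23-L24 finishes, so every TLS client that later runs from this image will accept certificates minted by that proxy, not only the package fetch this hunk is about. Scope the trust change to the install step by appending `&& rm /usr/local/share/ca-certificates/synit-squid-snakeoil.crt && update-ca-certificates` to the `apk add` line on L23-L24 (or as the next `RUN`), so the final filesystem no longer carries the root. L24 also pulls `rustup` and `openssl-dev` unpinned on top of `alpine:latest`, so the caching proxy does not by itself make the build reproducible; pinning the base tag and package versions would. The Dockerfile continues past `ARG BUILD_USER`, outside this hunk.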


@ -9,8 +9,11 @@ DOCKER_SQUID_CONTAINER?=squid
ifeq ($(DOCKER_SQUID_CONTAINER),)
DOCKER_SQUID_OPTS=
else
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid -e http_proxy=http://squid:3128/
HTTP_PROXY=http://$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"'):3128/
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid \
-e http_proxy=http://squid:3128/ \
-e https_proxy=http://squid:3128/
DOCKER_SQUID_IP=$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')
HTTP_PROXY=http://$(DOCKER_SQUID_IP):3128/
endif
ARCH?=aarch64
@ -51,8 +54,10 @@ build-image: .build-image.$(ARCH)
.build-image.$(ARCH): $(KEYFILE)
docker buildx build \
--progress plain \
--platform=linux/$(DOCKER_ARCH) \
--build-arg http_proxy=$(HTTP_PROXY) \
--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP) \
--build-arg DOCKER_ARCH=$(DOCKER_ARCH) \
--build-arg KEYFILE=$(KEYFILE) \
--build-arg UID=$(UID) \
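Review bot: `DOCKER_SQUID_IP` on L39 inspects the literal container name `squid` while the surrounding branch honours `$(DOCKER_SQUID_CONTAINER)` (L31, L36), so overriding that variable makes `http_proxy_hostname` point at the wrong container, and `mitm-myself.sh` will then fetch and trust whatever answers at that address, if anything; use `docker inspect $(DOCKER_SQUID_CONTAINER)`. `docker inspect` can also report an empty top-level `IPAddress` (for example for containers on a user-defined network), in which case an empty hostname is silently passed into the image build; make the assignment `:=` and add an `ifeq ($(DOCKER_SQUID_IP),)` / `$(error could not determine squid container IP)` / `endif` guard so the build fails loudly instead. The `docker buildx build` invocation continues past `--build-arg UID=$(UID)`, outside this hunk.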


@ -0,0 +1,25 @@
FROM debian:latest
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y squid-openssl
RUN openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 \
-extensions v3_ca -days 365 \
-keyout /etc/ssl/private/squid-ca.key \
-out /etc/ssl/certs/squid-ca.pem \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost"
COPY ./squid.conf /etc/squid/conf.d/synit-squid.conf
RUN mkdir -p /var/spool/squid
CMD \
chmod -R 0777 /var/spool/squid && \
([ -d /var/spool/squid/ssl_db ] || \
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB) && \
/etc/init.d/squid start && \
tail -F /var/log/squid/access.log
# other potentially interesting log files: /var/log/squid/cache.log /var/log/squid/store.log
EXPOSE 3127 3128
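Review bot: The CA private key written on L61 is generated at build time and therefore lives in an image layer, so every copy of `synit-squid` shares the key that client images are told to add to their trust roots by `mitm-myself.sh`; anyone who can pull or export the image can mint certificates those clients accept. Generate the pair at container start instead — inside the `CMD` chain, only when the key is absent on the `/var/spool/squid` volume, with the `tls-cert`/`tls-key` paths in squid.conf moved to match — and give the key `chmod 0600` rather than the blanket `chmod -R 0777` on L68, which also leaves the generated-certificate `ssl_db` world-writable. `debian:latest` on L57 should be pinned to a release tag for the same reproducibility this proxy exists to provide. Because the shell-form `CMD` starts squid through the init script and then blocks in `tail`, `docker stop` signals the shell rather than squid; running `squid -N` in the foreground as the last command would fix that too.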

5
packaging/squid/mitm-myself.sh Executable file

@ -0,0 +1,5 @@
#!/bin/sh
apk add ca-certificates openssl
openssl s_client -showcerts -connect "$1":3127 </dev/null 2>/dev/null \
| openssl x509 | tee /usr/local/share/ca-certificates/synit-squid-snakeoil.crt
update-ca-certificates
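Review bot: The script installs whatever certificate the host named in `$1` presents on port 3127 as a system trust root, with no authentication of that certificate and no `set -e`, so a spoofed or mistyped proxy address yields a rogue root in the image, and a connection failure yields an empty `synit-squid-snakeoil.crt` while `update-ca-certificates` still exits 0 and the `RUN` step passes. Since the Makefile runs on the host that started the squid container, it can obtain the CA's SHA-256 fingerprint (for example `docker exec squid openssl x509 -in /etc/ssl/certs/squid-ca.pem -noout -fingerprint -sha256`) and pass it as a second build argument, so the script refuses to install on mismatch; the Dockerfile's `RUN /root/mitm-myself.sh ${http_proxy_hostname}` would gain that argument. The rewrite below also uses `set -eu` so a failed fetch aborts the build instead of writing an empty certificate file.
```shell
#!/bin/sh
# Usage: mitm-myself.sh <proxy-host> <expected-sha256-fingerprint>
set -eu
proxy_host="$1"
expected_fp="$2"
crt=/usr/local/share/ca-certificates/synit-squid-snakeoil.crt
apk add ca-certificates openssl
openssl s_client -showcerts -connect "$proxy_host":3127 </dev/null 2>/dev/null \
  | openssl x509 > "$crt"
actual_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | sed 's/^.*=//')
if [ "$actual_fp" != "$expected_fp" ]; then
  echo "squid CA fingerprint mismatch: got $actual_fp, expected $expected_fp" >&2
  rm -f "$crt"
  exit 1
fi
update-ca-certificates
```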


@ -0,0 +1,32 @@
http_access allow localnet
http_port 3128 ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB \
tls-cert=/etc/ssl/certs/squid-ca.pem \
tls-key=/etc/ssl/private/squid-ca.key
# We do not (cannot! it's a Squid limitation, apparently?) ssl-bump on
# HTTPS connections to the proxy. So what use is it? The answer: it's
# a means by which clients can download the cert of the proxy and then
# add it to their trusted roots (!!!).
#
https_port 3127 \
tls-cert=/etc/ssl/certs/squid-ca.pem \
tls-key=/etc/ssl/private/squid-ca.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
cache_dir aufs /var/spool/squid 262144 16 256 min-size=0
refresh_pattern . 10080 9999% 43200
maximum_object_size 10240 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 0 MB
offline_mode on
# cache_store_log stdio:/var/log/squid/store.log
strip_query_terms off
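Review bot: With `ssl_bump bump all` on L106 the proxy decrypts every HTTPS connection, and `strip_query_terms off` on L115 then records the full plaintext URL, query string included, in access.log — which the squid image's `CMD` tails to the container's stdout — so any token or credential a client passes in a URL ends up in plaintext logs; keep the default `strip_query_terms on` unless actively debugging. `http_access allow localnet` on L90 admits every RFC1918 and link-local source, and start.sh publishes 3128 on all host interfaces, which turns this into a certificate-minting proxy for the whole LAN; narrow it to the build containers' network, e.g. `acl synit_clients src 172.17.0.0/16` followed by `http_access allow synit_clients` (adjust the range to the docker bridge in use). `ssl_bump splice all` on L107 can never match once `bump all` precedes it, so either drop it or comment it as intentional.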

8
packaging/squid/start.sh Executable file

@ -0,0 +1,8 @@
#!/bin/sh
docker buildx build -t synit-squid "$(dirname "$0")"
docker run -it --rm \
-p 3127:3127 \
-p 3128:3128 \
-v /var/tmp/synit-squid-cache:/var/spool/squid \
--name squid \
synit-squid
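Review bot: The two `-p` mappings on L125-L126 publish the bumping proxy and its cert-download port on every host interface, although the Makefile reaches the container through `--link` and its own IP, so the host binding is only a convenience; bind to loopback, `-p 127.0.0.1:3127:3127 \` and `-p 127.0.0.1:3128:3128 \`, so nothing else on the LAN can route through a proxy that mints certificates the build images trust. The cache volume on L127 lives under the shared `/var/tmp` and the image's `CMD` makes it world-writable, so any local user can alter what `offline_mode on` will later serve to builds and can read the generated-certificate `ssl_db`; a directory under the project tree or the user's cache directory with default permissions would be safer. The script also rebuilds the image on every start without `set -e`, so a failed build silently runs the previous `synit-squid` image; add `set -e` after the shebang.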