From 198e8b1c365d78d678cc068f321f25fcf4f4c352 Mon Sep 17 00:00:00 2001
From: Tony Garnock-Jones
Date: Fri, 12 Nov 2021 13:15:20 +0100
Subject: [PATCH] Better APK proxying, incl ssl bump (mitm!)
---
 packaging/Dockerfile | 11 +++++++++--
 packaging/Makefile | 9 +++++++--
 packaging/squid/Dockerfile | 25 +++++++++++++++++++++++++
 packaging/squid/mitm-myself.sh | 5 +++++
 packaging/squid/squid.conf | 32 ++++++++++++++++++++++++++++++++
 packaging/squid/start.sh | 8 ++++++++
 6 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 packaging/squid/Dockerfile
 create mode 100755 packaging/squid/mitm-myself.sh
 create mode 100644 packaging/squid/squid.conf
 create mode 100755 packaging/squid/start.sh
diff --git a/packaging/Dockerfile b/packaging/Dockerfile
index 46e86c9..b1bf2c9 100644
--- a/packaging/Dockerfile
+++ b/packaging/Dockerfile
@@ -1,9 +1,16 @@
 ARG DOCKER_ARCH
 FROM --platform=linux/${DOCKER_ARCH} alpine:latest
-RUN sed -i -e s:https:http:g /etc/apk/repositories
+# Instead of doing the following, we add a squid cert to effectively MITM ourselves (!):
+# RUN sed -i -e s:https:http:g /etc/apk/repositories
+#
+ARG http_proxy_hostname
+COPY ./squid/mitm-myself.sh /root
+RUN /root/mitm-myself.sh ${http_proxy_hostname}
+
 ARG http_proxy
-RUN http_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers
+RUN http_proxy=${http_proxy} https_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers \
+ rustup openssl-dev
 ARG UID
 ARG BUILD_USER
diff --git a/packaging/Makefile b/packaging/Makefile
index 28b7851..85a3094 100644
--- a/packaging/Makefile
+++ b/packaging/Makefile
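Review bot: The CA that `RUN /root/mitm-myself.sh ${http_proxy_hostname}` installs through update-ca-certificates lands in a persistent layer, so the finished image, and anything built FROM it, keeps trusting the squid CA for every TLS connection, not only the proxied `apk add` on the next lines. The matching private key is created and stored inside the squid image (packaging/squid/Dockerfile in this same patch), so whoever can read that image can mint certificates these containers accept; apk's own signature check on the repository index is independent of the transport, so the exposure is other TLS clients in the image, such as the rustup that is now installed on the same line. If no later layer needs the proxy, a final step such as `RUN rm -f /usr/local/share/ca-certificates/synit-squid-snakeoil.crt /root/mitm-myself.sh && update-ca-certificates` removes both the trust anchor and the helper script; the rest of the Dockerfile is outside the hunk, so that step has to follow the last proxied fetch. A one-line comment above the COPY saying the trust anchor is build-time only (and where it is removed) would make the intent clear to the next reader.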
@@ -9,8 +9,11 @@ DOCKER_SQUID_CONTAINER?=squid
 ifeq ($(DOCKER_SQUID_CONTAINER),)
 DOCKER_SQUID_OPTS=
 else
-DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid -e http_proxy=http://squid:3128/
-HTTP_PROXY=http://$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"'):3128/
+DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid \
+ -e http_proxy=http://squid:3128/ \
+ -e https_proxy=http://squid:3128/
+DOCKER_SQUID_IP=$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')
+HTTP_PROXY=http://$(DOCKER_SQUID_IP):3128/
 endif
 ARCH?=aarch64
@@ -51,8 +54,10 @@ build-image: .build-image.$(ARCH)
 .build-image.$(ARCH): $(KEYFILE)
 docker buildx build \
+ --progress plain \
 --platform=linux/$(DOCKER_ARCH) \
 --build-arg http_proxy=$(HTTP_PROXY) \
+ --build-arg http_proxy_hostname=$(DOCKER_SQUID_IP) \
 --build-arg DOCKER_ARCH=$(DOCKER_ARCH) \
 --build-arg KEYFILE=$(KEYFILE) \
 --build-arg UID=$(UID) \
diff --git a/packaging/squid/Dockerfile b/packaging/squid/Dockerfile
new file mode 100644
index 0000000..1360a2f
--- /dev/null
+++ b/packaging/squid/Dockerfile
@@ -0,0 +1,25 @@
+FROM debian:latest
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y squid-openssl
+
+RUN openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 \
+ -extensions v3_ca -days 365 \
+ -keyout /etc/ssl/private/squid-ca.key \
+ -out /etc/ssl/certs/squid-ca.pem \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS:localhost"
+
+COPY ./squid.conf /etc/squid/conf.d/synit-squid.conf
+
+RUN mkdir -p /var/spool/squid
+
+CMD \
+ chmod -R 0777 /var/spool/squid && \
+ ([ -d /var/spool/squid/ssl_db ] || \
+ /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB) && \
+ /etc/init.d/squid start && \
+ tail -F /var/log/squid/access.log
+
+# other potentially interesting log files: /var/log/squid/cache.log /var/log/squid/store.log
+
+EXPOSE 3127 3128
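Review bot: `DOCKER_SQUID_IP=$(shell docker inspect squid | …)` is recursively assigned, so `docker inspect` (against the literal name `squid`, not `$(DOCKER_SQUID_CONTAINER)`) runs again every time the variable is expanded — once inside `HTTP_PROXY` and once more in the `--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP)` line of the second hunk — and if the container is restarted between the two, the image ends up trusting a CA fetched from one address while proxying through another. `DOCKER_SQUID_IP:=$(shell docker inspect $(DOCKER_SQUID_CONTAINER) | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')` evaluates it once and honours the configurable name. In the second hunk the new build-arg is passed unconditionally, so with `DOCKER_SQUID_CONTAINER=` it expands to an empty hostname and the Dockerfile's mitm-myself.sh step runs against `:3127`; `$(if $(DOCKER_SQUID_IP),--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP)) \` keeps it out of the no-proxy build, though the Dockerfile would then need a matching guard before its RUN.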
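Review bot: The CA private key written to /etc/ssl/private/squid-ca.key by the `RUN openssl req …` step is stored in an image layer, so anyone who can pull or inspect `synit-squid` holds a key that every build container installs as a trust root; generating the pair at container start into the mounted /var/spool/squid (or a Docker secret) keeps it out of the image, and `-days 365` means builds start failing TLS verification after a year unless the pair is regenerated, which deserves a comment. `/etc/init.d/squid start` daemonises and `tail -F` becomes the container's foreground process, so a squid crash leaves the container running while builds hang on the proxy; running `exec squid -N -d 1` as the last CMD step (with the access log read from the host volume if still wanted) makes the failure visible to `docker run`. `chmod -R 0777 /var/spool/squid` makes the host-mounted cache world-writable; chowning it to the account squid runs as (`proxy` on Debian — confirm) is the narrower fix.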
diff --git a/packaging/squid/mitm-myself.sh b/packaging/squid/mitm-myself.sh
new file mode 100755
index 0000000..1c8e500
--- /dev/null
+++ b/packaging/squid/mitm-myself.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+apk add ca-certificates openssl
+openssl s_client -showcerts -connect "$1":3127 /dev/null \
+ | openssl x509 | tee /usr/local/share/ca-certificates/synit-squid-snakeoil.crt
+update-ca-certificates
diff --git a/packaging/squid/squid.conf b/packaging/squid/squid.conf
new file mode 100644
index 0000000..573e9e9
--- /dev/null
+++ b/packaging/squid/squid.conf
@@ -0,0 +1,32 @@
+http_access allow localnet
+
+http_port 3128 ssl-bump \
+ generate-host-certificates=on \
+ dynamic_cert_mem_cache_size=4MB \
+ tls-cert=/etc/ssl/certs/squid-ca.pem \
+ tls-key=/etc/ssl/private/squid-ca.key
+
+# We do not (cannot! it's a Squid limitation, apparently?) ssl-bump on
+# HTTPS connections to the proxy. So what use is it? The answer: it's
+# a means by which clients can download the cert of the proxy and then
+# add it to their trusted roots (!!!).
+#
+https_port 3127 \
+ tls-cert=/etc/ssl/certs/squid-ca.pem \
+ tls-key=/etc/ssl/private/squid-ca.key
+
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+ssl_bump splice all
+
+cache_dir aufs /var/spool/squid 262144 16 256 min-size=0
+refresh_pattern . 10080 9999% 43200
+
+maximum_object_size 10240 MB
+minimum_object_size 0 KB
+maximum_object_size_in_memory 0 MB
+offline_mode on
+
+# cache_store_log stdio:/var/log/squid/store.log
+strip_query_terms off
diff --git a/packaging/squid/start.sh b/packaging/squid/start.sh
new file mode 100755
index 0000000..6e46bdd
--- /dev/null
+++ b/packaging/squid/start.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+docker buildx build -t synit-squid "$(dirname "$0")"
+docker run -it --rm \
+ -p 3127:3127 \
+ -p 3128:3128 \
+ -v /var/tmp/synit-squid-cache:/var/spool/squid \
+ --name squid \
+ synit-squid
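Review bot: A failure of `openssl s_client` or `openssl x509` on the third and fourth lines is masked, because the script has no `set -e` and the pipeline's exit status is that of `tee`; an unreachable or empty `$1` (the Makefile passes an empty hostname when no squid container is configured) produces an empty .crt, `update-ca-certificates` still runs and the build carries on as if trust had been established. `set -eu` after the shebang, and `| openssl x509 -out /usr/local/share/ca-certificates/synit-squid-snakeoil.crt || exit 1` in place of the tee, make the step fail closed. Whatever answers on `$1:3127` becomes a system trust root with no check at all; printing `openssl x509 -noout -fingerprint -sha256` of the fetched cert into the build log lets it be compared with the squid container's, and passing an expected fingerprint in as a second argument would pin it. As rendered here the redirect on line three reads ` /dev/null` rather than `</dev/null`; if the `<` was only lost in display, disregard that part.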
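Review bot: `ssl_bump splice all` on the line after `ssl_bump bump all` can never match, since ssl_bump rules are applied in order and `bump all` already catches everything the step1 peek passed on; drop it, or if the intent is to leave some destinations unbumped, place an acl-limited splice line before the bump. `http_access allow localnet` is the only access rule in this file and relies on a `localnet` acl defined elsewhere (presumably Debian's shipped squid.conf, which includes conf.d — confirm); together with the ports published in start.sh, every client in those ranges gets a proxy that re-signs TLS for any destination, so a comment saying this is meant for the build bridge network only would help the next reader. `offline_mode on` with the `9999%` refresh_pattern keeps serving a cached APKINDEX indefinitely, which is the purpose of the cache but means security updates never reach the image until the cache directory is cleared; a comment such as `# offline_mode: cached objects are never revalidated — wipe /var/spool/squid to pick up new packages` records the trade-off.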
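Review bot: `-p 3127:3127` and `-p 3128:3128` publish the proxy on every host interface, yet as far as the visible Makefile hunks show nothing uses the host ports — the build reaches the container through `--link squid` and the bridge address from `docker inspect` — so the effect is to expose an ssl-bumping, shared-cache proxy to whatever network the host sits on. Drop the two `-p` lines, or bind them to loopback (`-p 127.0.0.1:3128:3128`) if host-side access is wanted. The host directory /var/tmp/synit-squid-cache is then made world-writable by the container's `chmod -R 0777`, so any local user can alter what the proxy serves to builds; a dedicated directory with restricted ownership narrows that. A header comment noting that this script must be running before `make build-image` (inferred from the Makefile's `docker inspect squid`) would document the ordering.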