Better APK proxying, incl ssl bump (mitm!)
This commit is contained in:
parent
ae1fd5ae4a
commit
198e8b1c36
|
@ -1,9 +1,16 @@
|
||||||
ARG DOCKER_ARCH
|
ARG DOCKER_ARCH
|
||||||
FROM --platform=linux/${DOCKER_ARCH} alpine:latest
|
FROM --platform=linux/${DOCKER_ARCH} alpine:latest
|
||||||
|
|
||||||
RUN sed -i -e s:https:http:g /etc/apk/repositories
|
# Instead of doing the following, we add a squid cert to effectively MITM ourselves (!):
|
||||||
|
# RUN sed -i -e s:https:http:g /etc/apk/repositories
|
||||||
|
#
|
||||||
|
ARG http_proxy_hostname
|
||||||
|
COPY ./squid/mitm-myself.sh /root
|
||||||
|
RUN /root/mitm-myself.sh ${http_proxy_hostname}
|
||||||
|
|
||||||
ARG http_proxy
|
ARG http_proxy
|
||||||
RUN http_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers
|
RUN http_proxy=${http_proxy} https_proxy=${http_proxy} apk add bash sudo alpine-sdk linux-headers \
|
||||||
|
rustup openssl-dev
|
||||||
|
|
||||||
ARG UID
|
ARG UID
|
||||||
ARG BUILD_USER
|
ARG BUILD_USER
|
||||||
|
|
|
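Review bot: `RUN /root/mitm-myself.sh ${http_proxy_hostname}` runs unconditionally, but the Makefile only defines `DOCKER_SQUID_IP` (the value passed as `http_proxy_hostname`) inside its `else` branch, so a proxy-less build calls the script with an empty host; because the script's pipeline ends in `tee` and has no `set -e`, that still exits 0 and installs an empty `.crt`. Guard it: `RUN [ -z "${http_proxy_hostname}" ] || /root/mitm-myself.sh "${http_proxy_hostname}"`. Note also that the fetched squid CA is written into the image's system trust store and stays there in every image derived from this one, so anything run from it later trusts whatever that key signs; a comment next to the `COPY` stating this, or a step after the `apk add` that needs it along the lines of `RUN rm /usr/local/share/ca-certificates/synit-squid-snakeoil.crt && update-ca-certificates`, would bound the exposure to the build. The base remains `alpine:latest`, so the `apk add` layer is not reproducible, though that line is unchanged here.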
@ -9,8 +9,11 @@ DOCKER_SQUID_CONTAINER?=squid
|
||||||
ifeq ($(DOCKER_SQUID_CONTAINER),)
|
ifeq ($(DOCKER_SQUID_CONTAINER),)
|
||||||
DOCKER_SQUID_OPTS=
|
DOCKER_SQUID_OPTS=
|
||||||
else
|
else
|
||||||
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid -e http_proxy=http://squid:3128/
|
DOCKER_SQUID_OPTS=--link $(DOCKER_SQUID_CONTAINER):squid \
|
||||||
HTTP_PROXY=http://$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"'):3128/
|
-e http_proxy=http://squid:3128/ \
|
||||||
|
-e https_proxy=http://squid:3128/
|
||||||
|
DOCKER_SQUID_IP=$(shell docker inspect squid | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')
|
||||||
|
HTTP_PROXY=http://$(DOCKER_SQUID_IP):3128/
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ARCH?=aarch64
|
ARCH?=aarch64
|
||||||
|
@ -51,8 +54,10 @@ build-image: .build-image.$(ARCH)
|
||||||
|
|
||||||
.build-image.$(ARCH): $(KEYFILE)
|
.build-image.$(ARCH): $(KEYFILE)
|
||||||
docker buildx build \
|
docker buildx build \
|
||||||
|
--progress plain \
|
||||||
--platform=linux/$(DOCKER_ARCH) \
|
--platform=linux/$(DOCKER_ARCH) \
|
||||||
--build-arg http_proxy=$(HTTP_PROXY) \
|
--build-arg http_proxy=$(HTTP_PROXY) \
|
||||||
|
--build-arg http_proxy_hostname=$(DOCKER_SQUID_IP) \
|
||||||
--build-arg DOCKER_ARCH=$(DOCKER_ARCH) \
|
--build-arg DOCKER_ARCH=$(DOCKER_ARCH) \
|
||||||
--build-arg KEYFILE=$(KEYFILE) \
|
--build-arg KEYFILE=$(KEYFILE) \
|
||||||
--build-arg UID=$(UID) \
|
--build-arg UID=$(UID) \
|
||||||
|
|
|
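Review bot: `DOCKER_SQUID_IP` inspects the literal container name `squid` even though the surrounding `ifeq` exists so the name can be chosen through `DOCKER_SQUID_CONTAINER`; it should read `DOCKER_SQUID_IP:=$(shell docker inspect $(DOCKER_SQUID_CONTAINER) | preserves-tool convert -o unquoted --select '/ . "NetworkSettings" . "IPAddress"')`, the `:=` also stopping `docker inspect` from re-running on every expansion of `HTTP_PROXY` and of the new `--build-arg http_proxy_hostname=` line. In the second hunk that build-arg is passed unconditionally, so when `DOCKER_SQUID_CONTAINER` is empty the Dockerfile receives an empty hostname; either move it into a variable that is only populated in the `else` branch, or make the Dockerfile treat an empty value as "no proxy".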
@ -0,0 +1,25 @@
|
||||||
|
FROM debian:latest
|
||||||
|
|
||||||
|
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y squid-openssl
|
||||||
|
|
||||||
|
RUN openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 \
|
||||||
|
-extensions v3_ca -days 365 \
|
||||||
|
-keyout /etc/ssl/private/squid-ca.key \
|
||||||
|
-out /etc/ssl/certs/squid-ca.pem \
|
||||||
|
-subj "/CN=localhost" \
|
||||||
|
-addext "subjectAltName=DNS:localhost"
|
||||||
|
|
||||||
|
COPY ./squid.conf /etc/squid/conf.d/synit-squid.conf
|
||||||
|
|
||||||
|
RUN mkdir -p /var/spool/squid
|
||||||
|
|
||||||
|
CMD \
|
||||||
|
chmod -R 0777 /var/spool/squid && \
|
||||||
|
([ -d /var/spool/squid/ssl_db ] || \
|
||||||
|
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB) && \
|
||||||
|
/etc/init.d/squid start && \
|
||||||
|
tail -F /var/log/squid/access.log
|
||||||
|
|
||||||
|
# other potentially interesting log files: /var/log/squid/cache.log /var/log/squid/store.log
|
||||||
|
|
||||||
|
EXPOSE 3127 3128
|
|
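Review bot: The `openssl req` step writes the CA private key to `/etc/ssl/private/squid-ca.key` inside an image layer, so every holder of the `synit-squid` image has the key that the build image is taught (via `mitm-myself.sh`) to trust as a root, and every rebuild of this image silently rotates it, invalidating the trust installed in previously built images. Generating the pair at first start instead, guarded the same way the `ssl_db` check already is, keeps it out of the layers; to survive container restarts the key and cert then need a volume of their own (a dedicated directory referenced from `squid.conf`'s `tls-cert`/`tls-key`), not the 0777 cache volume. Separately, `chmod -R 0777 /var/spool/squid` makes the `ssl_db` of generated host keys world-writable, `FROM debian:latest` leaves the base unpinned, and the `apt-get install` layer lacks `--no-install-recommends` and a `rm -rf /var/lib/apt/lists/*`.
```dockerfile
CMD \
  chmod -R 0777 /var/spool/squid && \
  ([ -f /etc/ssl/private/squid-ca.key ] || \
    openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 \
      -extensions v3_ca -days 365 \
      -keyout /etc/ssl/private/squid-ca.key \
      -out /etc/ssl/certs/squid-ca.pem \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost") && \
  # … unchanged: ssl_db initialisation, squid start, tail of access.log …
```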
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
apk add ca-certificates openssl
|
||||||
|
openssl s_client -showcerts -connect "$1":3127 </dev/null 2>/dev/null \
|
||||||
|
| openssl x509 | tee /usr/local/share/ca-certificates/synit-squid-snakeoil.crt
|
||||||
|
update-ca-certificates
|
|
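Review bot: The script cannot fail: `openssl s_client` errors are discarded by `2>/dev/null`, the pipeline's status is that of `tee`, and there is no `set -e`, so an unreachable or wrong `$1` yields an empty `synit-squid-snakeoil.crt` and a zero exit that the calling `RUN` accepts. Since this installs whatever certificate answers on port 3127 as a system trust root, it should at least refuse an empty argument, capture the certificate, and fail if nothing was obtained, as below. `apk add ca-certificates openssl` is also unpinned, which makes the build-image layer non-reproducible.
```sh
#!/bin/sh
set -eu
[ -n "${1:-}" ] || { echo "usage: $0 proxy-host" >&2; exit 2; }
apk add ca-certificates openssl
# the assignment fails (and -e exits) when openssl x509 gets no certificate
cert=$(openssl s_client -showcerts -connect "$1":3127 </dev/null 2>/dev/null | openssl x509)
[ -n "$cert" ] || { echo "no certificate from $1:3127" >&2; exit 1; }
printf '%s\n' "$cert" > /usr/local/share/ca-certificates/synit-squid-snakeoil.crt
update-ca-certificates
```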
@ -0,0 +1,32 @@
|
||||||
|
http_access allow localnet
|
||||||
|
|
||||||
|
http_port 3128 ssl-bump \
|
||||||
|
generate-host-certificates=on \
|
||||||
|
dynamic_cert_mem_cache_size=4MB \
|
||||||
|
tls-cert=/etc/ssl/certs/squid-ca.pem \
|
||||||
|
tls-key=/etc/ssl/private/squid-ca.key
|
||||||
|
|
||||||
|
# We do not (cannot! it's a Squid limitation, apparently?) ssl-bump on
|
||||||
|
# HTTPS connections to the proxy. So what use is it? The answer: it's
|
||||||
|
# a means by which clients can download the cert of the proxy and then
|
||||||
|
# add it to their trusted roots (!!!).
|
||||||
|
#
|
||||||
|
https_port 3127 \
|
||||||
|
tls-cert=/etc/ssl/certs/squid-ca.pem \
|
||||||
|
tls-key=/etc/ssl/private/squid-ca.key
|
||||||
|
|
||||||
|
acl step1 at_step SslBump1
|
||||||
|
ssl_bump peek step1
|
||||||
|
ssl_bump bump all
|
||||||
|
ssl_bump splice all
|
||||||
|
|
||||||
|
cache_dir aufs /var/spool/squid 262144 16 256 min-size=0
|
||||||
|
refresh_pattern . 10080 9999% 43200
|
||||||
|
|
||||||
|
maximum_object_size 10240 MB
|
||||||
|
minimum_object_size 0 KB
|
||||||
|
maximum_object_size_in_memory 0 MB
|
||||||
|
offline_mode on
|
||||||
|
|
||||||
|
# cache_store_log stdio:/var/log/squid/store.log
|
||||||
|
strip_query_terms off
|
|
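Review bot: `ssl_bump splice all` on the final rule is unreachable, because `ssl_bump bump all` directly above it matches every connection first; either drop the splice line or place an ACL-restricted `splice` before the `bump`. `http_access allow localnet` lives in a `conf.d` fragment, and whether it takes effect before or after the `deny !Safe_ports` / `deny CONNECT !SSL_ports` rules of the distribution's shipped `squid.conf` depends on where that file includes `conf.d/*`; verify the effective order with `squid -k parse` and the resulting rule list, since an `allow` that precedes them lets localnet clients CONNECT to arbitrary ports through the bumping proxy. `offline_mode on` together with `refresh_pattern . 10080 9999% 43200` will also serve cached `APKINDEX` files indefinitely, which is presumably intended for reproducible builds but deserves a comment saying so.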
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/sh
|
||||||
|
docker buildx build -t synit-squid "$(dirname "$0")"
|
||||||
|
docker run -it --rm \
|
||||||
|
-p 3127:3127 \
|
||||||
|
-p 3128:3128 \
|
||||||
|
-v /var/tmp/synit-squid-cache:/var/spool/squid \
|
||||||
|
--name squid \
|
||||||
|
synit-squid
|
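Review bot: `docker run` publishes 3127 and 3128 on every host interface, so combined with `http_access allow localnet` in `squid.conf` the bumping proxy is usable by any RFC1918 neighbour of the host; the build container appears to reach squid through its container IP (`DOCKER_SQUID_IP` in the Makefile) and the `--link`, so `-p 127.0.0.1:3127:3127 -p 127.0.0.1:3128:3128` should not break the build. The `/var/spool/squid` volume on `/var/tmp/synit-squid-cache`, which the container's CMD makes 0777, also holds the `ssl_db` with the per-host leaf keys squid generates, so that host directory should be owned by and readable only to the user running the proxy. The script has no `set -e`, so a failed `docker buildx build` still starts whatever `synit-squid` image was built last; add `set -e` after the shebang.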