imp: switching from Alpine to Debian

Author: Tardo

.hadolint.yaml

@@ -1,7 +1,5 @@
 ignored:
-  - DL3003
-  - DL3007
-  - DL3018
+  - DL3008
 trustedRegistries:
   - docker.io
   - "*.gcr.io"

Dockerfile

@@ -1,28 +1,31 @@
-FROM alpine:latest AS build-privoxy
+FROM debian:stable-slim AS build-privoxy
 
 ARG PRIVOXY_VERSION=4.0.0
 ARG PRIVOXY_SRC_SHA1SUM=d302cb0bf23536e67a1b5505d01486a335d9c4c0
 ARG PRIVOXY_CONFIG_OPTIONS="--disable-toggle --disable-editor --disable-force --with-openssl --with-brotli"
-ARG PRIVOXY_BUILD_EXTRA="openssl-dev brotli-dev"
+ARG PRIVOXY_BUILD_EXTRA="libssl-dev libbrotli-dev"
 
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
 
 WORKDIR /build
 
 RUN set -eux; \
-    apk add --no-cache --virtual build-tools \
-        gcc \
+    apt-get update && apt-get install -y --no-install-recommends \
+        build-essential \
         autoconf \
-        make \
-        git; \
-    apk add --no-cache --virtual build-deps \
-        libc-dev \
-        zlib-dev \
-        pcre2-dev \
-        $PRIVOXY_BUILD_EXTRA;
-
+        ca-certificates \
+        git \
+        curl \
+        libc6-dev \
+        zlib1g-dev \
+        libpcre2-dev \
+        $PRIVOXY_BUILD_EXTRA; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*;
+
+# hadolint ignore=DL3003
 RUN set -eux; \
-    wget -qO privoxy-src.tar.gz https://sourceforge.net/projects/ijbswa/files/Sources/${PRIVOXY_VERSION}%20%28stable%29/privoxy-${PRIVOXY_VERSION}-stable-src.tar.gz/download; \
+    curl -L -o privoxy-src.tar.gz https://sourceforge.net/projects/ijbswa/files/Sources/${PRIVOXY_VERSION}%20%28stable%29/privoxy-${PRIVOXY_VERSION}-stable-src.tar.gz/download; \
     echo "${PRIVOXY_SRC_SHA1SUM} privoxy-src.tar.gz" | sha1sum -c; \
     tar -zxvf privoxy-src.tar.gz; \
     cd privoxy-${PRIVOXY_VERSION}-stable; \
@@ -34,34 +37,23 @@ RUN set -eux; \
     privoxy --version;
 
 
-FROM alpine:latest AS build-adblock2privoxy
+FROM haskell:slim AS build-adblock2privoxy
 
 ARG ADBLOCK2PRIVOXY_RESOLVER=lts-21.25
 
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
 
 WORKDIR /build
 
 RUN set -eux; \
-    apk add --no-cache --virtual build-tools \
-        gcc \
-        g++ \
-        make \
-        curl \
-        gmp \
+    apt-get update && apt-get install -y --no-install-recommends \
         git \
-        ghc \
-        cabal \
-        stack; \
-    apk add --no-cache --virtual build-deps \
-        musl-dev \
-        zlib-dev \
-        gmp-dev \
-        ncurses-libs \
-        ncurses-dev \
-        xz;
-    #curl -sSL https://get.haskellstack.org/ | sh;
+        zlib1g-dev \
+        libncurses-dev; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*;
 
+# hadolint ignore=DL3003
 RUN set -eux; \
     git clone https://github.com/essandess/adblock2privoxy.git . --depth=1; \
     export STACK_ROOT=/usr/local/etc/.stack; \
@@ -72,11 +64,19 @@ RUN set -eux; \
     adblock2privoxy --version;
 
 
-FROM alpine:latest AS runtime
+FROM debian:stable-slim AS runtime
 
 ARG SYSTEM_EXTRA_PKGS="brotli net-tools"
 
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+
+ENV PRIVOXY_PORT=8118 \
+    ADBLOCK_URLS="" \
+    ADBLOCK_NGINX_ENABLED=true \
+    ADBLOCK_CSS_DOMAIN="172.17.0.2" \
+    NGINX_SERVER_NAME="172.17.0.2" \
+    NGINX_PORT=80 \
+    NGINX_PORT_SSL=443
 
 # Create Privoxy User
 RUN set -ex; \
@@ -94,19 +94,24 @@ RUN set -ex; \
 
 # Add system tools
 RUN set -eux; \
-    apk add --no-cache --virtual runtime-deps \
+    apt-get update && apt-get install -y --no-install-recommends \
         python3 \
-        pcre2 \
+        pcre2-utils \
         openssl \
         nginx \
-        gmp \
-        ncurses \
-        $SYSTEM_EXTRA_PKGS;
+        libgmp-dev \
+        libncurses-dev \
+        ca-certificates \
+        gettext-base \
+        $SYSTEM_EXTRA_PKGS; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*;
 
 # Docker Entry Point
 COPY docker-entrypoint.sh /usr/local/sbin/
-RUN sed -i 's/\r$//' /usr/local/sbin/docker-entrypoint.sh && \
-        chmod +x /usr/local/sbin/docker-entrypoint.sh;
+RUN set -ex; \
+    sed -i 's/\r$//' /usr/local/sbin/docker-entrypoint.sh; \
+    chmod +x /usr/local/sbin/docker-entrypoint.sh;
 
 # Privman
 COPY data/rules/ /usr/local/etc/privoxy/privman-rules/
@@ -120,19 +125,46 @@ RUN set -ex; \
 
 # Privoxy
 COPY --from=build-privoxy /usr/local /usr/local
-COPY data/config /usr/local/etc/privoxy/
-# hadolint ignore=SC1003
+# hadolint ignore=SC1003,SC2016
 RUN set -ex; \
-    #mv /usr/local/etc/privoxy/config /usr/local/etc/privoxy/config.orig; \
     mkdir -p /var/log/privoxy /usr/local/etc/privoxy/CA /usr/local/etc/privoxy/certs /usr/local/etc/privoxy/privman-rules; \
     chown -R privoxy:privoxy /var/log/privoxy /usr/local/etc/privoxy; \
+    chmod +x /usr/local/sbin/privoxy; \
+    cp -a /usr/local/etc/privoxy /opt/privoxy-default; \
+    # Change the default config
+    cp /usr/local/etc/privoxy/config /usr/local/etc/privoxy/config.orig; \
     sed -i '/^+set-image-blocker{pattern}/a +https-inspection \\' /usr/local/etc/privoxy/match-all.action; \
-    cp -a /usr/local/etc/privoxy /opt/privoxy-default;
+    sed -i \
+        -e 's/^confdir .+/confdir \/usr\/local\/etc\/privoxy/' \
+        -e 's/^templdir .+/templdir \/usr\/local\/etc\/privoxy\/templates/' \
+        -e '/^actionsfile user.action/a actionsfile privman-rules\/user.action\nactionsfile ab2p.system.action\nactionsfile ab2p.action' \
+        -e '/^filterfile user.filter/a filterfile privman-rules\/user.filter\nfilterfile ab2p.system.filter\nfilterfile ab2p.filter' \
+        -e 's/^#debug     1.+/debug     1/' \
+        -e 's/^#debug   512.+/debug   512/' \
+        -e 's/^#debug  1024.+/debug  1024/' \
+        -e 's/^#debug  8192.+/debug  8192/' \
+        -e 's/^listen-address .+/listen-address  0.0.0.0:${PRIVOXY_PORT}/' \
+        -e 's/^enforce-blocks .+/#enforce-blocks 0/' \
+        -e 's/^buffer-limit .+/buffer-limit 25600/' \
+        -e 's/^keep-alive-timeout .+/keep-alive-timeout 120/' \
+        -e 's/^tolerate-pipelining .+/tolerate-pipelining 0/' \
+        -e 's/^socket-timeout .+/socket-timeout 30/' \
+        -e 's/^#max-client-connections .+/max-client-connections 256/' \
+        -e 's/^#listen-backlog .+/listen-backlog 128/' \
+        -e 's/^#ca-directory .+/ca-directory \/usr\/local\/etc\/privoxy\/CA/' \
+        -e 's/^#ca-cert-file .+/ca-cert-file privoxy-ca-bundle.crt/' \
+        -e 's/^#ca-key-file .+/ca-key-file cakey.pem/' \
+        -e 's/^#certificate-directory .+/certificate-directory \/usr\/local\/etc\/privoxy\/certs/' \
+        -e 's/^#trusted-cas-file .+/trusted-cas-file trustedCAs.pem/' \
+        -e '$a\receive-buffer-size 32768' \
+        -e '$a\cipher-list ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' \
+    /usr/local/etc/privoxy/config; \
+    chmod +x /usr/local/sbin/privoxy;
 
 # adblock2privoxy
 COPY --from=build-adblock2privoxy /usr/local/bin/adblock2privoxy /usr/local/bin/adblock2privoxy
 COPY --from=build-adblock2privoxy /build/adblock2privoxy/templates /opt/local/share/adblock2privoxy/templates
-COPY data/nginx.conf /etc/nginx/nginx.conf
+COPY templates/nginx.conf.template /etc/nginx/nginx.conf.template
 RUN set -ex; \
     mkdir -p /usr/local/etc/adblock2privoxy/css; \
     echo "# Dummy file" | tee -a /usr/local/etc/privoxy/ab2p.system.action /usr/local/etc/privoxy/ab2p.action /usr/local/etc/privoxy/ab2p.system.filter /usr/local/etc/privoxy/ab2p.filter; \
@@ -146,15 +178,9 @@ RUN set -ex; \
     privoxy --version; \
     adblock2privoxy --version;
 
-# Common
-ENV ADBLOCK_URLS=""
-ENV ADBLOCK_CSS_DOMAIN="172.17.0.2:8119"
-
 ENTRYPOINT ["/usr/local/sbin/docker-entrypoint.sh"]
 
 VOLUME /usr/local/etc/privoxy
-EXPOSE 8118/tcp
-EXPOSE 8119/tcp
 
 USER privoxy
 

README.md

@@ -2,9 +2,10 @@
 
 ## :page_with_curl: About
 
-Alpine docker with [privoxy](https://www.privoxy.org) enabled and configured to work with HTTPS.
+Image with [privoxy](https://www.privoxy.org) enabled and configured to work with HTTPS.
 
 It also includes '[adblock2privoxy](https://github.com/essandess/adblock2privoxy)' to translate adblock rules to privoxy with CSS hidden elements & blackhole.
+This means that this image also includes an nginx server so that the advanced CSS rules work correctly.
 
 **The default configuration is intended for personal use only (ex. raspberry)**
 
@@ -14,13 +15,26 @@ This image downloads the 'trustedCAs' file from curl.se and also generates the c
 
 Privoxy Status Page: https://config.privoxy.org/show-status
 
+### Default Ports
+
+| PORT | Description | Required |
+|----------------|-------------|-------------|
+| 8118 | Privoxy | [x] |
+| 80 | Nginx | [] |
+| 443 | Nginx SSL | [] |
+
 
 ### Env. Variables
 
 | Name | Description | Default |
 |----------------|-------------|-------------|
+| PRIVOXY_PORT | The Privoxy port | 8118 |
 | ADBLOCK_URLS | String of urls separated by spaces | "" |
-| ADBLOCK_CSS_DOMAIN | A domain/IP that points to the container (IP:PORT) | 172.17.0.2:8119 |
+| ADBLOCK_CSS_DOMAIN | A domain/IP that points to the container (IP:PORT) | 172.17.0.2 |
+| ADBLOCK_NGINX_ENABLED | The server to use to get the css files | true |
+| NGINX_SERVER_NAME | The server name for verification process (must coincide with ADBLOCK_CSS_DOMAIN name part) | 172.17.0.2 |
+| NGINX_PORT | The HTTP port | 80 |
+| NGINX_PORT_SSL | The HTTPS port | 443 |
 
 - Can get urls from: https://easylist.to/
 
@@ -38,11 +52,13 @@ services:
     container_name: privoxy
     ports:
       - 8118:8118
-      - 8119:8119
+      - 80:80
+      - 443:443
     environment:
       TZ: Europe/Madrid
       ADBLOCK_URLS: https://easylist.to/easylist/easylist.txt
-      ADBLOCK_CSS_DOMAIN: privoxy.local:8119
+      ADBLOCK_CSS_DOMAIN: privoxy.local
+      NGINX_SERVER_NAME: privoxy.local
     volumes:
       - privoxy-ca:/usr/local/etc/privoxy/CA
     restart: unless-stopped
@@ -77,6 +93,7 @@ docker cp privoxy:/usr/local/etc/privoxy/CA/privoxy-ca-bundle.crt .
 - `max-client-connections` > Increased to 256
 - `listen-backlog` > Set to 128
 - `receive-buffer-size` > Increased to 32768 bytes
+- `tolerate-pipelining` > Disabled
 
 ## :bookmark: Points of Interest
 

bin/privman.py

@@ -1,8 +1,9 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # Copyright  Alexandre Díaz <dev@redneboa.es>
 # Privoxy Manager
 
 import os
+import re
 import argparse
 import subprocess
 import urllib.request
@@ -35,7 +36,7 @@ def update_trusted_ca(forced=False):
         print_log("Trusted CA", "Nothing to do. The file already exists.")
 
 
-def generate_crt_bundle(subj, forced=False):
+def generate_crt_bundle(subj, subj_nginx, forced=False):
     ca_bundle_file = os.path.join(BASEDIR_CA, "privoxy-ca-bundle.crt")
     ca_key_file = os.path.join(BASEDIR_CA, "cakey.pem")
     if not os.path.isfile(ca_bundle_file) or forced:
@@ -50,10 +51,41 @@ def generate_crt_bundle(subj, forced=False):
             '-addext "subjectKeyIdentifier=hash"'
         )
         print_log("CRT Bundle", f"Generated successfully in '{ca_bundle_file}'")
+        generate_nginx_certs(subj_nginx, ca_bundle_file, ca_key_file)
     else:
         print_log("CRT Bundle", "Nothing to do. The file already exists.")
 
 
+def generate_nginx_certs(subj, ca_bundle_file, ca_key_file):
+    nginx_priv_key_file = os.path.join(BASEDIR_CA, "nginx.pem")
+    nginx_priv_csr_file = os.path.join(BASEDIR_CA, "nginx.csr")
+    nginx_cert_file = os.path.join(BASEDIR_CA, "nginx.crt")
+    nginx_cert_conf_file = os.path.join(BASEDIR_CA, "nginx.cnf")
+    nginx_sn = os.environ.get("NGINX_SERVER_NAME", "")
+    f_subj = f"{subj}/CN={nginx_sn}"
+    re_ipv4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}.\d{1,3}"
+    with open(nginx_cert_conf_file, "w") as file:
+        if re.match(re_ipv4, nginx_sn):
+            file.write(f"subjectAltName=IP:{nginx_sn}")
+        else:
+            file.write(f"subjectAltName=DNS:{nginx_sn}")
+    os.system(
+        "openssl req -newkey rsa:2048 -nodes "
+        f"-keyout {nginx_priv_key_file} "
+        f"-out {nginx_priv_csr_file} "
+        f'-subj "{f_subj}" '
+    )
+    os.system(
+        "openssl x509 -req "
+        f"-in {nginx_priv_csr_file} "
+        f"-CA {ca_bundle_file} "
+        f"-CAkey {ca_key_file} "
+        f"-CAcreateserial -out {nginx_cert_file} -days 365 -sha256 "
+        f"-extfile {nginx_cert_conf_file}"
+    )
+    print_log("NGINX Certs", f"Generated successfully in '{nginx_cert_file}'")
+
+
 def init_adblock_filters():
     subprocess.run(
         [
@@ -255,6 +287,13 @@ def remove_blocklist(urls):
         help="Generate the .crt bundle",
         default="/C=ES/ST=Madrid/L=Madrid/O=DockerPrivoxy Security/OU=PROXY Department/CN=privoxy.proxy",
     )
+    parser.add_argument(
+        "--nginx-subj",
+        type=str,
+        nargs=1,
+        help="SUBJ parameters for nginx certificate",
+        default="/C=ES/ST=Madrid/L=Madrid/O=DockerPrivoxy NGinx/OU=PROXY Department",
+    )
     parser.add_argument(
         "--update-adblock-filters",
         help="Update Adblock Filters",
@@ -303,12 +342,14 @@ def remove_blocklist(urls):
 
     if args.init:
         update_trusted_ca()
-        generate_crt_bundle(args.crt_bundle_subj)
+        generate_crt_bundle(args.crt_bundle_subj, args.nginx_subj)
         init_adblock_filters()
     if args.update_trusted_ca:
         need_restart = update_trusted_ca(forced=True)
     if args.regenerate_crt_bundle:
-        need_restart = generate_crt_bundle(args.crt_bundle_subj, forced=True)
+        need_restart = generate_crt_bundle(
+            args.crt_bundle_subj, args.nginx_subj, forced=True
+        )
     if args.update_adblock_filters:
         need_restart = update_adblock_filters()
     if args.add_whitelist: