Reusing CA certificate

Alex Fraser · Alex Fraser · commit 2fa84c5f54ea · 2016-04-07T11:12:40.000+10:00
Using a volume to persist the CA certificate so it doesn't need
to be reinstalled in the clients when the proxy is restarted.
diff --git a/Dockerfile b/Dockerfile
@@ -2,8 +2,11 @@ FROM ubuntu:14.04
 
 MAINTAINER Alex Fraser <alex@vpac-innovations.com.au>
 
+# Install base dependencies.
 # Run a caching proxy on the host and bind a port to APT_PROXY_PORT to cache
 # apt requests. Build with `docker build --build-arg APT_PROXY_PORT=[X] [...]`.
+# Not required if you're using a transparent proxy (like the one built by
+# this project).
 WORKDIR /root
 ARG APT_PROXY_PORT=
 COPY detect-apt-proxy.sh /root/
@@ -24,25 +27,26 @@ RUN export DEBIAN_FRONTEND=noninteractive TERM=linux \
 #    rm -rf /var/lib/apt/lists/* \
 #        /etc/apt/apt.conf.d/30proxy \
 
+# Customise and build Squid.
 # It's silly, but run dpkg-buildpackage again if it fails the first time. This
 # is needed because sometimes the `configure` script is busy when building in
 # Docker after autoconf sets its mode +x.
-COPY squid3.patch /root/
+COPY squid3.patch mime.conf /root/
 RUN cd squid3-3.?.? \
     && patch -p1 < /root/squid3.patch \
     && export NUM_PROCS=`grep -c ^processor /proc/cpuinfo` \
-    && (dpkg-buildpackage -b -j${NUM_PROCS} || dpkg-buildpackage -b -j${NUM_PROCS})
-COPY mime.conf /root/
-RUN dpkg -i \
-        squid3-common_3.?.?-?ubuntu?.?_all.deb \
-        squid3_3.?.?-?ubuntu?.?_*.deb \
+    && (dpkg-buildpackage -b -j${NUM_PROCS} \
+        || dpkg-buildpackage -b -j${NUM_PROCS}) \
+    && DEBIAN_FRONTEND=noninteractive TERM=linux dpkg -i \
+        ../squid3-common_3.?.?-?ubuntu?.?_all.deb \
+        ../squid3_3.?.?-?ubuntu?.?_*.deb \
     && mkdir -p /etc/squid3/ssl_cert \
-    && cat mime.conf >> /usr/share/squid3/mime.conf
+    && cat /root/mime.conf >> /usr/share/squid3/mime.conf
 
 COPY squid.conf /etc/squid3/squid.conf
 COPY start_squid.sh /usr/local/bin/start_squid.sh
 
-VOLUME /var/spool/squid3
+VOLUME /var/spool/squid3 /etc/squid3/ssl_cert
 EXPOSE 3128 3129 3130
 
 CMD ["/usr/local/bin/start_squid.sh"]
diff --git a/run.sh b/run.sh
@@ -4,6 +4,7 @@
 # proxy server for docker.
 
 CACHEDIR=${CACHEDIR:-/tmp/squid3}
+CERTDIR=${CACHEDIR:-/tmp/squid3_cert}
 CONTAINER_NAME=${CONTAINER_NAME:-docker-proxy}
 
 set -e
@@ -30,8 +31,10 @@ start_routing () {
   sudo ip route add default via "${IPADDR}" dev docker0 table TRANSPROXY
   # Mark packets to port 80 and 443 external, so they route through the new
   # route table
-  sudo iptables -t mangle -I PREROUTING -p tcp --dport 80 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1
-  sudo iptables -t mangle -I PREROUTING -p tcp --dport 443 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1
+  COMMON_RULES="-t mangle -I PREROUTING -p tcp -i docker0 ! -s ${IPADDR}
+    -j MARK --set-mark 1"
+  sudo iptables $COMMON_RULES --dport 80
+  sudo iptables $COMMON_RULES --dport 443
   # Exemption rule to stop docker from masquerading traffic routed to the
   # transparent proxy
   sudo iptables -t nat -I POSTROUTING -o docker0 -s 172.17.0.0/16 -j ACCEPT
@@ -78,14 +81,15 @@ terminated () {
 run () {
   # Make sure we have a cache dir - if you're running in vbox you should
   # probably map this through to the host machine for persistence
-  mkdir -p "${CACHEDIR}"
+  mkdir -p "${CACHEDIR}" "${CERTDIR}"
   # Because we're named, make sure the container doesn't already exist
   stop
   # Run and find the IP for the running container. Bind the forward proxy port
   # so clients can get the CA certificate.
   CID=$(sudo docker run --privileged -d \
         --name ${CONTAINER_NAME} \
         --volume="${CACHEDIR}":/var/spool/squid3 \
+        --volume="${CERTDIR}":/etc/squid3/ssl_cert \
         --publish=3128:3128 \
         ${CONTAINER_NAME})
   IPADDR=$(sudo docker inspect --format '{{ .NetworkSettings.IPAddress }}' ${CID})
diff --git a/start_squid.sh b/start_squid.sh
@@ -1,17 +1,22 @@
 #!/bin/bash
 
 function gen-cert() {
-    pushd /etc/squid3/ssl_cert
-    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
-        -keyout privkey.pem -out ca.pem \
-        -subj '/CN=squid-ssl/O=NULL/C=AU'
-    chown proxy.proxy privkey.pem
-    chmod 600 privkey.pem
-    openssl x509 -in ca.pem -outform DER -out ca.der
+    pushd /etc/squid3/ssl_cert > /dev/null
+    if [ ! -f ca.pem ]; then
+        openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes \
+            -x509 -keyout privkey.pem -out ca.pem \
+            -subj '/CN=docker-proxy/O=NULL/C=AU'
+        chown proxy.proxy privkey.pem
+        chmod 600 privkey.pem
+        openssl x509 -in ca.pem -outform DER -out ca.der
+    else
+        echo "Reusing existing certificate"
+    fi
+    openssl x509 -sha1 -in ca.pem -noout -fingerprint
     # Make CA certificate available for download via HTTP Forwarding port
     # e.g. GET http://docker-proxy:3128/squid-internal-static/icons/ca.pem
     cp `pwd`/ca.* /usr/share/squid3/icons/
-    popd
+    popd > /dev/null
     return $?
 }
 
