Added HTTPS support

A root SSL certificate is generated when the server starts up; this
is used to man-in-the-middle HTTPS requests. The client will still
be able to tell that their connection is compromised, since by
default they won't trust the new CA.

Author: Alex Fraser

Dockerfile

@@ -1,11 +1,46 @@
-FROM silarsis/base
-MAINTAINER Kevin Littlejohn <kevin@littlejohn.id.au>
-RUN apt-get -yq update
+FROM ubuntu:14.04
+
+MAINTAINER Alex Fraser <alex@vpac-innovations.com.au>
+
+# Run a caching proxy on the host and bind a port to APT_PROXY_PORT to cache
+# apt requests. Build with `docker build --build-arg APT_PROXY_PORT=[X] [...]`.
+WORKDIR /root
+ARG APT_PROXY_PORT=
+COPY detect-apt-proxy.sh /root/
+RUN export DEBIAN_FRONTEND=noninteractive TERM=linux \
+    && ./detect-apt-proxy.sh ${APT_PROXY_PORT} no \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        build-essential \
+        curl \
+        dpkg-dev \
+        iptables \
+        libssl-dev \
+        patch \
+        squid-langpack \
+        ssl-cert \
+    && apt-get source -y squid3 squid-langpack \
+    && apt-get build-dep -y squid3 squid-langpack
+#    rm -rf /var/lib/apt/lists/* \
+#        /etc/apt/apt.conf.d/30proxy \
+
+# It's silly, but run dpkg-buildpackage again if it fails the first time. This
+# is needed because sometimes the `configure` script is busy when building in
+# Docker after autoconf sets its mode +x.
+COPY squid3.patch /root/
+RUN cd squid3-3.?.? \
+    && patch -p1 < /root/squid3.patch \
+    && export NUM_PROCS=`grep -c ^processor /proc/cpuinfo` \
+    && (dpkg-buildpackage -b -j${NUM_PROCS} || dpkg-buildpackage -b -j${NUM_PROCS})
+RUN dpkg -i \
+        squid3-common_3.?.?-?ubuntu?.?_all.deb \
+        squid3_3.?.?-?ubuntu?.?_*.deb \
+    && mkdir -p /etc/squid3/ssl_cert
 
-RUN apt-get -yq install squid iptables
 ADD squid.conf /etc/squid3/squid.conf
 ADD start_squid.sh /usr/local/bin/start_squid.sh
 
-EXPOSE 3128
+VOLUME /var/spool/squid3
+EXPOSE 3128 3129
 
 CMD ["/usr/local/bin/start_squid.sh"]

detect-apt-proxy.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# If the host is running a web proxy, use it for apt.
+# Adapted from https://gist.github.com/dergachev/8441335
+
+APT_PROXY_PORT=$1
+PROXY_LAUNCHPAD=${2:-no}
+
+HOST_IP=$(route -n | awk '/^0.0.0.0/ {print $2}')
+nc -z "$HOST_IP" ${APT_PROXY_PORT}
+
+if [ $? -eq 0 ]; then
+    echo "Acquire::http::Proxy \"http://$HOST_IP:$APT_PROXY_PORT\";" >> /etc/apt/apt.conf.d/30proxy
+    if [ "$PROXY_LAUNCHPAD" = yes ]; then
+        echo "Acquire::http::Proxy::ppa.launchpad.net DIRECT;" >> /etc/apt/apt.conf.d/30proxy
+    fi
+    echo "Using host's apt proxy"
+else
+    echo "No apt proxy detected on Docker host"
+fi

run.sh

@@ -3,18 +3,13 @@
 # Script to maintain ip rules on the host when starting up a transparent
 # proxy server for docker.
 
-CACHEDIR="/tmp/squid3" # Change this to place the cache somewhere else
+CACHEDIR=${CACHEDIR:-/tmp/squid3}
+CONTAINER_NAME=${CONTAINER_NAME:-docker-proxy}
 
 set -e
 
-# Guard for my own scripts
-# Note, if you're running this script direct, it will rebuild if it can't see
-# the image.
-[ -z ${RUNNING_DRUN} ] && {
-  RUN_DOCKER="docker run"
-  CONTAINER_NAME='docker-proxy'
-  docker images | grep "^${CONTAINER_NAME} " >/dev/null || docker build -q --rm -t ${CONTAINER_NAME} "$(dirname $0)"
-}
+sudo docker images | grep -q "^${CONTAINER_NAME} " \
+    || (echo "Build ${CONTAINER_NAME} image first" && exit 1)
 
 start_routing () {
   # Add a new route table that routes everything marked through the new container
@@ -28,13 +23,15 @@ start_routing () {
       sudo ln -s /usr/local/etc/iproute2/rt_tables /etc/iproute2/rt_tables
     fi
   fi
-  ([ -e /etc/iproute2/rt_tables ] && grep TRANSPROXY /etc/iproute2/rt_tables >/dev/null) || \
-    sudo sh -c "echo '1	TRANSPROXY' >> /etc/iproute2/rt_tables"
-  ip rule show | grep TRANSPROXY >/dev/null || \
-    sudo ip rule add from all fwmark 0x1 lookup TRANSPROXY
+  ([ -e /etc/iproute2/rt_tables ] && grep -q TRANSPROXY /etc/iproute2/rt_tables) \
+    || sudo sh -c "echo '1	TRANSPROXY' >> /etc/iproute2/rt_tables"
+  ip rule show | grep -q TRANSPROXY \
+    || sudo ip rule add from all fwmark 0x1 lookup TRANSPROXY
   sudo ip route add default via "${IPADDR}" dev docker0 table TRANSPROXY
-  # Mark packets to port 80 external, so they route through the new route table
+  # Mark packets to port 80 and 443 external, so they route through the new
+  # route table
   sudo iptables -t mangle -I PREROUTING -p tcp --dport 80 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1
+  sudo iptables -t mangle -I PREROUTING -p tcp --dport 443 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1
   # Exemption rule to stop docker from masquerading traffic routed to the
   # transparent proxy
   sudo iptables -t nat -I POSTROUTING -o docker0 -s 172.17.0.0/16 -j ACCEPT
@@ -44,22 +41,19 @@ stop_routing () {
   # Remove the appropriate rules - that is, those that mention the IP Address.
   set +e
   [ "x$IPADDR" != "x" ] && {
-    ip route show table TRANSPROXY | grep default >/dev/null && \
-      sudo ip route del default table TRANSPROXY
-    sudo iptables -t mangle -L PREROUTING -n | grep 'tcp dpt:80 MARK set 0x1' >/dev/null && \
-      sudo iptables -t mangle -D PREROUTING -p tcp --dport 80 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1
+    ip route show table TRANSPROXY | grep -q default \
+      && sudo ip route del default table TRANSPROXY
+    sudo iptables -t mangle -L PREROUTING -n | grep -q 'tcp dpt:80 MARK set 0x1' \
+      && sudo iptables -t mangle -D PREROUTING -p tcp --dport 80 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1 \
+      && sudo iptables -t mangle -D PREROUTING -p tcp --dport 443 \! -s "${IPADDR}" -i docker0 -j MARK --set-mark 1 \
     sudo iptables -t nat -D POSTROUTING -o docker0 -s 172.17.0.0/16 -j ACCEPT 2>/dev/null
   }
   set -e
 }
 
 stop () {
-  # Ideally we'd leave the container around and re-use it, but I really
-  # need a nice way to query for a named container first. Doesn't cost much
-  # to create a new container anyway, especially given the cache volume is mapped.
   set +e
-  docker kill ${CONTAINER_NAME} >/dev/null 2>&1
-  docker rm ${CONTAINER_NAME} >/dev/null 2>&1
+  sudo docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1
   set -e
   stop_routing
 }
@@ -85,18 +79,17 @@ run () {
   # Because we're named, make sure the container doesn't already exist
   stop
   # Run and find the IP for the running container
-  CID=$(${RUN_DOCKER} --privileged -d -v "${CACHEDIR}":/var/spool/squid3 --name ${CONTAINER_NAME} ${CONTAINER_NAME})
-  IPADDR=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' ${CID})
+  CID=$(sudo docker run --privileged -d -v "${CACHEDIR}":/var/spool/squid3 --name ${CONTAINER_NAME} ${CONTAINER_NAME})
+  IPADDR=$(sudo docker inspect --format '{{ .NetworkSettings.IPAddress }}' ${CID})
   start_routing
   # Run at console, kill cleanly if ctrl-c is hit
   trap interrupted INT
   trap terminated TERM
   echo 'Now entering wait, please hit "ctrl-c" to kill proxy and undo routing'
-  docker logs -f "${CID}"
+  sudo docker logs -f "${CID}"
   echo 'Squid exited unexpectedly, cleaning up...'
   stop
 }
 
-# Guard so I can include this script into my own scripts
-[ -z ${RUNNING_DRUN} ] && run
+run
 echo

squid.conf

@@ -10,22 +10,27 @@ acl Safe_ports port 488		# gss-http
 acl Safe_ports port 591		# filemaker
 acl Safe_ports port 777		# multiling http
 acl CONNECT method CONNECT
+
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 http_access allow localhost
 http_access allow all
 #http_access deny all
-http_port 3128 transparent
+
+http_port 3128 intercept
+https_port 3129 cert=/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on intercept ssl-bump
+
 maximum_object_size 512 MB
 cache_dir ufs /var/spool/squid3 2024 2 8
 cache_mem 200 MB
 maximum_object_size_in_memory 100 MB
 cache_replacement_policy heap LFUDA
+
 refresh_pattern Packages\.bz2$ 0       20%     4320 refresh-ims
 refresh_pattern Sources\.bz2$  0       20%     4320 refresh-ims
 refresh_pattern Release\.gpg$  0       20%     4320 refresh-ims
 refresh_pattern Release$       0       20%     4320 refresh-ims
-refresh_pattern -i .(udeb|tar.gz|deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$  129600 100% 129600 override-expire ignore-no-cache ignore-no-store
+refresh_pattern -i .(udeb|tar.gz|deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin|jar)$  129600 100% 129600 override-expire ignore-no-cache ignore-no-store
 refresh_pattern .              0       20%     4320

squid3.patch

@@ -0,0 +1,13 @@
+--- a/debian/rules       2014-02-18 03:13:28.000000000 +0000
++++ b/debian/rules       2016-04-04 02:03:23.732296279 +0000
+@@ -41,8 +41,10 @@
+		--enable-icmp \
+		--enable-zph-qos \
+		--enable-ecap \
++		--enable-ssl \
+		--disable-translation \
+		--with-swapdir=/var/spool/squid3 \
++		--with-open-ssl=/etc/ssl/openssl.cnf \
+		--with-logdir=/var/log/squid3 \
+		--with-pidfile=/var/run/squid3.pid \
+		--with-filedescriptors=65536 \

start_squid.sh

@@ -1,16 +1,38 @@
 #!/bin/bash
 
-# Setup the NAT rule that enables transparent proxying
-IPADDR=$(/sbin/ip -o -f inet addr show eth0 | awk '{ sub(/\/.+/,"",$4); print $4 }')
-iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination ${IPADDR}:3128
+function gen-cert() {
+    cd /etc/squid3/ssl_cert
+    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
+        -keyout myCA.pem -out myCA.pem \
+        -subj '/CN=squid-ssl/O=NULL/C=AU'
+    chmod 600 myCA.pem
+    openssl x509 -in myCA.pem -outform DER -out myCA.der
+    chown proxy.proxy myCA.pem
+    return $?
+}
 
-# Make sure our cache is setup
-chown proxy.proxy /var/spool/squid3
-[ -e /var/spool/squid3/swap.state ] || squid3 -z 2>/dev/null
+function start-routing() {
+    # Setup the NAT rule that enables transparent proxying
+    IPADDR=$(/sbin/ip -o -f inet addr show eth0 | awk '{ sub(/\/.+/,"",$4); print $4 }')
+    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination ${IPADDR}:3128
+    return $?
+}
+
+function init-cache() {
+    # Make sure our cache is setup
+    touch /var/log/squid3/access.log /var/log/squid3/cache.log
+    chown proxy.proxy -R /var/spool/squid3 /var/log/squid3
+    [ -e /var/spool/squid3/swap.state ] || squid3 -z 2>/dev/null
+}
+
+gen-cert || exit 1
+start-routing || exit 1
+init-cache
+
+echo starting server
 
 # Run squid and tail the logs
 squid3
-while true; do
-  [ -e /var/log/squid3/access.log ] && tail -f /var/log/squid3/access.log
-  sleep 1
-done
+sleep 0.5
+ps aux
+tail -f /var/log/squid3/access.log /var/log/squid3/cache.log