- Notifications
You must be signed in to change notification settings - Fork46
Multi-mode Squid Proxy container running SSL intercept
License
salrashid123/squid_proxy
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Sample squid proxy and Dockerfile demonstrating various config modes.
The Dockerfile and git image compiles squid withssl_crtd enabled which allows for SSL intercept and rewrite.
The corresponding docker image is on dockerhub:
The image has no entrypoint set to allow you to test and run different modes.
To run the image, simply invoke a shell in the container and start squid in the background for the mode youare interested in:
This image should be used for debugging and testing so i've left a lot of stuff in the dockerfile (eg, gcc, python, etc).
If you really want to use this in prod, modify the image to and minimize the footprint (use multistage builds, alpine,distroless images, etc)
docker run -p 3128:3128 -ti docker.io/salrashid123/squidproxy /bin/bash
please note that the root CA's have been updated (on
1/9/22. You can find the docker image with the original certs assalrashid123/squidproxy:1(or you can regenerate your own image from a prior commit))
The CA's provided currently are chained (root-ca.crt ->tls-ca.crt ->server_crt.pem. With the combined root and subordinate astls-ca-chain.pem)
11/20/22: Upgrade to debian-11,
squid-5.7:docker.io/salrashid123/squidproxy@sha256:latestdocker.io/salrashid123/squidproxy@sha256:
1/10/22: Upgrade built in CA,
squid-3.5.27:docker.io/salrashid123/squidproxy@sha256:b46d3648443d675bb3ac020248495d5d7af1b7f3b683c3068e45c0f040aa5d9c
Also see
Explicit forward proxy mode intercepts HTTP traffic and uses CONNECT for https.
Launch:
$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.forward &then in a new window run both http and https calls:
curl -v -x localhost:3128 -L http://httpbin.org/getcurl -v -x localhost:3128 -L https://httpbin.org/get
you should see a GET and CONNECT logs within the container
$ cat /apps/squid/var/logs/access.log1668952181.370 112 192.168.9.1 TCP_MISS/301 1560 GET http://www.bbc.com/ - HIER_DIRECT/151.101.0.81 text/html1668952181.517 146 192.168.9.1 TCP_TUNNEL/200 237935 CONNECT www.bbc.com:443 - HIER_DIRECT/151.101.0.81 -You can also setup allow/deny rules for the domain:
If you want to usehttps_port, usesquid.conf.https_port. Forhttps_port seecurl options like this:
curl -v --proxy-cacert tls-ca.crt --resolve squid.yourdomain.com:3128:127.0.0.1 -x https://squid.yourdomain.com:3128 https://httpbin.org/get
In this mode, an HTTPS connection actually terminates the SSL connectionon the proxy, then proceeds todownload the certificate for the server you intended to visit. The proxy server then issues a new certificate with thesame specifications of the site you wanted to visit and sends that down.
Essentially, the squid proxy is acting as man-in-the-middle. Ofcourse, you client needs to trust the certificate for the proxybut if not, you will see a certificate warning.
Here is the relevant squid conf setting to allow this:
squid.conf.intercept:
# Squid normally listens to port 3128visible_hostname squid.yourdomain.comhttp_port 3128 ssl-bump generate-host-certificates=on cert=/apps/tls-ca.crt key=/apps/tls-ca.keyalways_direct allow allacl excluded_sites ssl::server_name .wellsfargo.comssl_bump splice excluded_sitesssl_bump bump allsslproxy_cert_error deny allsslcrtd_program /apps/squid/libexec/security_file_certgen -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1The configuration above will insepct all SSL traffic but onlysplice traffic to wellsfargo.com to view its intended SNI (server_name). You can use the splice capability to apply ACL rules against without inspecting.
Launch
$ docker run -p 3128:3128 -ti docker.io/salrashid123/squidproxy /apps/squid/sbin/squid -NsY -f /apps/squid.conf.interceptthen in a new window, try to access a secure site
$ wget https://raw.githubusercontent.com/salrashid123/squid_proxy/master/tls-ca.crt$ curl -v --proxy-cacert tls-ca.crt --cacert tls-ca.crt -x localhost:3128 https://www.httpbin.org/get
you should see the proxy intercept and recreate httpbin's public certificate:
* Server certificate:* subject: CN=www.httpbin.org* start date: Jan 9 22:05:43 2022 GMT* expire date: Jan 9 22:05:43 2032 GMT* subjectAltName: host "www.httpbin.org" matched cert's "www.httpbin.org"* issuer: C=US; O=Google; OU=Enterprise; CN=Enterprise Subordinate CA <<<<<<<<<* SSL certificate verify ok.* TLSv1.2 (OUT), TLS header, Supplemental data (23):> GET /get HTTP/1.1> Host: www.httpbin.org> User-Agent: curl/7.85.0> Accept: */*note the issuer is the proxy's server certificate (tls-ca.crt), NOT httpbin's official public cert
Now try to accesswww.wellsfargo.com. The configuration above simply views the SNI information without snooping on the data
$ curl -vvvv --proxy-cacert tls-ca.crt --cacert tls-ca.crt -x localhost:3128 https://www.wellsfargo.com* Server certificate:* subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=251212; C=US; ST=California; L=San Francisco; O=Wells Fargo & Company; CN=www.wellsfargo.com* start date: Aug 3 00:00:00 2022 GMT* expire date: Aug 3 23:59:59 2023 GMT* subjectAltName: host "www.wellsfargo.com" matched cert's "www.wellsfargo.com"* issuer: C=US; O=DigiCert Inc; CN=DigiCert EV RSA CA G2* SSL certificate verify ok.content_adaptation/ allows you to not just intercept SSL traffic, but to actually rewrite the content both ways.
Has cache enabled for HTTP traffic
Launch
$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.cacheRun two requests
curl -s -x localhost:3128 -L http://www.bbc.com/robots.txtcurl -s -x localhost:3128 -L http://www.bbc.com/robots.txtFirst request is a TCP_MISS, the second is TCP_MEM_HIT
$ cat /apps/squid/var/logs/access.log1669042557.206 75 192.168.9.1 TCP_MISS/200 20927 GET http://www.bbc.com/robots.txt - HIER_DIRECT/151.101.0.81 text/plain1669042569.313 0 192.168.9.1 TCP_MEM_HIT/200 20935 GET http://www.bbc.com/robots.txt - HIER_NONE/- text/plainEnables squid proxy in default mode but requires a username password for the proxy
- user: user1
- password:user1
Launch:
$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.basicauth &$ curl -v -x localhost:3128 --proxy-user user1:user1 -L http://httpbin.org/getTHe specific config for this mode:
squid.conf.basicaith
#user1:user1#/apps/squid/squid_passwd: user1:aje5nXwboMxWYauth_param basic program /apps/squid/libexec/basic_ncsa_auth /apps/squid_passwdacl authenticated proxy_auth REQUIREDhttp_access allow authenticatedhttp_access deny allLogs would show
1669042602.565 37 192.168.9.1 TCP_MISS/200 606 GET http://httpbin.org/get user1 HIER_DIRECT/34.203.186.29 application/jsonFROM debian:11 AS buildRUN apt-get -y updateRUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl git python3 python3-pip procpsRUN mkdir -p /var/log/supervisorCOPY supervisord.conf /etc/supervisor/conf.d/supervisord.confWORKDIR /apps/RUN wget -O - http://www.squid-cache.org/Versions/v5/squid-5.7.tar.gz | tar zxfv - \ && CPU=$(( `nproc --all`-1 )) \ && cd /apps/squid-5.7/ \ && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \ && make -j$CPU \ && make install \ && cd /apps \ && rm -rf /apps/squid-5.7ADD . /apps/RUN chown -R nobody:nogroup /apps/RUN mkdir -p /apps/squid/var/lib/RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MBRUN /apps/squid/sbin/squid -N -f /apps/squid.conf.cache -zRUN chown -R nobody:nogroup /apps/RUN chgrp -R 0 /apps && chmod -R g=u /appsRUN ln -s /usr/bin/python3 /usr/bin/pythonEXPOSE 3128#CMD ["/usr/bin/supervisord"]
like i said, its a bit of a large, bloated image.
THis repo and image comes with a built-in CA (root-ca.crt is the true parent CA that signed a subordinate catls-ca.crt (yes, i know, its confusing but i used that subca with that name)). You are free to generate and volume mount your own CA.