
How to enable SSL #68

Open
tinyweasel opened this issue Mar 4, 2020 · 10 comments

Comments

@tinyweasel

When building squid normally you run the following:

./configure --enable-ssl --enable-ssl-crtd ...

How do I enable this in the docker container?

@ataka171

ataka171 commented Apr 11, 2020

Same question

@nathan-b

nathan-b commented May 26, 2020

It looks like the squid in Ubuntu's bionic repository is not built with --enable-ssl. This docker image just pulls from Ubuntu using apt.

I managed to work around it by basing the image off alpine instead.

Step 1: Clone the repo

git clone https://github.com/sameersbn/docker-squid.git
cd docker-squid

Step 2: Modify the Dockerfile:

nathan@nathanb-dev ~/src/docker-squid (git)-[master] % cat Dockerfile
FROM alpine:latest
LABEL maintainer="sameer@damagehead.com"

ENV SQUID_CACHE_DIR=/var/spool/squid \
    SQUID_LOG_DIR=/var/log/squid

RUN apk update \
 && apk add bash squid

COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod 755 /sbin/entrypoint.sh

EXPOSE 3128/tcp
ENTRYPOINT ["/sbin/entrypoint.sh"]

Note that you get squid4 instead of squid3, as I don't do the version selection that this repository's dockerfile does.

Step 3: Modify the entrypoint script
The two chown lines should use the squid user and group.

Step 4: Build the image

nathan@nathanb-dev ~/src/docker-squid (git)-[master] % docker build -t mysquid --no-cache .

Step 5: Run the image

nathan@nathanb-dev ~ % docker run --rm -it --name squid -p 3128:3128 -p 3129:3129 -v /home/nathan/tmp/squid.conf:/etc/squid/squid.conf -v /home/nathan/tmp/squidlogs:/var/log/squid -v /tmp/test/certificate.pem:/etc/squid/certificate.pem mysquid:latest

Hope this helps!
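As an added example (not from this issue or the docker-squid project), a small POSIX sh check that tells you whether a given squid binary was actually built with TLS before you rely on https_port; the function names and the `squid -v` samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the issue or the docker-squid project.
# Decides from `squid -v` output whether TLS support is compiled in, which
# is what the thread is really after: Squid 3.x reports --enable-ssl,
# Squid 4+ reports --with-openssl or --with-gnutls instead, and
# --enable-ssl-crtd is additionally needed for on-the-fly certificate
# generation (ssl-bump).

# Print the TLS-related configure flags found in `squid -v` text on stdin.
tls_configure_flags() {
    tr -d "'" | tr -s ' \t' '\n\n' \
        | grep -E '^--(enable-ssl|with-openssl|with-gnutls|enable-ssl-crtd)(=.*)?$' \
        | sort -u
}

# Exit 0 if a TLS library is compiled in, 1 otherwise (flags are echoed).
squid_has_tls() {
    flags=$(tls_configure_flags)
    [ -n "$flags" ] && printf '%s\n' "$flags"
    printf '%s\n' "$flags" | grep -Eq '^--(enable-ssl|with-openssl|with-gnutls)(=.*)?$'
}

# Exit 0 if the certificate generator helper was enabled as well.
squid_has_crtd() {
    tls_configure_flags | grep -q '^--enable-ssl-crtd$'
}

# Convenience wrapper for a built image (not run by the checks below):
# `--entrypoint squid` bypasses entrypoint.sh so only `squid -v` executes.
check_image_tls() {
    docker run --rm --entrypoint squid "$1" -v | squid_has_tls
}

# Constructed samples in the shape of `squid -v`; not real package output.
SAMPLE_NO_TLS="Squid Cache: Version 3.5.27
configure options:  '--prefix=/usr' '--enable-icap-client' '--with-default-user=proxy'"
SAMPLE_TLS="Squid Cache: Version 4.10
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd' '--enable-icap-client'"
```

Run `check_image_tls mysquid:latest` against the image built above; an image whose squid prints none of those flags will silently ignore https_port.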

@rthunoli

Why one more port, 3129? Is it for HTTPS?

@nathan-b

@rthunoli yes, exactly. My config allows me to connect either over plaintext on port 3128 or TLS on port 3129.

@nathan-b

If you want to run my container that I built using the recipe I give above, I put it on Dockerhub: https://hub.docker.com/repository/docker/sysdignathan/secure-squid

@nathan-b

nathan@nathanb-dev ~/tmp % cat squid.conf
http_port 3128
https_port 3129 cert=/etc/squid/proxy.pem

dns_v4_first on

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl CONNECT method CONNECT

http_access allow localnet
http_access allow localhost

Here's a minimal config that allows connections from inside the local network only on either plaintext (3128) or encrypted (3129).

@taras-vibes

How do you add certificates?
E.g:
https_port 3129 ssl-bump \
    cert=/etc/squid/squid-ca-cert-key.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

@nathan-b

@taras-vibes you see on line 2 of the config I posted that there's cert=/etc/squid/proxy.pem? You just have to mount the certificate into the container at that path as part of the docker run command. For example:

docker run --rm -it --name squid -p 3128:3128 -p 3129:3129 -v /home/nathan/proxy/squid.conf:/etc/squid/squid.conf -v /home/nathan/proxy/squidlogs:/var/log/squid -v /home/nathan/proxy/cert.chain.pem:/etc/squid/proxy.pem sysdignathan/secure-squid:latest

The last -v mounts the local cert into the container at the right location for squid to find and use it.

@taras-vibes

Hey @nathan-b thanks for your response:
Yes, I do have files in /etc/squid:
ls /etc/squid/squid-ca-cert-key.pem /etc/squid/squid-ca-cert-key.pem
When I curl it:
curl --proxy-insecure --proxy https://localhost:3129 https://skarnet.org/software/s6/
I see logs in /var/log/squid/access.log:
1711558523.802 119 192.168.65.1 TCP_MISS/200 20284 GET http://www.google.com/ - HIER_DIRECT/142.250.190.68 text/html
1711558526.013 134 192.168.65.1 TCP_MISS/200 20195 GET http://www.google.com/ - HIER_DIRECT/142.250.190.68 text/html
1711560575.965 1563 192.168.65.1 TCP_TUNNEL/200 22989 CONNECT skarnet.org:443 - HIER_DIRECT/95.142.172.232 -
1711560578.331 855 192.168.65.1 TCP_TUNNEL/200 22989 CONNECT skarnet.org:443 - HIER_DIRECT/95.142.172.232 -

It keeps missing on google, but I guess that is expected.
What is TCP_TUNNEL/200 ? Does that mean it has been cached successfully on Secure 3129 port?

@nathan-b

@taras-vibes yes, you can read the squid docs to understand the format of the logs, but essentially it means that a TCP tunnel has been successfully established between your system (192.168.65.1) and the destination (95.142.172.232).
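An added example, not part of this thread: a POSIX sh/awk summary of the native access.log format discussed above, which makes the TCP_MISS versus TCP_TUNNEL distinction concrete; the function name and the sample lines are constructed from the ones quoted in the issue.

```shell
#!/bin/sh
# Added example, not part of the issue: summarise a squid native-format
# access.log. Fields: timestamp elapsed client result/status bytes method
# URL ident hierarchy/peer type. TCP_TUNNEL means the CONNECT was relayed
# as an opaque tunnel: the TLS session runs end to end between client and
# origin, so squid neither inspects nor caches what passes through it.
summarize_access_log() {
    awk '
    NF >= 10 {
        split($4, rc, "/")            # TCP_TUNNEL/200 -> result code, HTTP status
        count[rc[1]]++
        bytes[rc[1]] += $5            # bytes sent to the client for that code
        if ($6 == "CONNECT")          # host:port the tunnel was opened to
            tunnels[$7]++
    }
    END {
        for (c in count)
            printf "%s %d %d\n", c, count[c], bytes[c] | "sort"
        close("sort")
        for (t in tunnels)
            printf "CONNECT %s %d\n", t, tunnels[t] | "sort"
        close("sort")
    }'
}

# Constructed lines modelled on the ones quoted in the issue.
SAMPLE_LOG='1711558523.802 119 192.168.65.1 TCP_MISS/200 20284 GET http://www.google.com/ - HIER_DIRECT/142.250.190.68 text/html
1711558526.013 134 192.168.65.1 TCP_MISS/200 20195 GET http://www.google.com/ - HIER_DIRECT/142.250.190.68 text/html
1711560575.965 1563 192.168.65.1 TCP_TUNNEL/200 22989 CONNECT skarnet.org:443 - HIER_DIRECT/95.142.172.232 -
1711560578.331 855 192.168.65.1 TCP_TUNNEL/200 22989 CONNECT skarnet.org:443 - HIER_DIRECT/95.142.172.232 -'

# Prints one line per result code (count, bytes) and one per tunnel target.
printf '%s\n' "$SAMPLE_LOG" | summarize_access_log
```

On a real container, `docker exec squid sh -c 'cat /var/log/squid/access.log' | summarize_access_log` gives the same breakdown; a TCP_HIT line would appear as its own row only for plaintext requests, never for tunnelled ones.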
