-
Notifications
You must be signed in to change notification settings - Fork 247
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
http://www.squid-cache.org/Doc/config/https_port/ can be used to tell squid to make the proxy available over https This adds a generate-certs.sh script which creates a new CA and the associated TLS certificate so that we can test https proxies with untrusted CA. In other words, this requires the use of `crc config set proxy-ca-file`
- Loading branch information
1 parent
f5a9809
commit 17997c1
Showing
3 changed files
with
121 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,43 @@ | ||
| # First run 'generate-certs.sh' so that the TLS certificate are generated | ||
| # Then 'podman build .' can be run | ||
| # The resulting container image needs to be run with -p 3128:3128 -p 3129:3129 | ||
| # Once the container is running, the https proxy can be tested with | ||
| # https_proxy=https://localhost:3129 curl --proxy-cacert ./pki/rootCA.crt -L https://gandi.net | ||
| # | ||
| # The generated TLS certificate is currently only valid for 192.168.122.1, you'll need to modify | ||
| # generate-certs.sh if you want to use it on a different host | ||
| # | ||
| # https Traffic in the VM can be blocked by running this in a VM: | ||
| # sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j REJECT | ||
| # sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -j ACCEPT | ||
| # | ||
| # To allow traffic on port 3128/3129 from the VM to the host, run this on the host: | ||
| # sudo firewall-cmd --zone=libvirt --add-port=3128/tcp | ||
| # sudo firewall-cmd --zone=libvirt --add-port=3129/tcp | ||
| # | ||
| # After this, running this command in a VM hangs: | ||
| # curl -L -I https://gandi.net | ||
| # and this command succeds: | ||
| # https_proxy=https://192.168.122.1:3129 curl --proxy-cacert ./rootCA.crt -L https://gandi.net | ||
| # (commonName must be set to 192.168.122.1 before running generate-certs.sh and building the container image) | ||
|
|
||
| FROM registry.centos.org/centos/centos:centos8 | ||
| MAINTAINER CodeReady Containers <[email protected]> | ||
|
|
||
| ENV SQUID_CACHE_DIR=/var/spool/squid \ | ||
| SQUID_LOG_DIR=/var/log/squid \ | ||
| SQUID_USER=squid | ||
|
|
||
| RUN yum -y install squid && \ | ||
| yum clean all | ||
|
|
||
| # Allow localnet to access proxy. | ||
| RUN sed -i "s/^#\+\(.*[acl|allow] localnet\)/\1/" /etc/squid/squid.conf | ||
| RUN systemctl enable squid.service | ||
|
|
||
| # Workaround for https://github.com/moby/moby/issues/31243 | ||
| RUN usermod -a -G tty squid | ||
|
|
||
| COPY entrypoint.sh /sbin/entrypoint.sh | ||
| RUN chmod 755 /sbin/entrypoint.sh | ||
| # Allow localnet to access proxy and enable access to squid over https | ||
| RUN sed -i "s/^#\+\(.*[acl|allow] localnet\)/\1/" /etc/squid/squid.conf && \ | ||
| sed -i "s!http_port 3128!http_port 3128\nhttps_port 3129 tls-cert=/etc/pki/squid/squid.pem!" /etc/squid/squid.conf | ||
|
|
||
| COPY pki/squid.pem /etc/pki/squid/squid.pem | ||
|
|
||
| EXPOSE 3128/tcp | ||
| EXPOSE 3129/tcp | ||
|
|
||
| ENTRYPOINT ["/sbin/entrypoint.sh"] | ||
| CMD [ "/sbin/init" ] |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| #!/bin/sh | ||
|
|
||
| # Generates a CA and a certificate for use with squid | ||
| # After running the script, the CA will be in ${destDir}/rootCA.crt, clients | ||
| # will need it, but the squid container has no need for it | ||
| # The only file squid needs is ${destDir}/squid.pem | ||
| # | ||
| # The certificate is only valid for 127.0.0.1, localhost and 192.168.122.1 | ||
| # If certificates for other hostnames/IPs are needed, modify the [alt_names] | ||
| # section | ||
| # | ||
| # The certificate used by squid can be overriden when starting the container: | ||
| # podman run -v ./pki/:/etc/pki/squid:z ... | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| destDir=${1:-pki} | ||
| baseName=${2:-squid} | ||
|
|
||
| mkdir -p $destDir | ||
|
|
||
| cat >${destDir}/rootCA.cnf <<EOF | ||
| # default section for "req" command options | ||
| [req] | ||
| distinguished_name = rootca_dn | ||
| prompt = no | ||
| [rootca_dn] | ||
| # Minimum of 4 bytes are needed for common name | ||
| commonName = squid CA | ||
| # ISO2 country code only | ||
| countryName = FR | ||
| # City is required | ||
| localityName = Paris | ||
| [v3_ca] | ||
| subjectKeyIdentifier=hash | ||
| authorityKeyIdentifier=keyid:always,issuer | ||
| basicConstraints = critical, CA:TRUE, pathlen:3 | ||
| keyUsage = critical, cRLSign, keyCertSign | ||
| nsCertType = sslCA, emailCA | ||
| EOF | ||
|
|
||
| # can most likely be done without config file, see EXAMPLES in man openssl-req: | ||
| # openssl req -new -subj "/C=GB/CN=foo" \ | ||
| # -addext "subjectAltName = DNS:foo.co.uk" \ | ||
| # -addext "certificatePolicies = 1.2.3.4" \ | ||
| # -newkey rsa:2048 -keyout key.pem -out req.pem | ||
| openssl req -x509 -newkey rsa:4096 -nodes -keyout ${destDir}/rootCA.key -sha256 -days 2048 -out ${destDir}/rootCA.crt -config ${destDir}/rootCA.cnf -extensions v3_ca | ||
|
|
||
| cat >${destDir}/${baseName}.cnf <<EOF | ||
| # default section for "req" command options | ||
| [req] | ||
| distinguished_name = cert_dn | ||
| prompt = no | ||
| [cert_dn] | ||
| commonName = squid | ||
| # ISO2 country code only | ||
| countryName = FR | ||
| # City is required | ||
| localityName = Paris | ||
| [v3_req] | ||
| basicConstraints = CA:FALSE | ||
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
| subjectAltName = @alt_names | ||
| [alt_names] | ||
| DNS.0 = localhost | ||
| IP.0 = 127.0.0.1 | ||
| # can be useful in nested virtualization setups | ||
| IP.1 = 192.168.122.1 | ||
| EOF | ||
|
|
||
| openssl req -newkey rsa:4096 -nodes -keyout ${destDir}/${baseName}.key -out ${destDir}/${baseName}.csr -config ${destDir}/${baseName}.cnf -extensions v3_req #-addext "subjectAltName = IP:${commonName}" | ||
| openssl x509 -req -in ${destDir}/${baseName}.csr -CA ${destDir}/rootCA.crt -CAkey ${destDir}/rootCA.key -CAcreateserial -out ${destDir}/${baseName}.crt -days 1000 -sha256 -extensions v3_req -extfile ${destDir}/${baseName}.cnf | ||
|
|
||
| cat ${destDir}/${baseName}.crt ${destDir}/${baseName}.key >${destDir}/${baseName}.pem | ||
|
|
||
| echo "Successfully generated root CA and certificate" | ||
| echo "" | ||
| echo "Add 'https_port 3129 tls-cert=${destDir}/${baseName}.pem' to your squid configuration file" | ||
| echo "" | ||
| echo "The public CA certificate is ${destDir}/rootCA.crt" | ||
| echo "This can be used with curl with: curl --proxy-cacert ${destDir}/rootCA.crt -L https://gandi.net" |