jdeathe/containerised-squid-proxy.sh

## containerised-squid-proxy.sh
#
# WARNING! This configures a Man-In-The-Middle proxy that decrypts HTTPS traffic.
#
# - Requires Local DNS: https://gist.github.com/jdeathe/252578a3217ab9782fed10c3b3816d30
# - Disable the SSH features and process - using local docker.
# - https://docs.docker.com/engine/userguide/networking/
# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/http_port.html
# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/ssl_bump.html
# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/refresh_pattern.html
# - https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

LOOPBACK_IP_ALIAS="192.168.127.1/24"
LOOPBACK_ALIAS_IP="${LOOPBACK_ALIAS%%/*}"

# Alias for loopback interface.
# Note this is not persistent accross reboots.
if [[ $(uname) == Darwin ]]; then
  sudo ifconfig lo0 alias ${LOOPBACK_IP_ALIAS} up
else
  sudo ip addr add ${LOOPBACK_IP_ALIAS} dev lo:0
fi

# Create an isolated infrastructure network
docker network create --driver bridge local_infra 2> /dev/null || true

LOCAL_INFRA_GATEWAY="$(
  docker network inspect -f '{{ index (index .IPAM.Config 0).Gateway }}' local_infra | awk -F/ '{ print $1; }'
)"

docker pull jdeathe/centos-ssh:centos-7-2.1.2

eval "sudo -E $(
    docker inspect \
    -f "{{.ContainerConfig.Labels.install}}" \
    jdeathe/centos-ssh:centos-7-2.1.2
  ) install \
  --name=squid.1.0 \
  --env='SSH_AUTOSTART_SSHD=false' \
  --env='SSH_AUTOSTART_SSHD_BOOTSTRAP=false' \
  --env='DOCKER_PORT_MAP_TCP_22=NULL' \
  --setopt='--network local_infra' \
  --setopt='--expose 3126-3128' \
  --setopt='--publish ${LOOPBACK_ALIAS_IP}:3126-3128:3126-3128' \
  --setopt='--volume {{NAME}}.data-cache:/var/spool/squid' \
  --setopt='--volume {{NAME}}.data-certs:/etc/pki/tls/certs'
"

docker exec -i squid.1.0 yum -y install squid openssl ca-certificates

docker exec -i squid.1.0 tee /etc/supervisord.d/squid.conf 1> /dev/null <<-CONFIG
[program:squid]
priority = 100
command = bash -c "/usr/sbin/squid -N -z -F -f /etc/squid/squid.conf >> /var/log/squid/squid.out 2>&1; exec /usr/sbin/squid -N -f /etc/squid/squid.conf"
startsecs = 1
autorestart = true
redirect_stderr = true
stdout_logfile = /var/log/squid/cache.log
stdout_events_enabled = true
CONFIG

# - Standard port configuration done in the custom configuration later.
# - Allow SSL connections on non-standard ports.
# - Rules for refresh_pattern need to be above standard rules so redefine later.
docker exec -i squid.1.0 sed -i \
  -e 's~^\(http_port 3128\)$~#\1~' \
  -e 's~^\(http_access deny CONNECT !SSL_ports\)$~#\1~' \
  -e 's~^\(refresh_pattern .*\)$~#\1~g' \
  /etc/squid/squid.conf

docker exec -i squid.1.0 mkdir /etc/squid/conf.d

docker exec -i squid.1.0 tee -a /etc/squid/squid.conf 1> /dev/null <<-CONFIG
include /etc/squid/conf.d/*.conf
CONFIG

docker exec -i squid.1.0 tee /etc/squid/conf.d/10-large-file-cache.conf 1> /dev/null <<-CONFIG
dns_nameservers ${LOOPBACK_ALIAS_IP} 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220

# Disk cache
maximum_object_size 1024 MB
cache_dir ufs /var/spool/squid 10240 16 256

# Extend the expiry for package files to 90 day
refresh_pattern -i .(rpm|iso)$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslproxy_cafile /etc/pki/tls/cert.pem
# Need a later version of squid to support certificate hash better than sha1
# sslproxy_cert_sign_hash sha256
sslproxy_cipher ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE

ssl_bump server-first all

# Transparent http
http_port 0.0.0.0:3126 intercept

# Transparent https
https_port 0.0.0.0:3127 \
intercept ssl-bump \
cert=/etc/pki/tls/certs/proxy.localdomain.pem \
dhparams=/etc/pki/tls/certs/dhparam.pem \
dynamic_cert_mem_cache_size=4MB \
generate-host-certificates=on \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE \
cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# Standard http + https
http_port 0.0.0.0:3128 \
ssl-bump \
cert=/etc/pki/tls/certs/proxy.localdomain.pem \
dhparams=/etc/pki/tls/certs/dhparam.pem \
dynamic_cert_mem_cache_size=4MB \
generate-host-certificates=on \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE \
cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
CONFIG

# Initialise SSL Database and set permissions
docker exec -i squid.1.0 /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
docker exec -i squid.1.0 chown -R squid:squid /var/lib/ssl_db

# Generate CA Certificate if one isn't already available
docker exec -it squid.1.0 bash -c "if [[ ! -f /etc/pki/tls/certs/proxy.localdomain.pem ]]; then openssl req \
-x509 \
-extensions v3_ca \
-sha256 \
-nodes \
-new \
-newkey rsa:2048 \
-days 365 \
-subj "/C=--/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=proxy.localdomain" \
-keyout /etc/pki/tls/certs/proxy.localdomain.pem \
-out /etc/pki/tls/certs/proxy.localdomain.pem; \
fi"

# Generate Diffie–Hellman parameters if not already available
docker exec -i squid.1.0 bash -c "if [[ ! -f /etc/pki/tls/certs/dhparam.pem ]]; then openssl dhparam \
  -outform PEM \
  -out /etc/pki/tls/certs/dhparam.pem 2048; \
fi"

# Copy certificate from conainer to distribute
docker cp squid.1.0:/etc/pki/tls/certs/proxy.localdomain.pem .

# Append ca-intermediate.pem to the cafile
if [[ -f ./ca-intermediate.pem ]]; then
  docker cp ca-intermediate.pem squid.1.0:/etc/pki/ca-trust/source/anchors/
fi

# If you need to trust StartCom https://www.startssl.com/certs/sca.server3.crt
if [[ -f ./sca.server3.crt ]]; then
  docker cp sca.server3.crt squid.1.0:/etc/pki/ca-trust/source/anchors/
fi

docker exec -it squid.1.0 update-ca-trust

# Restarting the container allows supervisord start the process. If you
# Upload a new configuration you will need restart for the changes to apply.
docker restart squid.1.0

# Tail the logs - Note: Use Ctl + c to exit.
docker logs -f --tail=30 squid.1.0

echo "Set up your network connection to use the proxy ${LOOPBACK_ALIAS_IP}:3128 for both HTTP and HTTPS."
	#
	# WARNING! This configures a Man-In-The-Middle proxy that decrypts HTTPS traffic.
	#
	# - Requires Local DNS: https://gist.github.com/jdeathe/252578a3217ab9782fed10c3b3816d30
	# - Disable the SSH features and process - using local docker.
	# - https://docs.docker.com/engine/userguide/networking/
	# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/http_port.html
	# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/ssl_bump.html
	# - http://www.squid-cache.org/Versions/v3/3.3/cfgman/refresh_pattern.html
	# - https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

	LOOPBACK_IP_ALIAS="192.168.127.1/24"
	LOOPBACK_ALIAS_IP="${LOOPBACK_ALIAS%%/*}"

	# Alias for loopback interface.
	# Note this is not persistent accross reboots.
	if [[ $(uname) == Darwin ]]; then
	sudo ifconfig lo0 alias ${LOOPBACK_IP_ALIAS} up
	else
	sudo ip addr add ${LOOPBACK_IP_ALIAS} dev lo:0
	fi

	# Create an isolated infrastructure network
	docker network create --driver bridge local_infra 2> /dev/null \|\| true

	LOCAL_INFRA_GATEWAY="$(
	docker network inspect -f '{{ index (index .IPAM.Config 0).Gateway }}' local_infra \| awk -F/ '{ print $1; }'
	)"

	docker pull jdeathe/centos-ssh:centos-7-2.1.2

	eval "sudo -E $(
	docker inspect \
	-f "{{.ContainerConfig.Labels.install}}" \
	jdeathe/centos-ssh:centos-7-2.1.2
	) install \
	--name=squid.1.0 \
	--env='SSH_AUTOSTART_SSHD=false' \
	--env='SSH_AUTOSTART_SSHD_BOOTSTRAP=false' \
	--env='DOCKER_PORT_MAP_TCP_22=NULL' \
	--setopt='--network local_infra' \
	--setopt='--expose 3126-3128' \
	--setopt='--publish ${LOOPBACK_ALIAS_IP}:3126-3128:3126-3128' \
	--setopt='--volume {{NAME}}.data-cache:/var/spool/squid' \
	--setopt='--volume {{NAME}}.data-certs:/etc/pki/tls/certs'
	"

	docker exec -i squid.1.0 yum -y install squid openssl ca-certificates

	docker exec -i squid.1.0 tee /etc/supervisord.d/squid.conf 1> /dev/null <<-CONFIG
	[program:squid]
	priority = 100
	command = bash -c "/usr/sbin/squid -N -z -F -f /etc/squid/squid.conf >> /var/log/squid/squid.out 2>&1; exec /usr/sbin/squid -N -f /etc/squid/squid.conf"
	startsecs = 1
	autorestart = true
	redirect_stderr = true
	stdout_logfile = /var/log/squid/cache.log
	stdout_events_enabled = true
	CONFIG

	# - Standard port configuration done in the custom configuration later.
	# - Allow SSL connections on non-standard ports.
	# - Rules for refresh_pattern need to be above standard rules so redefine later.
	docker exec -i squid.1.0 sed -i \
	-e 's~^\(http_port 3128\)$~#\1~' \
	-e 's~^\(http_access deny CONNECT !SSL_ports\)$~#\1~' \
	-e 's~^\(refresh_pattern .*\)$~#\1~g' \
	/etc/squid/squid.conf

	docker exec -i squid.1.0 mkdir /etc/squid/conf.d

	docker exec -i squid.1.0 tee -a /etc/squid/squid.conf 1> /dev/null <<-CONFIG
	include /etc/squid/conf.d/*.conf
	CONFIG

	docker exec -i squid.1.0 tee /etc/squid/conf.d/10-large-file-cache.conf 1> /dev/null <<-CONFIG
	dns_nameservers ${LOOPBACK_ALIAS_IP} 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220

	# Disk cache
	maximum_object_size 1024 MB
	cache_dir ufs /var/spool/squid 10240 16 256

	# Extend the expiry for package files to 90 day
	refresh_pattern -i .(rpm\|iso)$ 129600 100% 129600 refresh-ims override-expire
	refresh_pattern ^ftp: 1440 20% 10080
	refresh_pattern ^gopher: 1440 0% 1440
	refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0
	refresh_pattern . 0 20% 4320

	sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

	sslproxy_cafile /etc/pki/tls/cert.pem
	# Need a later version of squid to support certificate hash better than sha1
	# sslproxy_cert_sign_hash sha256
	sslproxy_cipher ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
	sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE

	ssl_bump server-first all

	# Transparent http
	http_port 0.0.0.0:3126 intercept

	# Transparent https
	https_port 0.0.0.0:3127 \
	intercept ssl-bump \
	cert=/etc/pki/tls/certs/proxy.localdomain.pem \
	dhparams=/etc/pki/tls/certs/dhparam.pem \
	dynamic_cert_mem_cache_size=4MB \
	generate-host-certificates=on \
	options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE \
	cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

	# Standard http + https
	http_port 0.0.0.0:3128 \
	ssl-bump \
	cert=/etc/pki/tls/certs/proxy.localdomain.pem \
	dhparams=/etc/pki/tls/certs/dhparam.pem \
	dynamic_cert_mem_cache_size=4MB \
	generate-host-certificates=on \
	options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE \
	cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
	CONFIG

	# Initialise SSL Database and set permissions
	docker exec -i squid.1.0 /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
	docker exec -i squid.1.0 chown -R squid:squid /var/lib/ssl_db

	# Generate CA Certificate if one isn't already available
	docker exec -it squid.1.0 bash -c "if [[ ! -f /etc/pki/tls/certs/proxy.localdomain.pem ]]; then openssl req \
	-x509 \
	-extensions v3_ca \
	-sha256 \
	-nodes \
	-new \
	-newkey rsa:2048 \
	-days 365 \
	-subj "/C=--/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=proxy.localdomain" \
	-keyout /etc/pki/tls/certs/proxy.localdomain.pem \
	-out /etc/pki/tls/certs/proxy.localdomain.pem; \
	fi"

	# Generate Diffie–Hellman parameters if not already available
	docker exec -i squid.1.0 bash -c "if [[ ! -f /etc/pki/tls/certs/dhparam.pem ]]; then openssl dhparam \
	-outform PEM \
	-out /etc/pki/tls/certs/dhparam.pem 2048; \
	fi"

	# Copy certificate from conainer to distribute
	docker cp squid.1.0:/etc/pki/tls/certs/proxy.localdomain.pem .

	# Append ca-intermediate.pem to the cafile
	if [[ -f ./ca-intermediate.pem ]]; then
	docker cp ca-intermediate.pem squid.1.0:/etc/pki/ca-trust/source/anchors/
	fi

	# If you need to trust StartCom https://www.startssl.com/certs/sca.server3.crt
	if [[ -f ./sca.server3.crt ]]; then
	docker cp sca.server3.crt squid.1.0:/etc/pki/ca-trust/source/anchors/
	fi

	docker exec -it squid.1.0 update-ca-trust

	# Restarting the container allows supervisord start the process. If you
	# Upload a new configuration you will need restart for the changes to apply.
	docker restart squid.1.0

	# Tail the logs - Note: Use Ctl + c to exit.
	docker logs -f --tail=30 squid.1.0

	echo "Set up your network connection to use the proxy ${LOOPBACK_ALIAS_IP}:3128 for both HTTP and HTTPS."