initial commit for working transparent https proxy setup using TLS-na…
…tive proxy with SNI-based forwarding
Showing
5 changed files
with
115 additions
and
17 deletions.
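--- /dev/null
+++ b/Dockerfile.full
@@ -0,0 +1,66 @@
+# 3proxy.full is fully functional 3proxy build based on busibox:glibc
+#
+#to build:
+# docker build -f Dockerfile.full -t 3proxy.full .
+#to run:
+# by default 3proxy uses safe chroot environment with chroot to /usr/local/3proxy with uid/gid 65535/65535 and expects
+# configuration file to be placed in /usr/local/etc/3proxy.
+# Paths in configuration file must be relative to /usr/local/3proxy, that is use /logs instead of
+# /usr/local/3proxy/logs. nserver in chroot is required for DNS resolution. An example:
+#
+# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
+# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/usr/local/3proxy/conf -name 3proxy.full 3proxy.full
+#
+# /path/to/local/config/directory in this example must conrain 3proxy.cfg
+# if you need 3proxy to be executed without chroot with root permissions, replace /etc/3proxy/3proxy.cfg by e.g. mounting config
+# dir to /etc/3proxy ot by providing config file /etc/3proxy/3proxy.cfg
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
+#
+# use "log" without pathname in config to log to stdout.
+# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config).
+
+# switched to ubuntu:20.04 to not have problems with apt install on ubuntu 20.04 hosts
+FROM ubuntu:20.04 AS buildenv
+# COPY . 3proxyt
+RUN apt-get update && apt-get install -y git gcc build-essential libssl-dev tree
+RUN git clone https://github.com/3proxy/3proxy
+RUN cd 3proxy &&\
+echo "">> Makefile.Linux &&\
+echo PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin SSLPlugin>>Makefile.Linux &&\
+echo LIBS = -l:libcrypto.a -l:libssl.a -ldl >>Makefile.Linux &&\
+make -f Makefile.Linux &&\
+strip bin/3proxy &&\
+strip bin/StringsPlugin.ld.so &&\
+strip bin/TrafficPlugin.ld.so &&\
+strip bin/PCREPlugin.ld.so &&\
+strip bin/TransparentPlugin.ld.so &&\
+strip bin/SSLPlugin.ld.so
+RUN tree 3proxy/bin
+RUN ls -l /lib/x86_64-linux-gnu/libdl.so.*
+
+# FROM busybox:glibc
+FROM ubuntu:20.04
+# COPY --from=buildenv /lib/x86_64-linux-gnu/libdl.so.* /lib/ # COPY failed: no source files were specified probably because of the symlink
+# /lib/x86_64-linux-gnu/libdl.so.2 -> libdl-2.31.so
+COPY --from=buildenv /lib/x86_64-linux-gnu/libdl-2.31.so /lib/
+RUN ln -s /lib/libdl-2.31.so /lib/libdl.so.2
+
+COPY --from=buildenv 3proxy/bin/* /bin/
+# COPY --from=buildenv 3proxy/bin/3proxy /bin/
+COPY --from=buildenv 3proxy/bin/*.ld.so /usr/local/3proxy/libexec/
+RUN mkdir /usr/local/3proxy/logs &&\
+mkdir /usr/local/3proxy/conf &&\
+chown -R 65535:65535 /usr/local/3proxy &&\
+chmod -R 550 /usr/local/3proxy &&\
+chmod 750 /usr/local/3proxy/logs &&\
+chmod -R 555 /usr/local/3proxy/libexec &&\
+chown -R root /usr/local/3proxy/libexec &&\
+mkdir /etc/3proxy/ &&\
+echo chroot /usr/local/3proxy 65535 65535 >/etc/3proxy/3proxy.cfg &&\
+echo include /conf/3proxy.cfg >>/etc/3proxy/3proxy.cfg &&\
+chmod 440 /etc/3proxy/3proxy.cfg
+
+
+
+CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]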
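Review bot: `RUN git clone https://github.com/3proxy/3proxy` compiles whatever the upstream default branch points to at build time, so the image is not reproducible and an upstream change (or a compromised upstream) is built in without review; pin the checkout, e.g. `RUN git clone https://github.com/3proxy/3proxy && git -C 3proxy checkout <pinned-tag-or-commit>` (placeholder), and pin `ubuntu:20.04` by digest in the final stage for the same reason. The final stage has no `USER`, so `CMD` starts 3proxy as root and the privilege drop rests entirely on the `chroot /usr/local/3proxy 65535 65535` line written to `/etc/3proxy/3proxy.cfg`; since the header comment already tells operators they may mount over `/etc/3proxy`, a comment next to `CMD` should state the consequence, e.g. `# runs as root: 3proxy chroots and drops to 65535/65535 via /etc/3proxy/3proxy.cfg; mounting over /etc/3proxy removes that drop`. The `libdl-2.31.so` copy and `ln -s` at the top of the final stage look like a leftover from the commented-out `busybox:glibc` base, as `ubuntu:20.04` already ships libdl, so they can probably be dropped once plugin loading is confirmed without them.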
@@ -0,0 +1,20 @@ | ||
# this config forwards transparently redirected (to port 8012) TLS connections via parent upstream HTTPS-CONNECT proxy based on SNI in TLS client hello | ||
plugin /usr/local/3proxy/libexec/TransparentPlugin.ld.so transparent_plugin | ||
log | ||
logformat "L[%Y-%m-%dT%H:%M:%S.%.]_TLS-proxy || %U@%N:%p src: %C:%c dst: %R:%r orig_dst: %Q:%q ext_iface: %e hops: %h host: %n bytes-I/0: %I/%O byte/sec-I/O: %B/%b duration: %D text: %T error: %E" | ||
auth iponly | ||
#fakeresolve | ||
|
||
allow * | ||
parent 1000 connect+ tools.dbpedia.org 8894 user1 mypassword | ||
|
||
transparent | ||
tlspr -p8012 -P443 -c1 | ||
# tls -p8012 -i127.0.0.1 -e127.0.0.1 -b127.0.0.1 # TODO think about inferfaces and whether to not require | ||
# tlspr redirects all incoming TLS connection on port 8012 to the parent proxy using default destination port 443 (in theory - see NOTE for weird behavior) | ||
# using the required (-c1 option) hostname in SNI extension of TLS client hello as target authority for the upstream proxy (CONNECT request) | ||
# see https://github.com/3proxy/3proxy/commit/013d4bc3339d8e3760855eae448972f3f34cba14 commit message for the -cN options and other pararemeters | ||
# NOTE: -P443 does not seem to have an effect neither when using transparent plugin (which is good) nor when not using it (then weird target port is used) | ||
|
||
|
||
|
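Review bot: `parent 1000 connect+ tools.dbpedia.org 8894 user1 mypassword` commits the upstream proxy credentials to the repository in plaintext; even if these are placeholders, the layout makes a real secret one edit away from history. Move the `parent` line into a file that is mounted at runtime and never committed, and reference it with `include /conf/parent.cfg` (constructed name; the Dockerfile's generated config already uses `include` the same way), committing only a redacted template. `allow *` under `auth iponly` lets any source address that reaches port 8012 consume the upstream account, so unless the transparent redirect rule is the only path to that port, narrow it to the redirected client range, e.g. `allow * 192.0.2.0/24` (constructed example). With the `connect+` parent type the CONNECT request and its `Proxy-Authorization` header appear to travel to the parent unencrypted, so confirm the hop to port 8894 is otherwise protected.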