Switch to Squid 5.6, add websocket support

2024-11-24 16:33:19 +01:00 · 2022-10-12 09:00:01 +00:00 · 2022-10-12 09:00:01 +00:00 · 7b9f13b079
commit 7b9f13b079
parent 4063f13994
7 changed files with 68 additions and 64 deletions
--- a/2
+++ b/2
@ -11,7 +11,7 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

 FROM install_tools AS squid_builder

-RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_amd64.tar.gz'
+RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_amd64.tar.gz'
 RUN tar -xzf kasm-squid-builder_centos_amd64.tar.gz -C /

 FROM install_tools
--- a/4
+++ b/4
@ -16,10 +16,10 @@ ARG DISTRO=oracle8

 RUN if [ "${DISTRO}" == "oracle8" ]; then \
  ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
-  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
+  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
 else \
  ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
-  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
+  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
 fi
 RUN tar -xzf kasm-squid-builder_*.tar.gz -C /

--- a/2
+++ b/2
@ -15,7 +15,7 @@ FROM install_tools AS squid_builder
 ARG DISTRO=opensuse

 RUN ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
-  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/919fdaaa1cb5184deb5f849e28ad6324615129cd/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
+  wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
 RUN tar -xzf kasm-squid-builder_*.tar.gz -C /

 FROM install_tools
--- a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
+++ b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
@ -100,8 +100,7 @@ else

    apt-get update
    apt-get install -y gettext ssl-cert libxfont2
-    dpkg -i /tmp/kasmvncserver.deb
-    apt-get -yf install
+    apt-get install -y /tmp/kasmvncserver.deb
    rm -f /tmp/kasmvncserver.deb
 fi
 #mkdir $KASM_VNC_PATH/certs
--- a/src/ubuntu/install/squid/install/install_squid.sh
+++ b/src/ubuntu/install/squid/install/install_squid.sh
@ -4,7 +4,7 @@ set -ex
 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')

 # intall squid
-SQUID_COMMIT='6392f7dfb1040c67c0a5d5518abf508282523cc0'
+SQUID_COMMIT='de1dffbc94d4132d6c696de8c6dfcd6f08900f61'
 SQUID_DISTRO=${DISTRO}
 # currently all distros use the ubuntu build of squid except centos/oracle
 if [[ "${SQUID_DISTRO}" != @(centos|oracle7) ]] ; then
@ -78,7 +78,7 @@ log_level: 5
 sasldb_path: /etc/sasl2/memcached-sasldb2
 EOL

-KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/040a19d1f0df7f5caed00f85abb8c0653a66f6a7/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.040a19.tar.gz
+KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/d54ebc03a8696964b12cb99e5863116fb3a26c0b/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.d54ebc.tar.gz

 wget -qO- ${KASM_SQUID_ADAPTER} | tar xz -C /etc/squid/
 ls -la /etc/squid
--- a/src/ubuntu/install/squid/resources/squid.conf
+++ b/src/ubuntu/install/squid/resources/squid.conf
@ -18,7 +18,7 @@ ssl_bump bump all

 acl CONNECT method CONNECT

-# The following two lines are an example of how we can leaverage squid to block ports, there can be as 
+# The following two lines are an example of how we can leaverage squid to block ports, there can be as
 # many acl statements adding ports to Safe_ports as are needed.
 #acl Safe_ports port 443         # https
 #http_access deny !Safe_ports
@ -36,6 +36,8 @@ http_access deny all
 http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
 sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB

+http_upgrade_request_protocols OTHER allow all
+
 coredump_dir /var/spool/squid

 refresh_pattern ^ftp:           1440    20%     10080
--- a/src/ubuntu/install/squid/resources/start_squid.sh
+++ b/src/ubuntu/install/squid/resources/start_squid.sh
@ -1,66 +1,69 @@
 #!/usr/bin/env bash
 set -ex
-IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")

-mkdir /tmp/working_certs
-cd /tmp/working_certs
+{
+    IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")

-if [ -f /etc/centos-release ]; then
-    DISTRO=centos
-elif [ -f /etc/oracle-release ]; then
-    DISTRO=oracle7
-elif [ -f /usr/bin/zypper ]; then
-    DISTRO=opensuse
-fi
+    mkdir /tmp/working_certs
+    cd /tmp/working_certs

-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
-    CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
-elif [ "${DISTRO}" == "opensuse" ]; then
-    CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
-else
-    CERT_FILE=/usr/local/share/ca-certificates/squid.crt
-fi
-CERT_NAME="Squid Root CA"
-openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem  -out myCA.pem
-openssl x509 -in myCA.pem -outform DER -out myCA.der
-openssl x509 -in myCA.pem -outform DER -out myCA.der
-cp myCA.pem  ${CERT_FILE}
-cp myCA.pem  /usr/local/squid/etc/ssl_cert/squid.pem
-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
-    update-ca-trust
-else
-    update-ca-certificates
-fi
+    if [ -f /etc/centos-release ]; then
+        DISTRO=centos
+    elif [ -f /etc/oracle-release ]; then
+        DISTRO=oracle7
+    elif [ -f /usr/bin/zypper ]; then
+        DISTRO=opensuse
+    fi

-cd $HOME
-rm -rf /tmp/working_certs
+    if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+        CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
+    elif [ "${DISTRO}" == "opensuse" ]; then
+        CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
+    else
+        CERT_FILE=/usr/local/share/ca-certificates/squid.crt
+    fi
+    CERT_NAME="Squid Root CA"
+    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem  -out myCA.pem
+    openssl x509 -in myCA.pem -outform DER -out myCA.der
+    openssl x509 -in myCA.pem -outform DER -out myCA.der
+    cp myCA.pem  ${CERT_FILE}
+    cp myCA.pem  /usr/local/squid/etc/ssl_cert/squid.pem
+    if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+        update-ca-trust
+    else
+        update-ca-certificates
+    fi

-for certDB in $(find / -name "cert9.db")
-do
-    certdir=$(dirname ${certDB});
-    echo "Updating $certdir"
-    certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
-    chown -R 1000:1000 ${certdir}
-done
+    cd $HOME
+    rm -rf /tmp/working_certs

-export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
-echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
-if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
-    MEMCACHE_USER=memcached
-else
-    MEMCACHE_USER=memcache
-fi
-chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
+    for certDB in $(find / -name "cert9.db")
+    do
+        certdir=$(dirname ${certDB});
+        echo "Updating $certdir"
+        certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
+        chown -R 1000:1000 ${certdir}
+    done
+
+    export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
+    echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
+    if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
+        MEMCACHE_USER=memcached
+    else
+        MEMCACHE_USER=memcache
+    fi
+    chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2


-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
-    /usr/bin/memcached -u $MEMCACHE_USER &
-elif [ "${DISTRO}" == "opensuse" ]; then
-    /usr/sbin/memcached -u $MEMCACHE_USER &
-else
-    /etc/init.d/memcached start
-fi
-/etc/squid/kasm_squid_adapter  --load-cache
-/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
+    if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+        /usr/bin/memcached -u $MEMCACHE_USER &
+    elif [ "${DISTRO}" == "opensuse" ]; then
+        /usr/sbin/memcached -u $MEMCACHE_USER &
+    else
+        /etc/init.d/memcached start
+    fi
+    /etc/squid/kasm_squid_adapter  --load-cache
+    /usr/local/squid/sbin/squid -f /etc/squid/squid.conf

-echo "Done!"
+    echo "Done!"
+} 2>&1 | tee /usr/local/squid/var/logs/start_squid.log