Switch to Squid 5.6, add websocket support

This commit is contained in:
Dmitry Maksyoma 2022-10-12 09:00:01 +00:00 committed by Justin Travis
parent 4063f13994
commit 7b9f13b079
7 changed files with 68 additions and 64 deletions

View File

@ -11,7 +11,7 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
FROM install_tools AS squid_builder
RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_amd64.tar.gz'
RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_amd64.tar.gz'
RUN tar -xzf kasm-squid-builder_centos_amd64.tar.gz -C /
FROM install_tools

View File

@ -16,10 +16,10 @@ ARG DISTRO=oracle8
RUN if [ "${DISTRO}" == "oracle8" ]; then \
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
else \
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
fi
RUN tar -xzf kasm-squid-builder_*.tar.gz -C /

View File

@ -15,7 +15,7 @@ FROM install_tools AS squid_builder
ARG DISTRO=opensuse
RUN ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/919fdaaa1cb5184deb5f849e28ad6324615129cd/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
RUN tar -xzf kasm-squid-builder_*.tar.gz -C /
FROM install_tools

View File

@ -100,8 +100,7 @@ else
apt-get update
apt-get install -y gettext ssl-cert libxfont2
dpkg -i /tmp/kasmvncserver.deb
apt-get -yf install
apt-get install -y /tmp/kasmvncserver.deb
rm -f /tmp/kasmvncserver.deb
fi
#mkdir $KASM_VNC_PATH/certs

View File

@ -4,7 +4,7 @@ set -ex
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')
# intall squid
SQUID_COMMIT='6392f7dfb1040c67c0a5d5518abf508282523cc0'
SQUID_COMMIT='de1dffbc94d4132d6c696de8c6dfcd6f08900f61'
SQUID_DISTRO=${DISTRO}
# currently all distros use the ubuntu build of squid except centos/oracle
if [[ "${SQUID_DISTRO}" != @(centos|oracle7) ]] ; then
@ -78,7 +78,7 @@ log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2
EOL
KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/040a19d1f0df7f5caed00f85abb8c0653a66f6a7/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.040a19.tar.gz
KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/d54ebc03a8696964b12cb99e5863116fb3a26c0b/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.d54ebc.tar.gz
wget -qO- ${KASM_SQUID_ADAPTER} | tar xz -C /etc/squid/
ls -la /etc/squid

View File

@ -18,7 +18,7 @@ ssl_bump bump all
acl CONNECT method CONNECT
# The following two lines are an example of how we can leaverage squid to block ports, there can be as
# The following two lines are an example of how we can leaverage squid to block ports, there can be as
# many acl statements adding ports to Safe_ports as are needed.
#acl Safe_ports port 443 # https
#http_access deny !Safe_ports
@ -36,6 +36,8 @@ http_access deny all
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
http_upgrade_request_protocols OTHER allow all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080

View File

@ -1,66 +1,69 @@
#!/usr/bin/env bash
set -ex
IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
mkdir /tmp/working_certs
cd /tmp/working_certs
{
IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
if [ -f /etc/centos-release ]; then
DISTRO=centos
elif [ -f /etc/oracle-release ]; then
DISTRO=oracle7
elif [ -f /usr/bin/zypper ]; then
DISTRO=opensuse
fi
mkdir /tmp/working_certs
cd /tmp/working_certs
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
elif [ "${DISTRO}" == "opensuse" ]; then
CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
else
CERT_FILE=/usr/local/share/ca-certificates/squid.crt
fi
CERT_NAME="Squid Root CA"
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
openssl x509 -in myCA.pem -outform DER -out myCA.der
cp myCA.pem ${CERT_FILE}
cp myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
update-ca-trust
else
update-ca-certificates
fi
if [ -f /etc/centos-release ]; then
DISTRO=centos
elif [ -f /etc/oracle-release ]; then
DISTRO=oracle7
elif [ -f /usr/bin/zypper ]; then
DISTRO=opensuse
fi
cd $HOME
rm -rf /tmp/working_certs
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
elif [ "${DISTRO}" == "opensuse" ]; then
CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
else
CERT_FILE=/usr/local/share/ca-certificates/squid.crt
fi
CERT_NAME="Squid Root CA"
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
openssl x509 -in myCA.pem -outform DER -out myCA.der
cp myCA.pem ${CERT_FILE}
cp myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
update-ca-trust
else
update-ca-certificates
fi
for certDB in $(find / -name "cert9.db")
do
certdir=$(dirname ${certDB});
echo "Updating $certdir"
certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
chown -R 1000:1000 ${certdir}
done
cd $HOME
rm -rf /tmp/working_certs
export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
MEMCACHE_USER=memcached
else
MEMCACHE_USER=memcache
fi
chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
for certDB in $(find / -name "cert9.db")
do
certdir=$(dirname ${certDB});
echo "Updating $certdir"
certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
chown -R 1000:1000 ${certdir}
done
export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
MEMCACHE_USER=memcached
else
MEMCACHE_USER=memcache
fi
chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
/usr/bin/memcached -u $MEMCACHE_USER &
elif [ "${DISTRO}" == "opensuse" ]; then
/usr/sbin/memcached -u $MEMCACHE_USER &
else
/etc/init.d/memcached start
fi
/etc/squid/kasm_squid_adapter --load-cache
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
/usr/bin/memcached -u $MEMCACHE_USER &
elif [ "${DISTRO}" == "opensuse" ]; then
/usr/sbin/memcached -u $MEMCACHE_USER &
else
/etc/init.d/memcached start
fi
/etc/squid/kasm_squid_adapter --load-cache
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
echo "Done!"
echo "Done!"
} 2>&1 | tee /usr/local/squid/var/logs/start_squid.log