Switch to Squid 5.6, add websocket support
parent
4063f13994
commit
7b9f13b079
@ -11,7 +11,7 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
|
||||
|
||||
FROM install_tools AS squid_builder
|
||||
|
||||
RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_amd64.tar.gz'
|
||||
RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_amd64.tar.gz'
|
||||
RUN tar -xzf kasm-squid-builder_centos_amd64.tar.gz -C /
|
||||
|
||||
FROM install_tools
|
||||
|
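Review bot: The new `wget` line fetches the Squid build tarball and the following `RUN tar -xzf … -C /` unpacks it over the root filesystem with no integrity check; the commit id in the URL path names the object but does not bind its contents. I would record the expected digest beside the URL and verify it in the same `RUN` as the download, for example `echo "<expected-sha256>  kasm-squid-builder_centos_amd64.tar.gz" | sha256sum -c -` (the digest is a placeholder to be filled from the build pipeline). The same gap applies to the oracle and opensuse builder hunks below. It also applies to the `KASM_SQUID_ADAPTER` download in the install script, where the archive is piped straight into `tar` and would have to be saved to a file before it can be checked.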
@ -16,10 +16,10 @@ ARG DISTRO=oracle8
|
||||
|
||||
RUN if [ "${DISTRO}" == "oracle8" ]; then \
|
||||
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
|
||||
else \
|
||||
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
|
||||
fi
|
||||
RUN tar -xzf kasm-squid-builder_*.tar.gz -C /
|
||||
|
||||
|
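Review bot: The build commit id is repeated in both branches of this `RUN` and again in the other two builder Dockerfiles, and the `ARCH=` line is duplicated in each branch, so every Squid bump has to touch several near-identical lines. The opensuse file was on a different commit id before this change, which may be the kind of drift this invites. Declaring the value once, `ARG SQUID_COMMIT=de1dffbc94d4132d6c696de8c6dfcd6f08900f61`, computing `ARCH` ahead of the `if`, and using `${SQUID_COMMIT}` in the URLs would make the next upgrade a one-line change per file.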
@ -15,7 +15,7 @@ FROM install_tools AS squid_builder
|
||||
ARG DISTRO=opensuse
|
||||
|
||||
RUN ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/919fdaaa1cb5184deb5f849e28ad6324615129cd/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
|
||||
wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
|
||||
RUN tar -xzf kasm-squid-builder_*.tar.gz -C /
|
||||
|
||||
FROM install_tools
|
||||
|
@ -100,8 +100,7 @@ else
|
||||
|
||||
apt-get update
|
||||
apt-get install -y gettext ssl-cert libxfont2
|
||||
dpkg -i /tmp/kasmvncserver.deb
|
||||
apt-get -yf install
|
||||
apt-get install -y /tmp/kasmvncserver.deb
|
||||
rm -f /tmp/kasmvncserver.deb
|
||||
fi
|
||||
#mkdir $KASM_VNC_PATH/certs
|
||||
|
@ -4,7 +4,7 @@ set -ex
|
||||
ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')
|
||||
|
||||
# intall squid
|
||||
SQUID_COMMIT='6392f7dfb1040c67c0a5d5518abf508282523cc0'
|
||||
SQUID_COMMIT='de1dffbc94d4132d6c696de8c6dfcd6f08900f61'
|
||||
SQUID_DISTRO=${DISTRO}
|
||||
# currently all distros use the ubuntu build of squid except centos/oracle
|
||||
if [[ "${SQUID_DISTRO}" != @(centos|oracle7) ]] ; then
|
||||
@ -78,7 +78,7 @@ log_level: 5
|
||||
sasldb_path: /etc/sasl2/memcached-sasldb2
|
||||
EOL
|
||||
|
||||
KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/040a19d1f0df7f5caed00f85abb8c0653a66f6a7/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.040a19.tar.gz
|
||||
KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/d54ebc03a8696964b12cb99e5863116fb3a26c0b/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.d54ebc.tar.gz
|
||||
|
||||
wget -qO- ${KASM_SQUID_ADAPTER} | tar xz -C /etc/squid/
|
||||
ls -la /etc/squid
|
||||
|
@ -18,7 +18,7 @@ ssl_bump bump all
|
||||
|
||||
acl CONNECT method CONNECT
|
||||
|
||||
# The following two lines are an example of how we can leaverage squid to block ports, there can be as
|
||||
# The following two lines are an example of how we can leaverage squid to block ports, there can be as
|
||||
# many acl statements adding ports to Safe_ports as are needed.
|
||||
#acl Safe_ports port 443 # https
|
||||
#http_access deny !Safe_ports
|
||||
@ -36,6 +36,8 @@ http_access deny all
|
||||
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
|
||||
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
|
||||
|
||||
http_upgrade_request_protocols OTHER allow all
|
||||
|
||||
coredump_dir /var/spool/squid
|
||||
|
||||
refresh_pattern ^ftp: 1440 20% 10080
|
||||
|
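Review bot: `http_upgrade_request_protocols OTHER allow all` lets every client upgrade to any protocol a server offers, not only WebSocket, which is wider than the commit title calls for. Once an upgrade is accepted Squid relays the connection as an opaque tunnel, so on this ssl-bump proxy that traffic is no longer subject to the HTTP-level access rules above it. If WebSocket is the only requirement, name it explicitly with `http_upgrade_request_protocols websocket allow all` and leave other protocols at the default. A comment above the directive saying why upgrades are enabled would also help the next reader.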
@ -1,66 +1,69 @@
|
||||
#!/usr/bin/env bash
|
||||
set -ex
|
||||
IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
|
||||
|
||||
mkdir /tmp/working_certs
|
||||
cd /tmp/working_certs
|
||||
{
|
||||
IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
|
||||
|
||||
if [ -f /etc/centos-release ]; then
|
||||
DISTRO=centos
|
||||
elif [ -f /etc/oracle-release ]; then
|
||||
DISTRO=oracle7
|
||||
elif [ -f /usr/bin/zypper ]; then
|
||||
DISTRO=opensuse
|
||||
fi
|
||||
mkdir /tmp/working_certs
|
||||
cd /tmp/working_certs
|
||||
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
|
||||
elif [ "${DISTRO}" == "opensuse" ]; then
|
||||
CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
|
||||
else
|
||||
CERT_FILE=/usr/local/share/ca-certificates/squid.crt
|
||||
fi
|
||||
CERT_NAME="Squid Root CA"
|
||||
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
|
||||
openssl x509 -in myCA.pem -outform DER -out myCA.der
|
||||
openssl x509 -in myCA.pem -outform DER -out myCA.der
|
||||
cp myCA.pem ${CERT_FILE}
|
||||
cp myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
update-ca-trust
|
||||
else
|
||||
update-ca-certificates
|
||||
fi
|
||||
if [ -f /etc/centos-release ]; then
|
||||
DISTRO=centos
|
||||
elif [ -f /etc/oracle-release ]; then
|
||||
DISTRO=oracle7
|
||||
elif [ -f /usr/bin/zypper ]; then
|
||||
DISTRO=opensuse
|
||||
fi
|
||||
|
||||
cd $HOME
|
||||
rm -rf /tmp/working_certs
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
|
||||
elif [ "${DISTRO}" == "opensuse" ]; then
|
||||
CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
|
||||
else
|
||||
CERT_FILE=/usr/local/share/ca-certificates/squid.crt
|
||||
fi
|
||||
CERT_NAME="Squid Root CA"
|
||||
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
|
||||
openssl x509 -in myCA.pem -outform DER -out myCA.der
|
||||
openssl x509 -in myCA.pem -outform DER -out myCA.der
|
||||
cp myCA.pem ${CERT_FILE}
|
||||
cp myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
update-ca-trust
|
||||
else
|
||||
update-ca-certificates
|
||||
fi
|
||||
|
||||
for certDB in $(find / -name "cert9.db")
|
||||
do
|
||||
certdir=$(dirname ${certDB});
|
||||
echo "Updating $certdir"
|
||||
certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
|
||||
chown -R 1000:1000 ${certdir}
|
||||
done
|
||||
cd $HOME
|
||||
rm -rf /tmp/working_certs
|
||||
|
||||
export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
|
||||
echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
|
||||
if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
|
||||
MEMCACHE_USER=memcached
|
||||
else
|
||||
MEMCACHE_USER=memcache
|
||||
fi
|
||||
chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
|
||||
for certDB in $(find / -name "cert9.db")
|
||||
do
|
||||
certdir=$(dirname ${certDB});
|
||||
echo "Updating $certdir"
|
||||
certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
|
||||
chown -R 1000:1000 ${certdir}
|
||||
done
|
||||
|
||||
export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
|
||||
echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
|
||||
if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
|
||||
MEMCACHE_USER=memcached
|
||||
else
|
||||
MEMCACHE_USER=memcache
|
||||
fi
|
||||
chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
|
||||
|
||||
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
/usr/bin/memcached -u $MEMCACHE_USER &
|
||||
elif [ "${DISTRO}" == "opensuse" ]; then
|
||||
/usr/sbin/memcached -u $MEMCACHE_USER &
|
||||
else
|
||||
/etc/init.d/memcached start
|
||||
fi
|
||||
/etc/squid/kasm_squid_adapter --load-cache
|
||||
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
|
||||
if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
|
||||
/usr/bin/memcached -u $MEMCACHE_USER &
|
||||
elif [ "${DISTRO}" == "opensuse" ]; then
|
||||
/usr/sbin/memcached -u $MEMCACHE_USER &
|
||||
else
|
||||
/etc/init.d/memcached start
|
||||
fi
|
||||
/etc/squid/kasm_squid_adapter --load-cache
|
||||
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
|
||||
|
||||
echo "Done!"
|
||||
echo "Done!"
|
||||
} 2>&1 | tee /usr/local/squid/var/logs/start_squid.log
|
||||
|
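Review bot: Wrapping the body in `{ … } 2>&1 | tee /usr/local/squid/var/logs/start_squid.log` while `set -ex` is active sends the xtrace of `export MEMCACHE_PASSWORD=…` and of the following `echo $MEMCACHE_PASSWORD` into the log file, so the generated memcached SASL password now lands on disk in clear text. Bracket those two lines with `set +x` and `set -x` so the value is never traced. The pipeline also makes the script's exit status that of `tee`, so a command that aborts the group under `set -e` no longer fails the script; adding `set -o pipefail` next to `set -ex` restores that. Who can read the log directory is not visible from this page.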