From 7b9f13b079a1184f6f55a4e5f8325196517957db Mon Sep 17 00:00:00 2001
From: Dmitry Maksyoma
Date: Wed, 12 Oct 2022 09:00:01 +0000
Subject: [PATCH] Switch to Squid 5.6, add websocket support
---
 dockerfile-kasm-core-centos | 2 +-
 dockerfile-kasm-core-oracle | 4 +-
 dockerfile-kasm-core-suse | 2 +-
 .../install/kasm_vnc/install_kasm_vnc.sh | 3 +-
 .../install/squid/install/install_squid.sh | 4 +-
 src/ubuntu/install/squid/resources/squid.conf | 4 +-
 .../install/squid/resources/start_squid.sh | 113 +++++++++---------
 7 files changed, 68 insertions(+), 64 deletions(-)
diff --git a/dockerfile-kasm-core-centos b/dockerfile-kasm-core-centos
index 504d40e..e3fc3c8 100644
--- a/dockerfile-kasm-core-centos
+++ b/dockerfile-kasm-core-centos
@@ -11,7 +11,7 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 FROM install_tools AS squid_builder
-RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_amd64.tar.gz'
+RUN wget --progress=dot:giga 'https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_amd64.tar.gz'
 RUN tar -xzf kasm-squid-builder_centos_amd64.tar.gz -C /
 FROM install_tools
diff --git a/dockerfile-kasm-core-oracle b/dockerfile-kasm-core-oracle
index 8441a98..2b8042f 100644
--- a/dockerfile-kasm-core-oracle
+++ b/dockerfile-kasm-core-oracle
@@ -16,10 +16,10 @@ ARG DISTRO=oracle8
 RUN if [ "${DISTRO}" == "oracle8" ]; then \
 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
- wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
+ wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_oracle_${ARCH}.tar.gz"; \
 else \
 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
- wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/96a014eae9161b234fc4eafb07d3b6dd555b8417/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
+ wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_centos_${ARCH}.tar.gz"; \
 fi
 RUN tar -xzf kasm-squid-builder_*.tar.gz -C /
diff --git a/dockerfile-kasm-core-suse b/dockerfile-kasm-core-suse
index f9ef80d..3e4ceb5 100644
--- a/dockerfile-kasm-core-suse
+++ b/dockerfile-kasm-core-suse
@@ -15,7 +15,7 @@ FROM install_tools AS squid_builder
 ARG DISTRO=opensuse
 RUN ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') && \
- wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/919fdaaa1cb5184deb5f849e28ad6324615129cd/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
+ wget --progress=dot:giga "https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/de1dffbc94d4132d6c696de8c6dfcd6f08900f61/output/kasm-squid-builder_opensuse_${ARCH}.tar.gz"
 RUN tar -xzf kasm-squid-builder_*.tar.gz -C /
 FROM install_tools
diff --git a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
index acd9a96..f99da7a 100644
--- a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
+++ b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
@@ -100,8 +100,7 @@ else
 apt-get update
 apt-get install -y gettext ssl-cert libxfont2
- dpkg -i /tmp/kasmvncserver.deb
- apt-get -yf install
+ apt-get install -y /tmp/kasmvncserver.deb
 rm -f /tmp/kasmvncserver.deb
 fi
 #mkdir $KASM_VNC_PATH/certs
diff --git a/src/ubuntu/install/squid/install/install_squid.sh b/src/ubuntu/install/squid/install/install_squid.sh
index 62928d6..740e9e4 100644
--- a/src/ubuntu/install/squid/install/install_squid.sh
+++ b/src/ubuntu/install/squid/install/install_squid.sh
@@ -4,7 +4,7 @@ set -ex
 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')
 # intall squid
-SQUID_COMMIT='6392f7dfb1040c67c0a5d5518abf508282523cc0'
+SQUID_COMMIT='de1dffbc94d4132d6c696de8c6dfcd6f08900f61'
 SQUID_DISTRO=${DISTRO}
 # currently all distros use the ubuntu build of squid except centos/oracle
 if [[ "${SQUID_DISTRO}" != @(centos|oracle7) ]] ; then
@@ -78,7 +78,7 @@ log_level: 5
 sasldb_path: /etc/sasl2/memcached-sasldb2
 EOL
-KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/040a19d1f0df7f5caed00f85abb8c0653a66f6a7/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.040a19.tar.gz
+KASM_SQUID_ADAPTER=https://kasmweb-build-artifacts.s3.amazonaws.com/kasm_squid_adapter/d54ebc03a8696964b12cb99e5863116fb3a26c0b/kasm_squid_adapter_${DISTRO/kali/ubuntu}_${ARCH}_develop.d54ebc.tar.gz
 wget -qO- ${KASM_SQUID_ADAPTER} | tar xz -C /etc/squid/
 ls -la /etc/squid
diff --git a/src/ubuntu/install/squid/resources/squid.conf b/src/ubuntu/install/squid/resources/squid.conf
index 463df5c..717fb45 100644
--- a/src/ubuntu/install/squid/resources/squid.conf
+++ b/src/ubuntu/install/squid/resources/squid.conf
@@ -18,7 +18,7 @@ ssl_bump bump all
 acl CONNECT method CONNECT
-# The following two lines are an example of how we can leaverage squid to block ports, there can be as
+# The following two lines are an example of how we can leaverage squid to block ports, there can be as
 # many acl statements adding ports to Safe_ports as are needed.
 #acl Safe_ports port 443 # https
 #http_access deny !Safe_ports
@@ -36,6 +36,8 @@ http_access deny all
 http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
 sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
+http_upgrade_request_protocols OTHER allow all
+
 coredump_dir /var/spool/squid
 refresh_pattern ^ftp: 1440 20% 10080
diff --git a/src/ubuntu/install/squid/resources/start_squid.sh b/src/ubuntu/install/squid/resources/start_squid.sh
index acc641b..c2c7a7f 100644
--- a/src/ubuntu/install/squid/resources/start_squid.sh
+++ b/src/ubuntu/install/squid/resources/start_squid.sh
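Review bot: `http_upgrade_request_protocols OTHER allow all` in the second hunk permits every Upgrade protocol for every client, although the commit only sets out to add WebSocket support; `OTHER` is Squid's catch-all for protocols not named by an earlier rule, so a narrower pair such as `http_upgrade_request_protocols WebSocket allow all` followed by `http_upgrade_request_protocols OTHER deny all` would cover the stated use case without letting arbitrary protocol switches through the bumped proxy. The `http_access deny all` shown as hunk context still decides which requests are accepted at all, so this is about limiting what an accepted request may upgrade to, not who may connect. The new directive also carries no comment, unlike the port-blocking example above it; a line such as `# Allow HTTP Upgrade (WebSocket) through the proxy; restrict OTHER if more protocols are not needed` next to it would record why it was added.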
@@ -1,66 +1,69 @@
 #!/usr/bin/env bash
 set -ex
-IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
-mkdir /tmp/working_certs
-cd /tmp/working_certs
+{
+ IP=$(ip route get 1.1.1.1 | grep -oP "src \\K\\S+")
-if [ -f /etc/centos-release ]; then
- DISTRO=centos
-elif [ -f /etc/oracle-release ]; then
- DISTRO=oracle7
-elif [ -f /usr/bin/zypper ]; then
- DISTRO=opensuse
-fi
+ mkdir /tmp/working_certs
+ cd /tmp/working_certs
-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
- CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
-elif [ "${DISTRO}" == "opensuse" ]; then
- CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
-else
- CERT_FILE=/usr/local/share/ca-certificates/squid.crt
-fi
-CERT_NAME="Squid Root CA"
-openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
-openssl x509 -in myCA.pem -outform DER -out myCA.der
-openssl x509 -in myCA.pem -outform DER -out myCA.der
-cp myCA.pem ${CERT_FILE}
-cp myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
- update-ca-trust
-else
- update-ca-certificates
-fi
+ if [ -f /etc/centos-release ]; then
+ DISTRO=centos
+ elif [ -f /etc/oracle-release ]; then
+ DISTRO=oracle7
+ elif [ -f /usr/bin/zypper ]; then
+ DISTRO=opensuse
+ fi
-cd $HOME
-rm -rf /tmp/working_certs
+ if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+ CERT_FILE=/etc/pki/ca-trust/source/anchors/squid.crt
+ elif [ "${DISTRO}" == "opensuse" ]; then
+ CERT_FILE=/usr/share/pki/trust/anchors/squid.crt
+ else
+ CERT_FILE=/usr/local/share/ca-certificates/squid.crt
+ fi
+ CERT_NAME="Squid Root CA"
+ openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -subj "/C=US/ST=CA/O=Kasm Technologies/CN=kasm.localhost.net" -keyout myCA.pem -out myCA.pem
+ openssl x509 -in myCA.pem -outform DER -out myCA.der
+ openssl x509 -in myCA.pem -outform DER -out myCA.der
+ cp myCA.pem ${CERT_FILE}
+ cp 
myCA.pem /usr/local/squid/etc/ssl_cert/squid.pem
+ if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+ update-ca-trust
+ else
+ update-ca-certificates
+ fi
-for certDB in $(find / -name "cert9.db")
-do
- certdir=$(dirname ${certDB});
- echo "Updating $certdir"
- certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
- chown -R 1000:1000 ${certdir}
-done
+ cd $HOME
+ rm -rf /tmp/working_certs
-export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
-echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
-if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
- MEMCACHE_USER=memcached
-else
- MEMCACHE_USER=memcache
-fi
-chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
+ for certDB in $(find / -name "cert9.db")
+ do
+ certdir=$(dirname ${certDB});
+ echo "Updating $certdir"
+ certutil -A -n "${CERT_NAME}" -t "TCu,," -i ${CERT_FILE} -d sql:${certdir}
+ chown -R 1000:1000 ${certdir}
+ done
+
+ export MEMCACHE_PASSWORD="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 )"
+ echo $MEMCACHE_PASSWORD | saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 kasm
+ if [[ "${DISTRO}" == @(centos|oracle7|opensuse) ]]; then
+ MEMCACHE_USER=memcached
+ else
+ MEMCACHE_USER=memcache
+ fi
+ chown $MEMCACHE_USER:$MEMCACHE_USER /etc/sasl2/memcached-sasldb2
-if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
- /usr/bin/memcached -u $MEMCACHE_USER &
-elif [ "${DISTRO}" == "opensuse" ]; then
- /usr/sbin/memcached -u $MEMCACHE_USER &
-else
- /etc/init.d/memcached start
-fi
-/etc/squid/kasm_squid_adapter --load-cache
-/usr/local/squid/sbin/squid -f /etc/squid/squid.conf
+ if [[ "${DISTRO}" == @(centos|oracle7) ]]; then
+ /usr/bin/memcached -u $MEMCACHE_USER &
+ elif [ "${DISTRO}" == "opensuse" ]; then
+ /usr/sbin/memcached -u $MEMCACHE_USER &
+ else
+ /etc/init.d/memcached start
+ fi
+ /etc/squid/kasm_squid_adapter --load-cache
+ /usr/local/squid/sbin/squid -f /etc/squid/squid.conf
-echo 
"Done!"
+ echo "Done!"
+} 2>&1 | tee /usr/local/squid/var/logs/start_squid.log