Build an authentication proxy server using Docker

Background

An in-house authenticated proxy server is nothing but an obstacle to software development: applications that do not support authenticated proxies, configuration changes every time the password changes, configuration differences between team members... I have always been troubled by these problems. When I looked into it, I found that others had used Squid to set up an authentication proxy server [^ 1], so I set up Squid on my Mac as well and used it. (Very convenient!)

However, the development members started to say things like "Is that okay security-wise?" and "It's no good because the environment differs from that of other members."

Since there was no way around it, I distributed the Mac script for building the authentication proxy to the members and managed to unify the environment for the time being. However, the internals (especially Squid) had not been worked out very well, so whenever a problem came up I had to look into it myself, and I have not been able to roll it out to other projects much.

This time, I made it possible to build an authentication proxy server as simply as possible using only Docker, so I will introduce the mechanism, focusing on the Squid settings.

[^ 1]: There are many others, such as Docker container with authenticated proxy without authentication, [Reduce stress caused by authenticated proxy with squid](https://qiita.com/scalper/items/e945dd103d356db6eae6), and Skip authentication proxy authentication by setting up an HTTP proxy on mac.

What I made

This time, I will introduce the following repository. Please refer to it for the latest information.

https://github.com/k-ishigaki/proxy-docker

Prerequisites

It should work if Docker (and Docker Compose) is installed. The Docker versions I used were:

$ docker version
(Omitted)
Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
(Omitted)
$ docker --version
Docker version 19.03.9, build 9d988398e7
$ docker-compose --version
docker-compose version 1.26.2, build eefe0d31

Overall picture

Run an authentication proxy server (Squid) in a Docker container that adds the authentication information (Authorization header) on the way out. This lets applications that use the proxy connect to the Internet without authenticating themselves.


Squid settings

I will explain the settings in squid.conf.template one by one.

Basic settings

Set the listening port to 8080. If visible_hostname is not set, an error saying that it is not set will be shown, so set it to none [^ visible_hostname]. Turn on dns_defnames; with this set, you can specify the proxy server by host name. (It seems there are some environments where this does not work, but I do not know the cause.)

http_port 8080
visible_hostname none
dns_defnames on

[^ visible_hostname]: Set visible_hostname; not having it set caused an error when I tried to start squid after a long time!

ACL definition

Define Squid ACLs (Access Control Lists). localnet matches access from the local network, to_localnet_fast matches access to the local network, to_localhost_fast matches access to the local host, and to_direct_access_domains matches access to the specified domains.

In the dst (destination) ACLs, the -n flag is specified to disable DNS lookups; if they were enabled, network access would be extremely slow. Also, to_direct_access_domains includes the domains listed in .direct_access_domains [^ direct_access_domains].

[^ direct_access_domains]: The domains to exclude from the proxy, such as the in-house portal site, are imported from a separate file so that they can be configured easily.

acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
(Omitted)
acl to_localnet_fast dst -n 0.0.0.1-0.255.255.255
acl to_localnet_fast dst -n 10.0.0.0/8
(Omitted)
acl to_localhost_fast dst -n 127.0.0.0/8
acl to_direct_access_domains dstdomain -n "/.direct_access_domains"

Permission to Squid

Specify the networks that are allowed to access Squid. Only access from the internal network is allowed [^ http_access].

[^ http_access]: In order to allow access from virtual environments such as VirtualBox, access is permitted not only from localhost but also from localnet.

http_access allow localhost
http_access allow localnet

Forwarding settings to a proxy server with authentication

Specify which requests are forwarded to the proxy server with authentication. By default, Squid operates as "try to forward to the proxy specified by cache_peer, and if that is impossible, try to connect directly", so with never_direct allow <destinations other than those allowed to connect directly> we specify the destinations for which a direct connection is prohibited [^ always_direct].

[^ always_direct]: always_direct allow <destinations allowed to connect directly> is not set, because when connecting to the corporate network via VPN, the connection goes through the proxy.

Specify the parent proxy (the proxy with authentication) with cache_peer. Variables such as $proxy_port are replaced by envsubst when the Docker container starts.

never_direct allow !to_localhost_fast !to_localnet_fast !to_direct_access_domains
cache_peer $proxy_host parent $proxy_port 0 proxy-only no-digest no-netdb-exchange login=$proxy_auth

Settings to keep Squid secret

By default, proxy servers such as Squid add information such as PROXY_VIA that says "this passed through a proxy". Depending on the environment, communication may fail if the headers differ, so delete the information that Squid adds on its own. In addition, Squid's cache is disabled with cache deny all so that it only does forwarding.

forwarded_for delete
via off
cache deny all
request_header_access Cache-Control deny all
request_header_access Connection deny all
request_header_add Proxy-Connection "Keep-Alive" all

Launch proxy for authentication with Docker

Build and start the Docker image with Docker Compose. Since the proxy must be configured in order to build, set HTTP_PROXY_FOR_PROXY as an environment variable when building and starting. To pull the base image (Alpine) the proxy would also have to be configured on the Docker daemon side, but since how to do that differs by Docker execution environment, I load a local image with docker load instead of downloading it with pull.

If <proxy_user> or <proxy_password> contains symbols, you need to enter the URL-encoded value.

cd proxy-docker
docker load -i ./alpine.tar
HTTP_PROXY_FOR_PROXY=http://<proxy_user>:<proxy_password>@<proxy_host>:<proxy_port> HOST_PORT=8080 docker-compose up -d
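As an added illustration (not the repository's own entrypoint, which the page does not show), the following POSIX shell functions derive the $proxy_host, $proxy_port and $proxy_auth values that squid.conf.template refers to from the HTTP_PROXY_FOR_PROXY URL and render the cache_peer line; it uses sed instead of envsubst so that it runs without gettext, and the fallback port of 3128 when the URL omits one is an assumption.

```shell
#!/bin/sh
# Added example, not the proxy-docker project's code: split HTTP_PROXY_FOR_PROXY
# ("http://user:pass@host:port") into the variables used by squid.conf.template
# and render the cache_peer directive. user:pass is expected URL-encoded, as the
# page requires; Squid's cache_peer login= option decodes URL escapes itself.
set -eu

proxy_parts() {
    url=${1#*://}                       # drop the scheme
    url=${url%/}                        # drop one trailing slash
    case $url in
        *@*) auth=${url%@*}; hostport=${url##*@} ;;
        *)   auth=''; hostport=$url ;;  # no credentials in the URL
    esac
    host=${hostport%%:*}
    port=${hostport##*:}
    [ "$port" != "$hostport" ] || port=3128   # assumed default when omitted
    printf '%s\n%s\n%s\n' "$host" "$port" "$auth"
}

proxy_host_of() { proxy_parts "$1" | sed -n 1p; }
proxy_port_of() { proxy_parts "$1" | sed -n 2p; }
proxy_auth_of() { proxy_parts "$1" | sed -n 3p; }

# Substitute the three template variables in whatever arrives on stdin.
# Because user:pass is URL-encoded, sed's special characters (& | /) cannot
# appear literally in the replacement text. Without credentials, the
# " login=$proxy_auth" option is dropped instead of rendering an empty value.
render_squid_conf() {
    host=$(proxy_host_of "$1"); port=$(proxy_port_of "$1"); auth=$(proxy_auth_of "$1")
    if [ -n "$auth" ]; then
        sed -e 's|\$proxy_host|'"$host"'|g' -e 's|\$proxy_port|'"$port"'|g' \
            -e 's|\$proxy_auth|'"$auth"'|g'
    else
        sed -e 's|\$proxy_host|'"$host"'|g' -e 's|\$proxy_port|'"$port"'|g' \
            -e 's| login=\$proxy_auth||g'
    fi
}

# Constructed one-line template, identical to the page's cache_peer directive.
TEMPLATE='cache_peer $proxy_host parent $proxy_port 0 proxy-only no-digest no-netdb-exchange login=$proxy_auth'

cache_peer_line() { printf '%s\n' "$TEMPLATE" | render_squid_conf "$1"; }

# Stand-alone use: print the rendered line for the configured upstream proxy.
if [ -n "${HTTP_PROXY_FOR_PROXY:-}" ]; then
    cache_peer_line "$HTTP_PROXY_FOR_PROXY"
fi
```

In the real container the same substitution would be run over the whole squid.conf.template and written to Squid's configuration path before squid starts.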

Docker Compose settings

Parameters for building and starting are defined in docker-compose.yml. HTTP_PROXY and HTTPS_PROXY are put into both args (build-time environment variables) and environment (startup environment variables). Also, the host-side port can be set with HOST_PORT; if port 8080 is already in use, you can specify another port.

version: "3.4"

x-proxy_settings: &proxy_settings
    HTTP_PROXY: "${HTTP_PROXY_FOR_PROXY:?HTTP_PROXY_FOR_PROXY must be set. Prease read README}"
    HTTPS_PROXY: "${HTTP_PROXY_FOR_PROXY}"

services:
    proxy:
        build:
            context: .
            args:
                <<: *proxy_settings
        environment:
            <<: *proxy_settings
        ports:
            - "${HOST_PORT:-8080}:8080"

Dockerfile settings

Since it is long, I will omit the contents, but I am doing the following.

Summary

I briefly introduced how to set up an authentication proxy server using Squid and how to launch it with Docker. I hope that as many people as possible can use this information to get rid of the inconvenience of authenticated proxies.
