Build an authentication proxy server using Docker
background
In-house authenticated proxy server is only an obstacle to software development. Applications that do not support proxies with authentication, setting changes every time a password is changed, setting differences between development members ... I have always been troubled by these problems. When I looked it up there, I found out that my predecessors used Squid to set up an authentication proxy server [^ 1], and I also set up Squid on my Mac and used it. (Very convenient!)
However, the development members have come to say things like "Is security okay with that?" And "It's no good because the environment changes with other members."
Since there is no help for it, I deployed the authentication proxy construction script for Mac to the members and succeeded in unifying the environment for the time being. However, the mechanism of the contents (especially Squid) has not been developed so much, so if there is a problem, I have to consider it, and I have not been able to expand it to other projects very much.
This time, we made it possible to build an authentication proxy server as simply as possible with only Docker, so we will introduce the mechanism focusing on Squid settings.
[^ 1]: Docker container with authenticated proxy without authentication or [Reduce stress caused by authenticated proxy with squid](https: / /qiita.com/scalper/items/e945dd103d356db6eae6), Skip authentication proxy authentication by setting up HTTP proxy on mac, etc. There are also many.
What I made
This time, we will introduce the following repositories. Please refer to here for the latest information.
https://github.com/k-ishigaki/proxy-docker
Prerequisites
It should work if Docker (Docker Compose) is installed. The version of Docker I used was:
$ docker version
(Omitted)
Server: Docker Engine - Community
Engine:
Version: 19.03.12
API version: 1.40 (minimum version 1.12)
(Omitted)
$ docker --version
Docker version 19.03.9, build 9d988398e7
$ docker-compose --version
docker-compose version 1.26.2, build eefe0d31
Overall picture
Set up an authentication proxy server (Squid) on the Docker container and add authentication information (Authorization header). By doing this, applications that use proxies can connect to the Internet without authentication.
Squid settings
I will explain the settings of squid.conf.template one by one.
Basic settings
Set the standby port to 8080.
If you do not set visible_hostname, an error will be displayed saying" It is not set ", so set it to none [^ visible_hostname].
Turn on DNS. If this is set, you will be able to specify the proxy server for the domain name. (It seems that there are some environments that don't work, but I don't know the cause.)
http_port 8080
visible_hostname none
dns_defnames on
[^ visible_hostname]: Set visible_hostname, which causes an error when trying to start squid after a long time!
ACL definition
Define ACL (Access Control) of Squid.
localnet defines access from the local network, to_localnet_fast defines access to the local network, to_localhost_fast defines access to the local host, and to_direct_access_domains defines access to the specified domain.
In the dst (destination) ACL, the -n flag is specified to disable DNS Lookup. If enabled, network access will be extremely slow.
Also, to_direct_access_domains specifies to include the domains specified in .direct_access_domains [^ direct_access_domains].
[^ direct_access_domains]: The proxy exclusion domain such as the in-house portal site is imported from another file so that it can be easily set.
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
(Omitted)
acl to_localnet_fast dst -n 0.0.0.1-0.255.255.255
acl to_localnet_fast dst -n 10.0.0.0/8
(Omitted)
acl to_localhost_fast dst -n 127.0.0.0/8
acl to_direct_access_domains dstdomain -n "/.direct_access_domains"
Permission to Squid
Specifies the network that allows access to Squid. Only access from the internal network is allowed [^ http_access].
[^ http_access]: In order to allow access from virtual environments such as VirtualBox, access from not only localhost but also localnet is permitted.
http_access allow localhost
http_access allow localnet
Forwarding settings to a proxy server with authentication
Specify the request to transfer to the proxy server with authentication.
By default, Squid operates "try to transfer to the proxy specified by cache_peer, and if it is impossible, try to connect directly ", sonever_direct allow <connection destination other than the connection destination that allows direct connection> Specify the connection destination that prohibits [^ always_direct].
[^ always_direct]: always_direct allow <connection destination that allows direct connection> is not set because when connecting to the corporate network via VPN, it connects via a proxy.
Specify the parent proxy (proxy with authentication) with cache_peer.
Variables such as $ proxy_port are replaced with envsubst when the Docker container is started.
never_direct allow !to_localhost_fast !to_localnet_fast !to_direct_access_domains
cache_peer $proxy_host parent $proxy_port 0 proxy-only no-digest no-netdb-exchange login=$proxy_auth
Settings to keep Squid secret
By default, proxy servers such as Squid carry information such as PROXY_VIA that says" I'm passing through a proxy ".
Depending on the environment, if the communication header is different, communication may not be possible, so delete the information that Squid puts on its own.
In addition, Squid's cache is disabled with cache deny all so that it operates only for forwarding.
forwarded_for delete
via off
cache deny all
request_header_access Cache-Control deny all
request_header_access Connection deny all
request_header_add Proxy-Connection "Keep-Alive" all
Launch proxy for authentication with Docker
Build and launch the Docker image via Docker Compose.
Since it is necessary to set the proxy to build, set HTTP_PROXY_FOR_PROXY in the environment variable to build and start.
To pull the base image (Alpine), it is necessary to set the proxy on the Docker Daemon side, but since the setting method differs depending on the Docker execution environment, load the local image with load instead of downloading with pull. I am doing it.
If the <proxy_user> and <proxy_password> contain symbols, you need to enter the URL-encoded value.
cd proxy-docker
docker load ./alpine.tar
HTTP_PROXY_FOR_PROXY=http://<proxy_user>:<proxy_password>@<proxy_host>:<proxy_port> HOST_PORT=8080 docker-compose up -d
Docker Compose settings
Parameters for building and starting are defined in docker-compose.yml.
I try to put HTTP_PROXY and HTTPS_PROXY in args (environment variable at build time) and environment (environment variable at startup).
Also, the port on the host side can be set with HOST_PORT.
If the 8080 port is already filled, you can specify another port.
version: "3.4"
x-proxy_settings: &proxy_settings
HTTP_PROXY: "${HTTP_PROXY_FOR_PROXY:?HTTP_PROXY_FOR_PROXY must be set. Prease read README}"
HTTPS_PROXY: "${HTTP_PROXY_FOR_PROXY}"
services:
proxy:
build:
context: .
args:
<<: *proxy_settings
environment:
<<: *proxy_settings
ports:
- "${HOST_PORT:-8080}:8080"
Dockerfile settings
Since it is long, I will omit the contents, but I am doing the following.
- At build time
Connect to the Internet using the value set in
HTTP_PROXYand install Squid - At startup
Modify the Squid configuration file using the value set in
HTTP_PROXYand start Squid
Summary
I briefly introduced how to set up an authentication proxy server using Squid and how to launch it with Docker. We hope that as many people as possible can use this information to get rid of the inconvenience of authenticated proxies.
Recommended Posts