From 1bb2a1217b6958361fdcb21cc42156552af78dee Mon Sep 17 00:00:00 2001
From: Wolfgang Klinger
Date: Tue, 15 Oct 2019 08:11:23 +0200
Subject: [PATCH] Remove connect script, update README

---
.gitignore | 1 +
README.md | 68 +++++++++++++++++++++++++++++---------------
build/Dockerfile | 32 ++++++++++++---------
build/entrypoint.sh | 18 +++++++++---
build/tinyproxy.conf | 11 ++++---
connect | 42 ---------------------------
6 files changed, 83 insertions(+), 89 deletions(-)
create mode 100644 .gitignore
delete mode 100755 connect

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/README.md b/README.md
index 106250f..9e97a31 100644
--- a/README.md
+++ b/README.md
@@ -1,55 +1,72 @@ # openconnect + tinyproxy + microsocks -This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image. +This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 60 MB). You can find the image on docker hub: https://hub.docker.com/r/wazum/openconnect-proxy -# Run +# Requirements -First set the variables in `connect` according to your credentials. +If you don't want to set the environment variables on the command line +set the environment variables in a `.env` file: - OPENCONNECT_URL= - OPENCONNECT_USER= - OPENCONNECT_OPTIONS="--authgroup --servercert --protocol=" + OPENCONNECT_URL= + OPENCONNECT_USER= + OPENCONNECT_PASSWORD= + OPENCONNECT_OPTIONS=--authgroup \ + --servercert --protocol= \ + --reconnect-timeout 86400 -You can also change the ports used +_(don't use quotes around the values!)_ + +Either set the password in the `.env` file or leave the variable `OPENCONNECT_PASSWORD` unset, so you get prompted when starting up the container. 
+ +Optionally set a multi factor authentication code: + + OPENCONNECT_MFA_CODE= + +You can also change the ports the proxies are listening on (these are the default values): HTTPS_PROXY_PORT=8888 SOCKS5_PROXY_PORT=8889 -If you have the password for your connection in a file, provide the path +# Run container in foreground - PASSWORD_FILE=/path/to/file +To start the container in foreground run: -Next start the container with + docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy - chmod 755 ./connect - ./connect +Either use `--net host` or `-p 8888:8888 -p 8889:8889` to make the proxy ports available on the host. -The container will be started in the foreground. -If you want to start it in the background in daemon mode you can call +Without using a `.env` file set the environment variables on the command line with the docker run option `-e`: - ./connect -d + docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \ + -e OPENCONNECT_OPTIONS='' \ + -e OPENCONNECT_USER= … -In daemon mode you can view the stderr log with +# Run container in background + +To start the container in daemon mode (background) set the `-d` option: + + docker run -d -it --rm … + +In daemon mode you can view the stderr log with `docker logs`: - docker logs docker logs `docker ps|grep "wazum/openconnect-proxy"|awk -F' ' '{print $1}'` # Configure proxy -The container is connected via openconnect and you can configure your browser -to use the proxy on port 8888 (see configuration above), -e.g. with FoxyProxy or any suitable extension. +The container is connected via _openconnect_ and now you can configure your browser +and other software to use one of the proxies (8888 for http/s or 8889 for socks). -Or set environment variables with +For example FoxyProxy (available for Firefox, Chrome) is a suitable browser extension. 
+ +You may also set environment variables: export http_proxy="http://127.0.0.1:8888/" export https_proxy="http://127.0.0.1:8888/" -composer, git and others use these if you don't use the git+ssh protocol. -For that see the next section. +composer, git (if you don't use the git+ssh protocol, see below) and others use these. # ssh through the proxy @@ -86,3 +103,8 @@ You can build the container yourself with docker build -f build/Dockerfile -t wazum/openconnect-proxy:custom ./build +# Support + +You like using my work? Get something for me (surprise! surprise!) from my wishlist on [Amazon](https://smile.amazon.de/hz/wishlist/ls/307SIOOD654GF/) or [help me pay](https://www.paypal.me/wazum) the next pizza or Pho soup (mjam). Thanks a lot! + + diff --git a/build/Dockerfile b/build/Dockerfile index 5176492..d148a95 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -1,25 +1,23 @@ FROM alpine:edge MAINTAINER Wolfgang Klinger -# openconnect is not yet available on main RUN apk add --no-cache libcrypto1.1 libssl1.1 libstdc++ --repository http://dl-cdn.alpinelinux.org/alpine/edge/main RUN apk add --no-cache oath-toolkit-libpskc --repository http://dl-cdn.alpinelinux.org/alpine/edge/community RUN apk add --no-cache nettle --repository http://dl-cdn.alpinelinux.org/alpine/edge/main +# openconnect is not yet available on main RUN apk add --no-cache openconnect tinyproxy --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing -RUN apk --no-cache add ca-certificates wget && \ - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \ - wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \ - apk add glibc-2.30-r0.apk - -RUN apk add --no-cache gcc make musl-dev && \ - cd /tmp && \ - wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz && \ - tar -xzvf v1.0.1.tar.gz && \ - cd microsocks-1.0.1 && \ - make && \ - make install && \ - apk del gcc make musl-dev +RUN apk add --no-cache ca-certificates wget \ + && wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub \ + && wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk \ + && apk add --no-cache --virtual .build-deps glibc-2.30-r0.apk gcc make musl-dev \ + && cd /tmp \ + && wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz \ + && tar -xzvf v1.0.1.tar.gz \ + && cd microsocks-1.0.1 \ + && make \ + && make install \ + && apk del .build-deps wget # Use an up-to-date version of vpnc-script # https://www.infradead.org/openconnect/vpnc-script.html 
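Review bot: The merged RUN step fetches three artifacts at build time — the sgerrand signing key, glibc-2.30-r0.apk and the microsocks v1.0.1 tarball — and installs or unpacks them without checking a digest, so the build trusts whatever the remote returns; apk's own signature check covers the repository packages in the lines above, but not these raw `wget` downloads. Pin at least the tarball, e.g. `&& echo "<expected sha256>  v1.0.1.tar.gz" | sha256sum -c -` directly after its `wget`. Since glibc now sits in `.build-deps` and is removed at the end, the runtime image apparently no longer needs it (microsocks is compiled here against musl-dev) — if that is confirmed, the key and glibc download can go entirely; otherwise remove `/etc/apk/keys/sgerrand.rsa.pub` alongside the `apk del` so the image does not keep trusting that third-party repository key. The downloaded .apk (saved in the build WORKDIR, presumably `/`), `/tmp/v1.0.1.tar.gz` and the unpacked source also remain in the layer; add `&& rm -rf /tmp/v1.0.1.tar.gz /tmp/microsocks-1.0.1 /glibc-2.30-r0.apk` before the `apk del`.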
@@ -31,4 +29,10 @@ COPY tinyproxy.conf /etc/tinyproxy.conf COPY entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh +ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888} +ENV SOCKS5_PROXY_PORT=${SOCKS5_PROXY_PORT:-8889} + +EXPOSE ${HTTPS_PROXY_PORT} +EXPOSE ${SOCKS5_PROXY_PORT} + ENTRYPOINT ["/entrypoint.sh"] diff --git a/build/entrypoint.sh b/build/entrypoint.sh index fd3b7e9..e6ec127 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -4,10 +4,20 @@ sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf # Start proxy -tinyproxy -c /etc/tinyproxy.conf +/usr/bin/tinyproxy -c /etc/tinyproxy.conf && echo "HTTP/S proxy listening on $HTTPS_PROXY_PORT" # Start socks5 proxy -/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT & +/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT & +echo "socks5 proxy listening on $SOCKS5_PROXY_PORT" -# Start openconnect with a reconnect timeout of 24 hours -echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS --reconnect-timeout 86400 $OPENCONNECT_URL +# Start openconnect +if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then +# Ask for password + openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS $OPENCONNECT_URL +elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]] && [[ ! -z "${OPENCONNECT_MFA_CODE}" ]]; then +# Multi factor authentication (MFA) + (echo $OPENCONNECT_PASSWORD; echo $OPENCONNECT_MFA_CODE) | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL +elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then +# Standard authentication + echo $OPENCONNECT_PASSWORD | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL +fi diff --git a/build/tinyproxy.conf b/build/tinyproxy.conf index 4903a70..9455bdf 100644 --- a/build/tinyproxy.conf +++ b/build/tinyproxy.conf 
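Review bot: `ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888}` is expanded by the builder, not at container start, and no `ARG HTTPS_PROXY_PORT` is declared, so the `:-` fallback always fires and the two `EXPOSE` lines are likewise fixed to 8888/8889 regardless of what `-e` passes later; the construct reads as if it honoured an external value but cannot. If build-time overrides are wanted, declare them: `ARG HTTPS_PROXY_PORT=8888` followed by `ENV HTTPS_PROXY_PORT=$HTTPS_PROXY_PORT` (same for SOCKS5); otherwise write the plain defaults and add a comment that a runtime `-e HTTPS_PROXY_PORT=…` also needs a matching `-p` mapping, since `EXPOSE` is metadata only.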
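Review bot: Both `--passwd-on-stdin` branches feed the secret through `echo $OPENCONNECT_PASSWORD` (and `echo $OPENCONNECT_MFA_CODE`) unquoted, so a password containing spaces, `*`/`?`, or beginning with `-n`/`-e` is word-split, glob-expanded or consumed as an echo option, and openconnect receives the wrong credential. Use printf with quoted expansions: `printf '%s\n' "$OPENCONNECT_PASSWORD" | openconnect -v -u "$OPENCONNECT_USER" $OPENCONNECT_OPTIONS --passwd-on-stdin "$OPENCONNECT_URL"` and, for the MFA branch, `printf '%s\n%s\n' "$OPENCONNECT_PASSWORD" "$OPENCONNECT_MFA_CODE" | openconnect …` (`$OPENCONNECT_OPTIONS` stays unquoted on purpose, as the README relies on word splitting). The `[[ ! -z … ]]` tests read more naturally as `[[ -n … ]]`, and the last `elif` can drop its password check since the first branch already handled the empty case. Note also that when the password is unset but `OPENCONNECT_MFA_CODE` is set, the interactive branch runs and the code is silently ignored — probably acceptable, but worth a comment such as `# MFA code is only used together with OPENCONNECT_PASSWORD`. The script's shebang and the tinyproxy `sed` line are outside this hunk; the `[[ ]]` syntax assumes bash.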
@@ -46,7 +46,7 @@ Port 8888 # Timeout: The maximum number of seconds of inactivity a connection is # allowed to have before it is closed by tinyproxy. # -Timeout 600 +Timeout 3600 # # ErrorFile: Defines the HTML file to send when a given HTTP error @@ -99,7 +99,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html" # option must not be enabled if the Logfile directive is being used. # These two directives are mutually exclusive. # -#Syslog On +Syslog On # # Log to stdout if no Syslog and no LogFile given @@ -118,7 +118,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html" # LogLevel was set to Warning, then all log messages from Warning to # Critical would be output, but Notice and below would be suppressed. # -LogLevel Info +LogLevel Connect # # PidFile: Write the PID of the main tinyproxy thread to this file so it @@ -191,7 +191,7 @@ MaxSpareServers 10 # # StartServers: The number of servers to start initially. # -StartServers 5 +StartServers 2 # # MaxRequestsPerChild: The number of connections a thread will handle @@ -210,6 +210,7 @@ MaxRequestsPerChild 0 # tested against the controls based on order. # Allow 127.0.0.1 +Allow 0.0.0.0/0 # # AddHeader: Adds the specified headers to outgoing HTTP requests that @@ -327,5 +328,3 @@ ViaProxyName "tinyproxy" # If not set then no rewriting occurs. # #ReverseBaseURL "http://localhost:8888/" - -Allow 0.0.0.0/0 diff --git a/connect b/connect deleted file mode 100755 index c17c1a2..0000000 --- a/connect +++ /dev/null 
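Review bot: The ACL hunk keeps `Allow 0.0.0.0/0` (now directly after `Allow 127.0.0.1`, which it makes redundant), and unless a `Listen` directive elsewhere in the file restricts the bind address, anything that can reach port 8888 gets an unauthenticated forward proxy into the VPN; the README's recommended `--net host` puts that on every address of the host, and the socks5 side (`microsocks -i 0.0.0.0`, started without `-u`/`-P` in entrypoint.sh) has the same exposure. If the intended clients are only the host and sibling containers, restrict it — e.g. keep `Allow 127.0.0.1` and add the container bridge network (Docker's default is `172.17.0.0/16`; adjust to the actual one) — or at least comment the line as a deliberate open ACL so nobody publishes the port unaware. Separately, `Syslog On`: the file's own comments say the Syslog and LogFile directives are mutually exclusive and that logging goes to stdout only when neither is set; inside this Alpine image there is presumably no syslog listener, so the newly enabled `LogLevel Connect` records may be dropped instead of appearing in `docker logs` — please verify, and leave Syslog off if stdout is the intended sink.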
@@ -1,42 +0,0 @@ -#!/bin/bash - -# Edit this - -PASSWORD_FILE= -OPENCONNECT_USER= -OPENCONNECT_URL= -OPENCONNECT_OPTIONS="--authgroup --servercert --protocol=pulse" -HTTPS_PROXY_PORT=8888 -SOCKS5_PROXY_PORT=8889 - -# Don't touch this - -container() { - if [ "$PASSWORD_FILE" ]; then - OPENCONNECT_PASSWORD="`cat $PASSWORD_FILE`" - else -# Ask for password on the commandline - stty -echo - printf "VPN password: " - read OPENCONNECT_PASSWORD - stty echo - printf "\n\n" - fi - - # Start container with proxy on specified port - until docker run -it --rm "$@" --privileged --name openconnect-proxy \ - -e OPENCONNECT_URL="$OPENCONNECT_URL" \ - -e OPENCONNECT_OPTIONS="$OPENCONNECT_OPTIONS" \ - -e OPENCONNECT_USER="$OPENCONNECT_USER" \ - -e OPENCONNECT_PASSWORD="$OPENCONNECT_PASSWORD" \ - -e HTTPS_PROXY_PORT="$HTTPS_PROXY_PORT" \ - -e SOCKS5_PROXY_PORT="$SOCKS5_PROXY_PORT" \ - -p $HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT \ - -p $SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT \ - "wazum/openconnect-proxy:latest"; do - echo "openconnect exited with code $?. Restarting process…" >&2 - sleep 1 - done -} - -container "$@"