Remove connect script, update README

.gitignore

@@ -0,0 +1 @@
+.env

README.md

@@ -1,55 +1,72 @@
 # openconnect + tinyproxy + microsocks
 
-This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image.
+This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 60 MB).
 
 You can find the image on docker hub:
 https://hub.docker.com/r/wazum/openconnect-proxy
 
-# Run
+# Requirements
 
-First set the variables in `connect` according to your credentials.
+If you don't want to set the environment variables on the command line
+set the environment variables in a `.env` file:
 
-	OPENCONNECT_URL=<VPN URL>
-	OPENCONNECT_USER=<VPN User>
-	OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=<Protocol>"
+	OPENCONNECT_URL=<Gateway URL>
+	OPENCONNECT_USER=<Username>
+	OPENCONNECT_PASSWORD=<Password>
+	OPENCONNECT_OPTIONS=--authgroup <VPN Group> \
+		--servercert <VPN Server Certificate> --protocol=<Protocol> \
+		--reconnect-timeout 86400
 
-You can also change the ports used
+_(don't use quotes around the values!)_
+
+Either set the password in the `.env` file or leave the variable `OPENCONNECT_PASSWORD` unset, so you get prompted when starting up the container.
+
+Optionally set a multi factor authentication code:
+
+	OPENCONNECT_MFA_CODE=<Multi factor authentication code>
+
+You can also change the ports the proxies are listening on (these are the default values):
 
 	HTTPS_PROXY_PORT=8888
 	SOCKS5_PROXY_PORT=8889
 
-If you have the password for your connection in a file, provide the path
+# Run container in foreground
 
-	PASSWORD_FILE=/path/to/file
+To start the container in foreground run:
 
-Next start the container with 
+	docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy
 
-	chmod 755 ./connect
-	./connect
+Either use `--net host` or `-p 8888:8888 -p 8889:8889` to make the proxy ports available on the host.
 
-The container will be started in the foreground.
-If you want to start it in the background in daemon mode you can call
+Without using a `.env` file set the environment variables on the command line with the docker run option `-e`:
 
-	./connect -d
+	docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
+	-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
+	-e OPENCONNECT_USER=<Username> …
 
-In daemon mode you can view the stderr log with
+# Run container in background
+
+To start the container in daemon mode (background) set the `-d` option:
+
+	docker run -d -it --rm …
+
+In daemon mode you can view the stderr log with `docker logs`:
 
-	docker logs <container ID>
 	docker logs `docker ps|grep "wazum/openconnect-proxy"|awk -F' ' '{print $1}'`
 
 # Configure proxy
 
-The container is connected via openconnect and you can configure your browser
-to use the proxy on port 8888 (see configuration above), 
-e.g. with FoxyProxy or any suitable extension.
+The container is connected via _openconnect_ and now you can configure your browser
+and other software to use one of the proxies (8888 for http/s or 8889 for socks).
 
-Or set environment variables with
+For example FoxyProxy (available for Firefox, Chrome) is a suitable browser extension.
+
+You may also set environment variables:
 
 	export http_proxy="http://127.0.0.1:8888/"
 	export https_proxy="http://127.0.0.1:8888/"
 
-composer, git and others use these if you don't use the git+ssh protocol.
-For that see the next section.
+composer, git (if you don't use the git+ssh protocol, see below) and others use these.
 
 # ssh through the proxy
 
@@ -86,3 +103,8 @@ You can build the container yourself with
 
 	docker build -f build/Dockerfile -t wazum/openconnect-proxy:custom ./build
 
+# Support
+
+You like using my work? Get something for me (surprise! surprise!) from my wishlist on [Amazon](https://smile.amazon.de/hz/wishlist/ls/307SIOOD654GF/) or [help me pay](https://www.paypal.me/wazum) the next pizza or Pho soup (mjam). Thanks a lot!
+
+

build/Dockerfile

@@ -1,25 +1,23 @@
 FROM alpine:edge
 MAINTAINER Wolfgang Klinger <wolfgang@wazum.com>
 
-# openconnect is not yet available on main
 RUN apk add --no-cache libcrypto1.1 libssl1.1 libstdc++ --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
 RUN apk add --no-cache oath-toolkit-libpskc --repository http://dl-cdn.alpinelinux.org/alpine/edge/community
 RUN apk add --no-cache nettle --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
+# openconnect is not yet available on main
 RUN apk add --no-cache openconnect tinyproxy --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
 
-RUN apk --no-cache add ca-certificates wget && \
-    wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
-    wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \
-    apk add glibc-2.30-r0.apk
-
-RUN apk add --no-cache gcc make musl-dev && \
-    cd /tmp && \
-    wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz && \
-    tar -xzvf v1.0.1.tar.gz && \
-    cd microsocks-1.0.1 && \
-    make && \
-    make install && \
-    apk del gcc make musl-dev
+RUN apk add --no-cache ca-certificates wget \
+    && wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub \
+    && wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk \
+    && apk add --no-cache --virtual .build-deps glibc-2.30-r0.apk gcc make musl-dev \
+    && cd /tmp \
+    && wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz \
+    && tar -xzvf v1.0.1.tar.gz \
+    && cd microsocks-1.0.1 \
+    && make \
+    && make install \
+    && apk del .build-deps wget
 
 # Use an up-to-date version of vpnc-script
 # https://www.infradead.org/openconnect/vpnc-script.html
@@ -31,4 +29,10 @@ COPY tinyproxy.conf /etc/tinyproxy.conf
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
+ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888}
+ENV SOCKS5_PROXY_PORT=${SOCKS5_PROXY_PORT:-8889}
+
+EXPOSE ${HTTPS_PROXY_PORT}
+EXPOSE ${SOCKS5_PROXY_PORT}
+
 ENTRYPOINT ["/entrypoint.sh"]

build/entrypoint.sh

@@ -4,10 +4,20 @@
 sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf
 
 # Start proxy
-tinyproxy -c /etc/tinyproxy.conf
+/usr/bin/tinyproxy -c /etc/tinyproxy.conf && echo "HTTP/S proxy listening on $HTTPS_PROXY_PORT"
 
 # Start socks5 proxy
-/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT &
+/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT & 
+echo "socks5 proxy listening on $SOCKS5_PROXY_PORT"
 
-# Start openconnect with a reconnect timeout of 24 hours
-echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS --reconnect-timeout 86400 $OPENCONNECT_URL
+# Start openconnect
+if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
+# Ask for password
+  openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS $OPENCONNECT_URL
+elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]] && [[ ! -z "${OPENCONNECT_MFA_CODE}" ]]; then
+# Multi factor authentication (MFA)
+  (echo $OPENCONNECT_PASSWORD; echo $OPENCONNECT_MFA_CODE) | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
+elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
+# Standard authentication
+  echo $OPENCONNECT_PASSWORD | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
+fi

build/tinyproxy.conf

@@ -46,7 +46,7 @@ Port 8888
 # Timeout: The maximum number of seconds of inactivity a connection is
 # allowed to have before it is closed by tinyproxy.
 #
-Timeout 600
+Timeout 3600
 
 #
 # ErrorFile: Defines the HTML file to send when a given HTTP error
@@ -99,7 +99,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html"
 # option must not be enabled if the Logfile directive is being used.
 # These two directives are mutually exclusive.
 #
-#Syslog On
+Syslog On
 #
 # Log to stdout if no Syslog and no LogFile given
 
@@ -118,7 +118,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html"
 # LogLevel was set to Warning, then all log messages from Warning to
 # Critical would be output, but Notice and below would be suppressed.
 #
-LogLevel Info
+LogLevel Connect
 
 #
 # PidFile: Write the PID of the main tinyproxy thread to this file so it
@@ -191,7 +191,7 @@ MaxSpareServers 10
 #
 # StartServers: The number of servers to start initially.
 #
-StartServers 5 
+StartServers 2 
 
 #
 # MaxRequestsPerChild: The number of connections a thread will handle
@@ -210,6 +210,7 @@ MaxRequestsPerChild 0
 # tested against the controls based on order.
 #
 Allow 127.0.0.1
+Allow 0.0.0.0/0
 
 #
 # AddHeader: Adds the specified headers to outgoing HTTP requests that
@@ -327,5 +328,3 @@ ViaProxyName "tinyproxy"
 # If not set then no rewriting occurs.
 #
 #ReverseBaseURL "http://localhost:8888/"
-
-Allow  0.0.0.0/0

connect

@@ -1,42 +0,0 @@
-#!/bin/bash
-
-# Edit this
-
-PASSWORD_FILE=
-OPENCONNECT_USER=
-OPENCONNECT_URL=
-OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=pulse"
-HTTPS_PROXY_PORT=8888
-SOCKS5_PROXY_PORT=8889
-
-# Don't touch this
-
-container() {
-	if [ "$PASSWORD_FILE" ]; then
-		OPENCONNECT_PASSWORD="`cat $PASSWORD_FILE`"
-	else
-# Ask for password on the commandline
-		stty -echo
-		printf "VPN password: "
-		read OPENCONNECT_PASSWORD
-		stty echo
-		printf "\n\n"
-	fi
-
-	# Start container with proxy on specified port
-	until docker run -it --rm "$@" --privileged --name openconnect-proxy \
-		-e OPENCONNECT_URL="$OPENCONNECT_URL" \
-		-e OPENCONNECT_OPTIONS="$OPENCONNECT_OPTIONS" \
-		-e OPENCONNECT_USER="$OPENCONNECT_USER" \
-		-e OPENCONNECT_PASSWORD="$OPENCONNECT_PASSWORD" \
-		-e HTTPS_PROXY_PORT="$HTTPS_PROXY_PORT" \
-		-e SOCKS5_PROXY_PORT="$SOCKS5_PROXY_PORT" \
-		-p $HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT \
-		-p $SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT \
-		"wazum/openconnect-proxy:latest"; do
-    		echo "openconnect exited with code $?. Restarting process…" >&2
-    		sleep 1
-	done
-}
-
-container "$@"