Compare commits
1 Commits
master ... tmp/ssh-se

Author | SHA1 | Date
---|---|---
| 44b05a7074 |

37 README.md
@ -1,6 +1,6 @@
|
|||||||
# openconnect + tinyproxy + microsocks
|
# openconnect + tinyproxy + microsocks
|
||||||
|
|
||||||
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
|
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (on port 8889) and a sshd server (on port 22) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
|
||||||
|
|
||||||
You can find the image on docker hub:
|
You can find the image on docker hub:
|
||||||
https://hub.docker.com/r/wazum/openconnect-proxy
|
https://hub.docker.com/r/wazum/openconnect-proxy
|
||||||
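Review bot: The headline description now advertises "a sshd server (on port 22)" without saying that it runs with root login enabled and a fixed default password (documented further down in this README). Someone pulling this image for the proxies may not expect a second, privileged listening service; state up front that the ssh server is optional, or start it only when a public key has been mounted, so the default deployment does not change for existing users.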
@ -25,24 +25,44 @@ Optionally set a multi factor authentication code:
|
|||||||
|
|
||||||
OPENCONNECT_MFA_CODE=<Multi factor authentication code>
|
OPENCONNECT_MFA_CODE=<Multi factor authentication code>
|
||||||
|
|
||||||
You can also change the ports the proxies are listening on (these are the default values):
|
# SSH server
|
||||||
|
|
||||||
|
To use the ssh server, mount your public key as volume with the `-v` option:
|
||||||
|
|
||||||
|
docker run … -v ~/.ssh/id_rsa.pub:/tmp/public_key …
|
||||||
|
|
||||||
|
or use the root password `docker`. The ssh server is listening on port 22.
|
||||||
|
|
||||||
|
Set
|
||||||
|
|
||||||
|
Host 127.0.0.1
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
UserKnownHostsFile=/dev/null
|
||||||
|
|
||||||
|
in your `~/.ssh/config` on the host.
|
||||||
|
|
||||||
HTTPS_PROXY_PORT=8888
|
|
||||||
SOCKS5_PROXY_PORT=8889
|
|
||||||
|
|
||||||
# Run container in foreground
|
# Run container in foreground
|
||||||
|
|
||||||
To start the container in foreground run:
|
To start the container in foreground run:
|
||||||
|
|
||||||
docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy
|
docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy:latest
|
||||||
|
|
||||||
|
The proxies are listening on ports 8888 (http/https) and 8889 (socks).
|
||||||
|
Either use `--net host` or `-p <local port>:8888 -p <local port>:8889` to make the proxy ports available on the host.
|
||||||
|
|
||||||
|
Another example:
|
||||||
|
|
||||||
|
docker run -it --rm --privileged --env-file=.env \
|
||||||
|
-v ~/.ssh/id_rsa.pub:/tmp/public_key \
|
||||||
|
-p 8888:8888 -p 8889:8889 -p 2222:22 wazum/openconnect-proxy:latest
|
||||||
|
|
||||||
Either use `--net host` or `-p 8888:8888 -p 8889:8889` to make the proxy ports available on the host.
|
|
||||||
|
|
||||||
Without using a `.env` file set the environment variables on the command line with the docker run option `-e`:
|
Without using a `.env` file set the environment variables on the command line with the docker run option `-e`:
|
||||||
|
|
||||||
docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
|
docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
|
||||||
-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
|
-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
|
||||||
-e OPENCONNECT_USER=<Username> …
|
-e OPENCONNECT_USER=<Username> …
|
||||||
|
|
||||||
# Run container in background
|
# Run container in background
|
||||||
|
|
||||||
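Review bot: The sentence "or use the root password `docker`" documents a shared, well-known root credential, and the recommended run command in this same section is `docker run ... --net host`, which binds sshd's port 22 directly on the host network. Anyone who can reach the host then has root in the container with a published password. Require the mounted public key (or an `OPENCONNECT_`-style environment variable for a user-chosen password) and drop the fixed default. The `~/.ssh/config` advice is also broader than it needs to be: `Host 127.0.0.1` with `StrictHostKeyChecking no` and `UserKnownHostsFile=/dev/null` disables host key verification for every ssh connection to localhost, not only this container; scope it with `Port 2222` (the port used in the `-p 2222:22` example) or, better, persist the container's host keys so the check can stay enabled. Finally, the "You can also change the ports the proxies are listening on" paragraph is removed together with `HTTPS_PROXY_PORT=8888` and `SOCKS5_PROXY_PORT=8889`; if the ports are now fixed, say so explicitly so users of the old variables know they no longer have any effect.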
@ -66,6 +86,7 @@ In daemon mode you can view the stderr log with `docker logs`:
|
|||||||
ports:
|
ports:
|
||||||
- 8888:8888
|
- 8888:8888
|
||||||
- 8889:8889
|
- 8889:8889
|
||||||
|
- 22:2222
|
||||||
networks:
|
networks:
|
||||||
- mynetwork
|
- mynetwork
|
||||||
```
|
```
|
||||||
|
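Review bot: `- 22:2222` has the host and container sides swapped. Compose port entries are `host:container`, and sshd inside this image listens on 22 (the Dockerfile adds `EXPOSE 22` and the README example uses `-p 2222:22`), so this line publishes host port 22 to a container port nothing listens on. It should read `- "2222:22"`, quoted like the other entries to avoid YAML treating the value as a sexagesimal number.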
@ -19,6 +19,13 @@ RUN apk add --no-cache ca-certificates wget \
|
|||||||
&& make install \
|
&& make install \
|
||||||
&& apk del .build-deps wget
|
&& apk del .build-deps wget
|
||||||
|
|
||||||
|
RUN apk add --no-cache openssh \
|
||||||
|
&& echo "root:docker" | chpasswd \
|
||||||
|
&& mkdir -p /root/.ssh \
|
||||||
|
&& touch /root/.ssh/authorized_keys \
|
||||||
|
&& chmod 700 /root/.ssh \
|
||||||
|
&& chmod 600 /root/.ssh/authorized_keys
|
||||||
|
|
||||||
# Use an up-to-date version of vpnc-script
|
# Use an up-to-date version of vpnc-script
|
||||||
# https://www.infradead.org/openconnect/vpnc-script.html
|
# https://www.infradead.org/openconnect/vpnc-script.html
|
||||||
COPY vpnc-script /etc/vpnc/vpnc-script
|
COPY vpnc-script /etc/vpnc/vpnc-script
|
||||||
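Review bot: `echo "root:docker" | chpasswd` bakes a published root password into an image layer, so every copy of the image pulled from Docker Hub shares the same credential and it cannot be rotated without a rebuild. Set the password at container start from an environment variable in `entrypoint.sh` (and only when that variable is set), or leave the root account passwordless and rely on the key copied into `/root/.ssh/authorized_keys`, which the same `RUN` already prepares with `chmod 600`.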
@ -29,10 +36,8 @@ COPY tinyproxy.conf /etc/tinyproxy.conf
|
|||||||
COPY entrypoint.sh /entrypoint.sh
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
RUN chmod +x /entrypoint.sh
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888}
|
EXPOSE 8888
|
||||||
ENV SOCKS5_PROXY_PORT=${SOCKS5_PROXY_PORT:-8889}
|
EXPOSE 8889
|
||||||
|
EXPOSE 22
|
||||||
EXPOSE ${HTTPS_PROXY_PORT}
|
|
||||||
EXPOSE ${SOCKS5_PROXY_PORT}
|
|
||||||
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
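Review bot: Replacing `EXPOSE ${HTTPS_PROXY_PORT}` / `EXPOSE ${SOCKS5_PROXY_PORT}` with `EXPOSE 8888` / `EXPOSE 8889` and deleting the two `ENV` lines silently drops the port override feature. This is consistent with the hard-coded `8888`/`8889` in the entrypoint change in this commit, but it is a behavioural change for anyone setting those variables, so it belongs in the commit message and README rather than only in the diff.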
@ -1,14 +1,27 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Copy possibly mounted public key for ssh
|
||||||
|
if test -f "/tmp/public_key"; then
|
||||||
|
cat /tmp/public_key > /root/.ssh/authorized_keys
|
||||||
|
fi
|
||||||
|
|
||||||
# Set proxy port
|
# Set proxy port
|
||||||
sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf
|
sed "s/^Port .*$/Port 8888/" -i /etc/tinyproxy.conf
|
||||||
|
|
||||||
# Start proxy
|
# Start proxy
|
||||||
/usr/bin/tinyproxy -c /etc/tinyproxy.conf && echo "HTTP/S proxy listening on $HTTPS_PROXY_PORT"
|
/usr/bin/tinyproxy -c /etc/tinyproxy.conf
|
||||||
|
|
||||||
# Start socks5 proxy
|
# Start socks5 proxy
|
||||||
/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT &
|
/usr/local/bin/microsocks -i 0.0.0.0 -p 8889 &
|
||||||
echo "socks5 proxy listening on $SOCKS5_PROXY_PORT"
|
|
||||||
|
# Start ssh server
|
||||||
|
sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
|
||||||
|
sed -i s/#AllowTCPForwarding.*/AllowTCPForwarding\ yes/ /etc/ssh/sshd_config
|
||||||
|
sed -i s/#PermitTunnel.*/PermitTunnel\ yes/ /etc/ssh/sshd_config
|
||||||
|
sed -i s/#AllowAgentForwarding.*/AllowAgentForwarding\ yes/ /etc/ssh/sshd_config
|
||||||
|
sed -i s/#GatewayPorts.*/GatewayPorts\ yes/ /etc/ssh/sshd_config
|
||||||
|
ssh-keygen -A
|
||||||
|
/usr/sbin/sshd -4 -e
|
||||||
|
|
||||||
# Start openconnect
|
# Start openconnect
|
||||||
if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
|
if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
|
||||||
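Review bot: `ssh-keygen -A` runs on every container start, so the host keys change each time the container is recreated; that is what forces the `StrictHostKeyChecking no` workaround in the README. Generate the keys once into a mounted volume (or skip `ssh-keygen -A` when keys already exist) so clients can verify the host. The `sed` edits also enable more than the stated use case needs: `GatewayPorts yes` makes remote-forwarded ports listen on all interfaces, which with the recommended `--net host` means the host's interfaces, and `PermitRootLogin yes` together with the `root:docker` password from the Dockerfile leaves password login open even when a key was mounted. When `/tmp/public_key` is present, also set `PasswordAuthentication no`, and leave `GatewayPorts` at its default unless a documented feature depends on it. Minor: the `&& echo "HTTP/S proxy listening on ..."` after the tinyproxy start was removed, so a failed tinyproxy start is now silent; keep a status line, and quote the `sed` expressions (`'s/#PermitRootLogin.*/PermitRootLogin yes/'`) instead of escaping spaces with backslashes.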
@ -21,3 +34,4 @@ elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
|
|||||||
# Standard authentication
|
# Standard authentication
|
||||||
echo $OPENCONNECT_PASSWORD | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
|
echo $OPENCONNECT_PASSWORD | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|