Dockerfile

ARG BASE_IMAGE=alpine
ARG ALPINE_VERSION=3.10

FROM ${BASE_IMAGE}:${ALPINE_VERSION}
ARG BUILD_DATE
ARG VCS_REF
LABEL \
    org.opencontainers.image.authors="quentin.mcgaw@gmail.com" \
    org.opencontainers.image.created=$BUILD_DATE \
    org.opencontainers.image.version="" \
    org.opencontainers.image.revision=$VCS_REF \
    org.opencontainers.image.url="https://github.com/qdm12/private-internet-access-docker" \
    org.opencontainers.image.documentation="https://github.com/qdm12/private-internet-access-docker" \
    org.opencontainers.image.source="https://github.com/qdm12/private-internet-access-docker" \
    org.opencontainers.image.title="PIA client" \
    org.opencontainers.image.description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
    image-size="21.1MB" \
    image-size="19.9MB" \
    ram-usage="13MB to 80MB" \
    cpu-usage="Low to Medium"
ENV USER= \
    PASSWORD= \
    ENCRYPTION=strong \
    PROTOCOL=udp \
    REGION="CA Montreal" \
    NONROOT=no \
    DOT=on \
    BLOCK_MALICIOUS=off \
    BLOCK_NSA=off \
    UNBLOCK= \
    EXTRA_SUBNETS= \
    PORT_FORWARDING=false \
    PORT_FORWARDING_STATUS_FILE="/forwarded_port" \
    PROXY=on \
    PROXY_LOG_LEVEL=Critical \
    PROXY_PORT=8888 \
    PROXY_USER= \
    PROXY_PASSWORD=
ENTRYPOINT /entrypoint.sh
EXPOSE 8888
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \
    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
    https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
    https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
    https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
    mkdir -p /openvpn/target && \
    unzip -q openvpn.zip -d /openvpn/udp-normal && \
    unzip -q openvpn-strong.zip -d /openvpn/udp-strong && \
    unzip -q openvpn-tcp.zip -d /openvpn/tcp-normal && \
    unzip -q openvpn-strong-tcp.zip -d /openvpn/tcp-strong && \
    apk del -q --progress --purge unzip && \
    rm -rf /*.zip /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host /etc/tinyproxy/tinyproxy.conf && \
    adduser nonrootuser -D -H --uid 1000 && \
    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/named.root.updated -O /etc/unbound/root.hints && \
    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
    cd /tmp && \
    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \
    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \
    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \
    while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
    while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \
    tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
    while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames && \
    tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
    rm -f /tmp/*
COPY unbound.conf /etc/unbound/unbound.conf
COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf
COPY entrypoint.sh healthcheck.sh portforward.sh /
RUN chown nonrootuser -R /etc/unbound /etc/tinyproxy && \
    chmod 700 /etc/unbound /etc/tinyproxy && \
    chmod 600 /etc/unbound/unbound.conf /etc/tinyproxy/tinyproxy.conf && \
    chmod 500 /entrypoint.sh /healthcheck.sh /portforward.sh && \
    chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
Readme update and typo fixes 2019-04-26 21:43:26 +02:00			`ARG BASE_IMAGE=alpine`
Updated packages and Alpine to 3.10 2019-06-26 17:23:24 +02:00			`ARG ALPINE_VERSION=3.10`
Reworked labels, readme and added License 2018-10-29 16:32:11 +01:00
Readme update and typo fixes 2019-04-26 21:43:26 +02:00			`FROM ${BASE_IMAGE}:${ALPINE_VERSION}`
Reworked labels, readme and added License 2018-10-29 16:32:11 +01:00			`ARG BUILD_DATE`
			`ARG VCS_REF`
Adopted new opencontainers.org labelling scheme for Dockerfile 2019-09-09 11:50:06 -04:00			`LABEL \`
			`org.opencontainers.image.authors="quentin.mcgaw@gmail.com" \`
			`org.opencontainers.image.created=$BUILD_DATE \`
			`org.opencontainers.image.version="" \`
			`org.opencontainers.image.revision=$VCS_REF \`
			`org.opencontainers.image.url="https://github.com/qdm12/private-internet-access-docker" \`
			`org.opencontainers.image.documentation="https://github.com/qdm12/private-internet-access-docker" \`
			`org.opencontainers.image.source="https://github.com/qdm12/private-internet-access-docker" \`
			`org.opencontainers.image.title="PIA client" \`
			`org.opencontainers.image.description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \`
			`image-size="21.1MB" \`
Large refactoring: proxy+firewall+readme - Cleaner logs - HTTP proxy is working... finally - Firewall was adjusted - Firewall cannot be turned off anymore - portforward script changes the firewall - readme reworked - Possibility to pass commands to Openvpn with Docker command 2019-06-29 13:42:44 +02:00			`image-size="19.9MB" \`
Updated packages and Alpine to 3.10 2019-06-26 17:23:24 +02:00			`ram-usage="13MB to 80MB" \`
			`cpu-usage="Low to Medium"`
Multiple additions and fixes #12 - Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes 2018-11-14 14:38:10 +02:00			`ENV USER= \`
			`PASSWORD= \`
			`ENCRYPTION=strong \`
			`PROTOCOL=udp \`
Big refactoring (more secured, more modular) - Region change to "CA Montreal" - Using external data images for malicious hostnames - Added malicious IP addresses blocking with Unbound - Unbound has DNS rebinding protection 2018-10-28 14:08:14 +01:00			`REGION="CA Montreal" \`
More modularity and reworked readme - Docker's init added to avoid zombie processes (i.e. Unbound) - Added environment variables to enable or disable features: `DOT`, `FIREWALL` - Reworked readme 2019-06-27 13:10:51 +02:00			`NONROOT=no \`
			`DOT=on \`
Multiple additions and fixes #12 - Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes 2018-11-14 14:38:10 +02:00			`BLOCK_MALICIOUS=off \`
Splitted `BLOCK_MALICIOUS` with `BLOCK_NSA` and `UNBLOCK` env variable 2019-04-23 10:29:44 +02:00			`BLOCK_NSA=off \`
			`UNBLOCK= \`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`EXTRA_SUBNETS= \`
Fix/improve port forwarding handling 2019-07-15 22:02:40 +02:00			`PORT_FORWARDING=false \`
Make forwarded_port file location configurable (#43) * Make port forwarding status file dynamic * Readme updates 2019-09-02 16:38:41 +02:00			`PORT_FORWARDING_STATUS_FILE="/forwarded_port" \`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`PROXY=on \`
			`PROXY_LOG_LEVEL=Critical \`
Fixes #28 allowing to set the port of Tinyproxy 2019-07-03 11:07:37 +02:00			`PROXY_PORT=8888 \`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`PROXY_USER= \`
			`PROXY_PASSWORD=`
Multiple additions and fixes #12 - Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes 2018-11-14 14:38:10 +02:00			`ENTRYPOINT /entrypoint.sh`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`EXPOSE 8888`
Changed healthcheck to only ping 1.1.1.1 to check connectivity This is because your VPN public IP might not be the VPN server entrance IP address, resulting in the container being unhealthy most of the time. 2019-01-15 14:40:28 +01:00			`HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh`
Fix/improve port forwarding handling 2019-07-15 22:02:40 +02:00			`RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \`
Added choice of UDP/TCP and level of encryption. Reworked readme and Dockerfile 2018-04-15 14:15:58 -04:00			`wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \`
Updated packages and Alpine to 3.10 2019-06-26 17:23:24 +02:00			`https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \`
			`https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \`
			`https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \`
The target files are created in /openvpn/target - More resilience to failure - Less verbose - Works with start/stop 2018-11-27 17:50:08 +02:00			`mkdir -p /openvpn/target && \`
Fixed auth_failed error - Removed nonrootgroup - File directories are slightly different - Resolv-retry is removed as pointless as IP addresses are used - Fixed some arguments to openvpn 2018-11-17 14:44:17 +02:00			`unzip -q openvpn.zip -d /openvpn/udp-normal && \`
			`unzip -q openvpn-strong.zip -d /openvpn/udp-strong && \`
			`unzip -q openvpn-tcp.zip -d /openvpn/tcp-normal && \`
			`unzip -q openvpn-strong-tcp.zip -d /openvpn/tcp-strong && \`
Reworked labels, readme and added License 2018-10-29 16:32:11 +01:00			`apk del -q --progress --purge unzip && \`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`rm -rf /.zip /var/cache/apk/ /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host /etc/tinyproxy/tinyproxy.conf && \`
Replaced external docker images with Github hosted files 2019-01-01 23:14:36 +02:00			`adduser nonrootuser -D -H --uid 1000 && \`
			`wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/named.root.updated -O /etc/unbound/root.hints && \`
			`wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \`
			`cd /tmp && \`
			`wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \`
Splitted `BLOCK_MALICIOUS` with `BLOCK_NSA` and `UNBLOCK` env variable 2019-04-23 10:29:44 +02:00			`wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \`
Replaced external docker images with Github hosted files 2019-01-01 23:14:36 +02:00			`wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \`
Multiple additions and fixes #12 - Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes 2018-11-14 14:38:10 +02:00			`while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \`
			`while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \`
			`tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \`
Splitted `BLOCK_MALICIOUS` with `BLOCK_NSA` and `UNBLOCK` env variable 2019-04-23 10:29:44 +02:00			`while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames && \`
			`tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \`
Multiple additions and fixes #12 - Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes 2018-11-14 14:38:10 +02:00			`rm -f /tmp/*`
Reworked labels, readme and added License 2018-10-29 16:32:11 +01:00			`COPY unbound.conf /etc/unbound/unbound.conf`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf`
Added port forwarding, fixes #14 2019-06-26 17:24:10 +02:00			`COPY entrypoint.sh healthcheck.sh portforward.sh /`
Added web HTTP proxy 2019-06-27 13:12:03 +02:00			`RUN chown nonrootuser -R /etc/unbound /etc/tinyproxy && \`
			`chmod 700 /etc/unbound /etc/tinyproxy && \`
			`chmod 600 /etc/unbound/unbound.conf /etc/tinyproxy/tinyproxy.conf && \`
Added port forwarding, fixes #14 2019-06-26 17:24:10 +02:00			`chmod 500 /entrypoint.sh /healthcheck.sh /portforward.sh && \`
Updated packages and Alpine to 3.10 2019-06-26 17:23:24 +02:00			`chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2`