Added web HTTP proxy
This commit is contained in:
Quentin McGaw
18
Dockerfile
18
Dockerfile
@@ -30,10 +30,15 @@ ENV USER= \
|
||||
BLOCK_NSA=off \
|
||||
UNBLOCK= \
|
||||
FIREWALL=on \
|
||||
EXTRA_SUBNETS=
|
||||
EXTRA_SUBNETS= \
|
||||
PROXY=on \
|
||||
PROXY_LOG_LEVEL=Critical \
|
||||
PROXY_USER= \
|
||||
PROXY_PASSWORD=
|
||||
ENTRYPOINT /entrypoint.sh
|
||||
EXPOSE 8888
|
||||
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
|
||||
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
|
||||
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy && \
|
||||
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
|
||||
https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
|
||||
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
|
||||
@@ -44,7 +49,7 @@ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptab
|
||||
unzip -q openvpn-tcp.zip -d /openvpn/tcp-normal && \
|
||||
unzip -q openvpn-strong-tcp.zip -d /openvpn/tcp-strong && \
|
||||
apk del -q --progress --purge unzip && \
|
||||
rm -rf /*.zip /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host && \
|
||||
rm -rf /*.zip /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host /etc/tinyproxy/tinyproxy.conf && \
|
||||
adduser nonrootuser -D -H --uid 1000 && \
|
||||
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/named.root.updated -O /etc/unbound/root.hints && \
|
||||
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
|
||||
@@ -59,9 +64,10 @@ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptab
|
||||
tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
|
||||
rm -f /tmp/*
|
||||
COPY unbound.conf /etc/unbound/unbound.conf
|
||||
COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf
|
||||
COPY entrypoint.sh healthcheck.sh portforward.sh /
|
||||
RUN chown nonrootuser -R /etc/unbound && \
|
||||
chmod 700 /etc/unbound && \
|
||||
chmod 600 /etc/unbound/unbound.conf && \
|
||||
RUN chown nonrootuser -R /etc/unbound /etc/tinyproxy && \
|
||||
chmod 700 /etc/unbound /etc/tinyproxy && \
|
||||
chmod 600 /etc/unbound/unbound.conf /etc/tinyproxy/tinyproxy.conf && \
|
||||
chmod 500 /entrypoint.sh /healthcheck.sh /portforward.sh && \
|
||||
chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
|
||||
|
||||
27
README.md
27
README.md
@@ -31,6 +31,7 @@
|
||||
- [IPtables 1.8.3](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
|
||||
- [Unbound 1.9.1](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
|
||||
- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` and `BLOCK_NSA` environment variables)
|
||||
- [TinyProxy 1.10.0](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/tinyproxy)
|
||||
|
||||
</p></details>
|
||||
|
||||
@@ -45,7 +46,7 @@
|
||||
- DNS over TLS
|
||||
- Malicious DNS blocking
|
||||
- Internal firewall
|
||||
- Run openvpn without root (but will give reconnect problems)
|
||||
- Web HTTP proxy
|
||||
- Run openvpn without root
|
||||
|
||||
</p></details>
|
||||
@@ -57,6 +58,7 @@
|
||||
- OpenVPN can run *without root* but this disallows OpenVPN reconnecting, it can be set with `NONROOT=yes`
|
||||
- **ARM** compatible
|
||||
- Port forwarding
|
||||
- HTTP proxy for LAN devices
|
||||
|
||||
## Setup
|
||||
|
||||
@@ -124,6 +126,8 @@
|
||||
|
||||
Note that you can change all the [environment variables](#environment-variables).
|
||||
|
||||
If you want to use the **HTTP proxy**, add `-p 8888:8888/tcp` so that it is accessible from LAN devices.
|
||||
|
||||
## Testing
|
||||
|
||||
Check the PIA IP address matches your expectations
|
||||
@@ -148,6 +152,10 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
|
||||
| `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
|
||||
| `FIREWALL` | `on` | `on` or `off`, to switch the internal killswitch firewall (should be left `on`) |
|
||||
| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
|
||||
| `PROXY` | `on` | `on` or `off`, to switch the internal HTTP proxy |
|
||||
| `PROXY_LOG_LEVEL` | `Critical` | `Info`, `Warning`, `Error` or `Critical` |
|
||||
| `PROXY_USER` | | Username to use to connect to the HTTP proxy |
|
||||
| `PROXY_PASSWORD` | | Passsword to use to connect to the HTTP proxy |
|
||||
|
||||
## Connect to it
|
||||
|
||||
@@ -331,9 +339,20 @@ There are various ways to achieve this, depending on your use case.
|
||||
```
|
||||
|
||||
</p></details>
|
||||
- <details><summary>Connect to the PIA through an HTTP proxy (i.e. with Firefox)</summary><p>
|
||||
- <details><summary>Connect to the PIA through an HTTP proxy (i.e. with Chrome, Kodi, etc.)</summary><p>
|
||||
|
||||
*This is in progress, using Tiny Proxy, thanks for waiting !*
|
||||
1. Setup a HTTP proxy client, such as [SwitchyOmega for Chrome](https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en)
|
||||
1. Make sure the PIA container:
|
||||
- Has port 8888 published `-p 8888:8888/tcp`
|
||||
- **Has your LAN** in `EXTRA_SUBNETS`
|
||||
1. With your HTTP proxy client, connect to the Docker host (i.e. `192.168.1.10`) on port `8888`. You might need to enter your credentials if you set them with the environment variables `PROXY_USER` and `PROXY_PASSWORD`.
|
||||
1. If you set `PROXY_LOG_LEVEL` to `Info`, you can check the log output of tinyproxy with:
|
||||
|
||||
```sh
|
||||
docker exec -it pia cat /var/log/tinyproxy/tinyproxy.log
|
||||
```
|
||||
|
||||
`PROXY_LOG_LEVEL` defaults to `Critical` to avoid logging everything, for privacy purposes as well as to save storage.
|
||||
|
||||
</p></details>
|
||||
|
||||
@@ -365,8 +384,6 @@ Note that not all regions support port forwarding.
|
||||
|
||||
## TODOs
|
||||
|
||||
- [ ] Tiny proxy for LAN devices to use the container
|
||||
|
||||
## License
|
||||
|
||||
This repository is under an [MIT license](https://github.com/qdm12/private-internet-access-docker/master/license)
|
||||
|
||||
@@ -10,6 +10,8 @@ services:
|
||||
- /dev/net/tun
|
||||
network_mode: bridge
|
||||
init: true
|
||||
ports:
|
||||
- 8888:8888/tcp
|
||||
environment:
|
||||
- USER=js89ds7
|
||||
- PASSWORD=8fd9s239G
|
||||
|
||||
@@ -49,6 +49,7 @@ printf " == by github.com/qdm12 - Quentin McGaw ==\n\n"
|
||||
printf "OpenVPN version: $(openvpn --version | head -n 1 | grep -oE "OpenVPN [0-9\.]* " | cut -d" " -f2)\n"
|
||||
printf "Unbound version: $(unbound -h | grep "Version" | cut -d" " -f2)\n"
|
||||
printf "Iptables version: $(iptables --version | cut -d" " -f2)\n"
|
||||
printf "TinyProxy version: $(tinyproxy -v | cut -d" " -f2)\n"
|
||||
|
||||
############################################
|
||||
# CHECK PARAMETERS
|
||||
@@ -79,6 +80,15 @@ if [ "$DOT" == "off" ]; then
|
||||
fi
|
||||
fi
|
||||
exitIfNotIn FIREWALL "on,off"
|
||||
exitIfNotIn PROXY "on,off"
|
||||
exitIfNotIn PROXY_LOG_LEVEL "Info,Warning,Error,Critical"
|
||||
if [ ! -z "$PROXY_USER" ] && [ -z "$PROXY_PASSWORD" ]; then
|
||||
printf "PROXY_USER is set but PROXY_PASSWORD is unset\n"
|
||||
exit 1
|
||||
elif [ -z "$PROXY_USER" ] && [ ! -z "$PROXY_PASSWORD" ]; then
|
||||
printf "PROXY_USER is unset but PROXY_PASSWORD is set\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#####################################################
|
||||
# Writes to protected file and remove USER, PASSWORD
|
||||
@@ -274,6 +284,24 @@ if [ "$FIREWALL" == "on" ]; then
|
||||
printf "DONE\n"
|
||||
fi
|
||||
|
||||
############################################
|
||||
# TINYPROXY LAUNCH
|
||||
############################################
|
||||
printf "HTTP proxy is $PROXY\n"
|
||||
if [ "$PROXY" == "on" ]; then
|
||||
printf "Setting TinyProxy log level to $PROXY_LOG_LEVEL\n"
|
||||
sed -i "/LogLevel /c\LogLevel $PROXY_LOG_LEVEL" /etc/tinyproxy/tinyproxy.conf
|
||||
if [ ! -z "$PROXY_USER" ]; then
|
||||
printf "Setting TinyProxy credentials\n"
|
||||
echo "BasicAuth $PROXY_USER $PROXY_PASSWORD" >> /etc/tinyproxy/tinyproxy.conf
|
||||
unset -v PROXY_USER
|
||||
unset -v PROXY_PASSWORD
|
||||
fi
|
||||
printf "Starting HTTP proxy TinyProxy\n"
|
||||
tinyproxy
|
||||
exitOnError $?
|
||||
fi
|
||||
|
||||
############################################
|
||||
# OPENVPN LAUNCH
|
||||
############################################
|
||||
|
||||
17
tinyproxy.conf
Normal file
17
tinyproxy.conf
Normal file
@@ -0,0 +1,17 @@
|
||||
User tinyproxy
|
||||
Group tinyproxy
|
||||
Port 8888
|
||||
Timeout 600
|
||||
DefaultErrorFile "/usr/share/tinyproxy/default.html"
|
||||
MaxClients 100
|
||||
MinSpareServers 5
|
||||
MaxSpareServers 20
|
||||
StartServers 10
|
||||
MaxRequestsPerChild 0
|
||||
DisableViaHeader Yes
|
||||
LogFile "/var/log/tinyproxy/tinyproxy.log"
|
||||
LogLevel Critical
|
||||
# BasicAuth user password
|
||||
|
||||
# StatFile "/usr/share/tinyproxy/stats.html"
|
||||
# ViaProxyName "tinyproxy"
|
||||
Reference in New Issue
Block a user