sslbump: rootless (#125)

sslbump: shell script instead of long cmd add 'ssl-bump' image test add access_for_localnet for image test allow_all instead of localnet for test change test conf fix test compose
2024-01-23 22:45:13 +03:00 · 2024-01-23 22:45:13 +03:00 · 12abc8228d
parent 3ceca4d5f2
commit 12abc8228d
5 changed files with 58 additions and 5 deletions
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@ -65,13 +65,38 @@ jobs:
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Test image
-        run: docker compose -f docker-compose.test.yml up --pull never sut
+        run: |
+          set -ex
+          docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down

-      - name: Build 'ssl-bump' image     
+      - name: set base image for 'ssl-bump'
        run: |
          sed -i "s%FROM b4tman/squid%FROM $TEST_TAG%" ssl-bump/Dockerfile
-          docker build ssl-bump
+      
+      - name: Build 'ssl-bump' image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.TEST_TAG }}-ssl-bump
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          
+      - name: Test 'ssl-bump' image
+        run: |
+          set -ex
+          TEST_TAG="${TEST_TAG}-ssl-bump" docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
  push:
    needs: test
    runs-on: ubuntu-20.04
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@ -2,6 +2,8 @@ version: '2.3'
 services:
  proxy:
    image: "${TEST_TAG}"
+    volumes:
+      - './test_localnet.conf:/etc/squid/conf.d/test_localnet.conf:ro'
    healthcheck:
      test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"]
      interval: 5s
--- a/ssl-bump/Dockerfile
+++ b/ssl-bump/Dockerfile
@ -1,4 +1,5 @@
 FROM b4tman/squid

-USER root
-CMD ["sh", "-c", "(test -d /var/cache/squid/ssl_db || /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB) && /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
+COPY run.sh /
+
+CMD ["/run.sh"]
--- a/ssl-bump/run.sh
+++ b/ssl-bump/run.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# init ssl_db
+if [ ! -d /var/cache/squid/ssl_db ]; then
+	/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1
--- a/test_localnet.conf
+++ b/test_localnet.conf
@ -0,0 +1,11 @@
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8            # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12         # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16                # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7              # RFC 4193 local private network range
+acl localnet1 src fe80::/10             # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager