
Commit 00f9b1b

committed
HTTPS on proxy servers
Fixes #3
1 parent 99177b0 commit 00f9b1b


9 files changed

+185
-91
lines changed


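--- a/cloudproxy/check.py
+++ b/cloudproxy/check.py
@@ -27,17 +27,17 @@ def requests_retry_session(
 def fetch_ip(ip_address):
 if settings.config["no_auth"]:
 proxies = {
-"http": "http://" + ip_address + ":8899",
-"https": "http://" + ip_address + ":8899",
+"http": "https://" + ip_address + ":8899",
+"https": "https://" + ip_address + ":8899",
 }
 else:
 auth = (
 settings.config["auth"]["username"] + ":" + settings.config["auth"]["password"]
 )
 
 proxies = {
-"http": "http://" + auth + "@" + ip_address + ":8899",
-"https": "http://" + auth + "@" + ip_address + ":8899",
+"http": "https://" + auth + "@" + ip_address + ":8899",
+"https": "https://" + auth + "@" + ip_address + ":8899",
 }
 
 s = requests.Session()
@@ -51,7 +51,7 @@ def fetch_ip(ip_address):
 
 def check_alive(ip_address):
 try:
-result = requests.get("http://ipecho.net/plain", proxies={'http': "http://" + ip_address + ":8899"}, timeout=10)
+result = requests.get("https://ipecho.net/plain", proxies={'http': "https://" + ip_address + ":8899", 'https': "https://" + ip_address + ":8899"}, timeout=10)
 if result.status_code in (200, 407):
 return True
 else: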
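Review bot: Dialling the proxy as `https://<ip>:8899` means `requests` (via urllib3, as far as I know) TLS-verifies the proxy's own certificate before sending CONNECT, and user_data.sh provisions a self-signed `CN=cloudproxy` certificate with no SAN for the instance IP, so with default settings both `fetch_ip` and `check_alive` should fail the handshake and mark every proxy dead. If the fix that follows is `verify=False`, the checks would then also silently accept the origin certificates that the proxy's `ssl_bump bump all` mints for `ipecho.net`, i.e. a full MITM; the safer route is to hand the proxy certificate to the client and pass it explicitly, e.g. `verify=<path to squid.pem>`, and to put the instance IP in that certificate's SAN. `check_alive` also keeps treating 407 as alive, which now masks a proxy whose password file was never created. `fetch_ip`'s body continues past the end of the first hunk.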

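--- a/cloudproxy/main.py
+++ b/cloudproxy/main.py
@@ -149,8 +149,8 @@ def set_url(cls, v, info):
 ip = str(values.get('ip'))
 port = values.get('port', 8899)
 if values.get('auth_enabled'):
-return f"http://{settings.config['auth']['username']}:{settings.config['auth']['password']}@{ip}:{port}"
-return f"http://{ip}:{port}"
+return f"https://{settings.config['auth']['username']}:{settings.config['auth']['password']}@{ip}:{port}"
+return f"https://{ip}:{port}"
 
 class ProxyList(BaseModel):
 metadata: Metadata = Field(default_factory=Metadata)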
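Review bot: The username and password are interpolated into the URL unescaped, so a password containing `@`, `:`, `/` or `#` produces a URL that parses to the wrong host or the wrong credentials; escape both with `urllib.parse.quote(value, safe="")` first, e.g. `return f"https://{quote(username, safe='')}:{quote(password, safe='')}@{ip}:{port}"` with the two values read into locals on the lines above. The returned URL now also commits every consumer to trusting the self-signed certificate that user_data.sh generates, which deserves a sentence in the field's docstring. `set_url`'s signature is only visible in the hunk header, so the surrounding validator is outside this view.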

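--- a/cloudproxy/providers/config.py
+++ b/cloudproxy/providers/config.py
@@ -12,10 +12,11 @@ def set_auth(username, password):
 filedata = file.read()
 
 if settings.config["no_auth"]:
-# Remove auth configuration for tinyproxy
-filedata = filedata.replace('\nBasicAuth PROXY_USERNAME PROXY_PASSWORD\n', '\n')
+# Remove auth configuration for Squid
+filedata = filedata.replace('acl authenticated proxy_auth REQUIRED\nhttp_access allow authenticated', 'http_access allow all')
+filedata = filedata.replace('# Create password file\nsudo touch /etc/squid/passwd\nsudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD\n', '')
 else:
-# Replace username and password in tinyproxy config
+# Replace username and password in Squid config
 filedata = filedata.replace("PROXY_USERNAME", username)
 filedata = filedata.replace("PROXY_PASSWORD", password)
 
@@ -24,7 +25,8 @@ def set_auth(username, password):
 # Update UFW rules
 filedata = filedata.replace("sudo ufw allow 22/tcp", f"sudo ufw allow from {ip_address} to any port 22 proto tcp")
 filedata = filedata.replace("sudo ufw allow 8899/tcp", f"sudo ufw allow from {ip_address} to any port 8899 proto tcp")
-# Update tinyproxy access rule
-filedata = filedata.replace("Allow 127.0.0.1", f"Allow 127.0.0.1\nAllow {ip_address}")
+# Update Squid access rule for specific IP
+filedata = filedata.replace("# Allow localhost", f"# Allow localhost and specific IP\nacl allowed_ip src {ip_address}")
+filedata = filedata.replace("http_access allow localhost", f"http_access allow localhost\nhttp_access allow allowed_ip")
 
 return filedata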
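Review bot: In the `no_auth` branch the `acl authenticated … / http_access allow authenticated` pair is replaced in place with `http_access allow all`, which in the template sits above `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; Squid applies the first matching `http_access` line, so those port restrictions become dead and anyone who can reach 8899 gets an open proxy to every port (the same ordering already lets `allow authenticated` bypass them). Replace the auth pair with `''` and turn the template's final `http_access deny all` into `http_access allow all` instead, so the deny rules still run first. The second hunk's `replace("http_access allow localhost", …)` also matches `http_access allow localhost manager` and yields `http_access allow allowed_ip manager`, exposing the cache-manager interface to the allowed IP; anchoring on `"http_access allow localhost\n"` avoids that. Lastly, `username`/`password` are substituted into an unquoted `sudo htpasswd -b -c … PROXY_USERNAME PROXY_PASSWORD` shell line that cloud-init runs as root, so a value with whitespace, `;` or `$(` breaks or injects into the script — substitute `shlex.quote(username)` and `shlex.quote(password)`. `set_auth` begins before the first hunk.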

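--- a/cloudproxy/providers/user_data.sh
+++ b/cloudproxy/providers/user_data.sh
@@ -2,40 +2,80 @@
 
 # Update package list and install required packages
 sudo apt-get update
-sudo apt-get install -y ca-certificates tinyproxy
-
-# Configure tinyproxy
-sudo cat > /etc/tinyproxy/tinyproxy.conf << EOF
-User tinyproxy
-Group tinyproxy
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-MinSpareServers 5
-MaxSpareServers 20
-StartServers 10
-MaxRequestsPerChild 0
-Allow 127.0.0.1
-ViaProxyName "tinyproxy"
-ConnectPort 443
-ConnectPort 563
-BasicAuth PROXY_USERNAME PROXY_PASSWORD
+sudo apt-get install -y ca-certificates squid ssl-cert
+
+# Create self-signed SSL certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+-subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << EOF
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Allow localhost
+http_access allow localhost manager
+http_access allow localhost
+
+# SSL Bump rules
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Cache settings
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+visible_hostname cloudproxy
 EOF
 
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD
+
 # Setup firewall
 sudo ufw default deny incoming
 sudo ufw allow 22/tcp
 sudo ufw allow 8899/tcp
 sudo ufw --force enable
 
 # Enable and start service
-sudo systemctl enable tinyproxy
-sudo systemctl restart tinyproxy
+sudo systemctl enable squid
+sudo systemctl restart squid
 
 # Wait for service to start
 sleep 5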
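Review bot: The clients in check.py and main.py now open TLS to the proxy (`https://<ip>:8899`), but `http_port 8899 ssl-bump …` is still a plaintext HTTP listener — in Squid the TLS-wrapped proxy port is `https_port`, so the handshake should fail against this config; what "HTTPS on proxy" needs is `https_port 8899 cert=/etc/squid/ssl/squid.pem` (`tls-cert=` on newer Squid, if I recall correctly) with no `ssl-bump` options. `ssl_bump bump all` is a separate capability: it MITMs every CONNECT tunnel and re-signs origin certificates with the self-signed key in squid.pem, so the proxy host can read all forwarded HTTPS traffic and clients must trust that CA or disable verification; it also appears to need an initialised `security_file_certgen` database and an OpenSSL-built Squid (on Debian/Ubuntu that is the `squid-openssl` package rather than `squid`, as far as I know), neither of which this script sets up, so dropping the three `ssl_bump` lines and `acl step1` removes both the risk and the fragility. `htpasswd` ships in `apache2-utils`, which is not installed, so `/etc/squid/passwd` stays empty and every authenticated request gets a 407 that check.py counts as alive: `sudo apt-get install -y ca-certificates squid ssl-cert apache2-utils`. Also, `http_access allow authenticated` precedes `http_access deny !Safe_ports` and `deny CONNECT !SSL_ports`; Squid takes the first matching rule, so those restrictions never apply to authenticated clients — move the allow below the two deny lines.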

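--- a/tests/test_check.py
+++ b/tests/test_check.py
@@ -120,8 +120,8 @@ def test_check_alive_success(mock_get):
 # Verify
 assert result is True
 mock_get.assert_called_once_with(
-"http://ipecho.net/plain",
-proxies={'http': "http://10.0.0.1:8899"},
+"https://ipecho.net/plain",
+proxies={'http': "https://10.0.0.1:8899", 'https': "https://10.0.0.1:8899"},
 timeout=10
 )
 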

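--- a/tests/test_check_multi_account.py
+++ b/tests/test_check_multi_account.py
@@ -81,9 +81,9 @@ def test_check_alive_for_different_instances(mock_requests_get, mock_proxy_data)
 assert result is True, f"check_alive for {proxy['ip']} from {proxy['provider']}/{proxy['instance']} should return True"
 
 # Verify correct proxy was used in the request
-expected_proxy = {'http': f'http://{proxy["ip"]}:8899'}
+expected_proxy = {'http': f'https://{proxy["ip"]}:8899', 'https': f'https://{proxy["ip"]}:8899'}
 mock_requests_get.assert_called_with(
-"http://ipecho.net/plain",
+"https://ipecho.net/plain",
 proxies=expected_proxy,
 timeout=10
 )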

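--- a/tests/test_providers_config.py
+++ b/tests/test_providers_config.py
@@ -7,30 +7,42 @@
 
 # Create a mock user data script that represents the content of user_data.sh
 MOCK_USER_DATA = """#!/bin/bash
-# Install Tinyproxy
+# Install Squid with SSL
 sudo apt-get update
-sudo apt-get install -y tinyproxy ufw
-
-# Configure Tinyproxy
-sudo mv /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.bak
-sudo bash -c "cat > /etc/tinyproxy/tinyproxy.conf" << 'EOL'
-User nobody
-Group nogroup
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatHost "127.0.0.1"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-Allow 127.0.0.1
-
-BasicAuth PROXY_USERNAME PROXY_PASSWORD
-
-ConnectPort 443
-ConnectPort 563
+sudo apt-get install -y squid ssl-cert
+
+# Create self-signed certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+-subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << 'EOL'
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 443 # https
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Allow localhost
+http_access allow localhost
+
+# SSL Bump rules
+ssl_bump bump all
+
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD
 EOL
 
 # Configure firewall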
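Review bot: The fixture has drifted from the real template in ways that hide the rules `set_auth` rewrites: the `# Create password file` block sits inside the heredoc (before `EOL`) rather than after it, `http_access allow localhost manager`, `http_access deny !Safe_ports` and `http_access deny all` are absent, so a test running against this string cannot observe that the `no_auth` substitution places `allow all` above the deny rules or that the `allow localhost` replacement also hits the `manager` line. Reading `cloudproxy/providers/user_data.sh` from disk in the fixture, e.g. `MOCK_USER_DATA = Path(__file__).parent.parent.joinpath("cloudproxy/providers/user_data.sh").read_text()`, would keep the tests honest as the template evolves. The trailing `# Install Squid with SSL` comment is also slightly misleading while the fixture still installs only `squid ssl-cert` and not `apache2-utils`.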

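--- a/tests/test_proxy_model.py
+++ b/tests/test_proxy_model.py
@@ -84,7 +84,7 @@ def test_proxy_address_url_with_auth():
 print(f"Auth config: {settings.config.get('auth', {})}")
 
 # Manually set the expected URL
-expected_url = f"http://testuser:testpass@192.168.1.1:8899"
+expected_url = f"https://testuser:testpass@192.168.1.1:8899"
 
 # Create the proxy object with the URL set explicitly
 proxy = ProxyAddress(
@@ -109,7 +109,7 @@ def test_proxy_address_url_with_auth():
 def test_proxy_address_url_without_auth():
 """Test that the URL field doesn't include authentication when auth_enabled is False."""
 # Manually set the expected URL
-expected_url = "http://192.168.1.1:8899"
+expected_url = "https://192.168.1.1:8899"
 
 proxy = ProxyAddress(
 ip="192.168.1.1",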

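--- a/tests/test_user_data.sh
+++ b/tests/test_user_data.sh
@@ -2,40 +2,80 @@
 
 # Update package list and install required packages
 sudo apt-get update
-sudo apt-get install -y ca-certificates tinyproxy
-
-# Configure tinyproxy
-sudo cat > /etc/tinyproxy/tinyproxy.conf << EOF
-User tinyproxy
-Group tinyproxy
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-MinSpareServers 5
-MaxSpareServers 20
-StartServers 10
-MaxRequestsPerChild 0
-Allow 127.0.0.1
-ViaProxyName "tinyproxy"
-ConnectPort 443
-ConnectPort 563
-BasicAuth testingusername testinguserpassword
+sudo apt-get install -y ca-certificates squid ssl-cert
+
+# Create self-signed SSL certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+-subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << EOF
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Allow localhost
+http_access allow localhost manager
+http_access allow localhost
+
+# SSL Bump rules
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Cache settings
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+visible_hostname cloudproxy
 EOF
 
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd testingusername testinguserpassword
+
 # Setup firewall
 sudo ufw default deny incoming
 sudo ufw allow 22/tcp
 sudo ufw allow 8899/tcp
 sudo ufw --force enable
 
 # Enable and start service
-sudo systemctl enable tinyproxy
-sudo systemctl restart tinyproxy
+sudo systemctl enable squid
+sudo systemctl restart squid
 
 # Wait for service to start
 sleep 5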
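Review bot: This file is a hand-maintained copy of `cloudproxy/providers/user_data.sh` with `testingusername`/`testinguserpassword` substituted, so it inherits the same problems — `http_port 8899 ssl-bump …` is a plaintext listener while the clients now dial `https://`, `htpasswd` needs the uninstalled `apache2-utils`, and `http_access allow authenticated` precedes the port deny rules — and it will silently diverge the next time the template changes. Generating the expected output in the test by running `set_auth("testingusername", "testinguserpassword")` over the real template would remove the duplicate; if a static fixture is preferred, a header comment such as `# Generated from cloudproxy/providers/user_data.sh — keep in sync` should at least flag it.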
