HTTPS on proxy servers

claffin · claffin · commit 00f9b1b2696e · 2025-02-26T08:08:39.000Z
Fixes #3
diff --git a/cloudproxy/check.py b/cloudproxy/check.py
@@ -27,17 +27,17 @@ def requests_retry_session(
 def fetch_ip(ip_address):
     if settings.config["no_auth"]:
         proxies = {
-            "http": "http://" + ip_address + ":8899",
-            "https": "http://" + ip_address + ":8899",
+            "http": "https://" + ip_address + ":8899",
+            "https": "https://" + ip_address + ":8899",
         }
     else:
         auth = (
             settings.config["auth"]["username"] + ":" + settings.config["auth"]["password"]
         )
 
         proxies = {
-            "http": "http://" + auth + "@" + ip_address + ":8899",
-            "https": "http://" + auth + "@" + ip_address + ":8899",
+            "http": "https://" + auth + "@" + ip_address + ":8899",
+            "https": "https://" + auth + "@" + ip_address + ":8899",
         }
     
     s = requests.Session()
@@ -51,7 +51,7 @@ def fetch_ip(ip_address):
 
 def check_alive(ip_address):
     try:
-        result = requests.get("http://ipecho.net/plain", proxies={'http': "http://" + ip_address + ":8899"}, timeout=10)
+        result = requests.get("https://ipecho.net/plain", proxies={'http': "https://" + ip_address + ":8899", 'https': "https://" + ip_address + ":8899"}, timeout=10)
         if result.status_code in (200, 407):
             return True
         else:
diff --git a/cloudproxy/main.py b/cloudproxy/main.py
@@ -149,8 +149,8 @@ def set_url(cls, v, info):
         ip = str(values.get('ip'))
         port = values.get('port', 8899)
         if values.get('auth_enabled'):
-            return f"http://{settings.config['auth']['username']}:{settings.config['auth']['password']}@{ip}:{port}"
-        return f"http://{ip}:{port}"
+            return f"https://{settings.config['auth']['username']}:{settings.config['auth']['password']}@{ip}:{port}"
+        return f"https://{ip}:{port}"
 
 class ProxyList(BaseModel):
     metadata: Metadata = Field(default_factory=Metadata)
diff --git a/cloudproxy/providers/config.py b/cloudproxy/providers/config.py
@@ -12,10 +12,11 @@ def set_auth(username, password):
         filedata = file.read()
 
     if settings.config["no_auth"]:
-        # Remove auth configuration for tinyproxy
-        filedata = filedata.replace('\nBasicAuth PROXY_USERNAME PROXY_PASSWORD\n', '\n')
+        # Remove auth configuration for Squid
+        filedata = filedata.replace('acl authenticated proxy_auth REQUIRED\nhttp_access allow authenticated', 'http_access allow all')
+        filedata = filedata.replace('# Create password file\nsudo touch /etc/squid/passwd\nsudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD\n', '')
     else:
-        # Replace username and password in tinyproxy config
+        # Replace username and password in Squid config
         filedata = filedata.replace("PROXY_USERNAME", username)
         filedata = filedata.replace("PROXY_PASSWORD", password)
 
@@ -24,7 +25,8 @@ def set_auth(username, password):
         # Update UFW rules
         filedata = filedata.replace("sudo ufw allow 22/tcp", f"sudo ufw allow from {ip_address} to any port 22 proto tcp")
         filedata = filedata.replace("sudo ufw allow 8899/tcp", f"sudo ufw allow from {ip_address} to any port 8899 proto tcp")
-        # Update tinyproxy access rule
-        filedata = filedata.replace("Allow 127.0.0.1", f"Allow 127.0.0.1\nAllow {ip_address}")
+        # Update Squid access rule for specific IP
+        filedata = filedata.replace("# Allow localhost", f"# Allow localhost and specific IP\nacl allowed_ip src {ip_address}")
+        filedata = filedata.replace("http_access allow localhost", f"http_access allow localhost\nhttp_access allow allowed_ip")
 
     return filedata
diff --git a/cloudproxy/providers/user_data.sh b/cloudproxy/providers/user_data.sh
@@ -2,40 +2,80 @@
 
 # Update package list and install required packages
 sudo apt-get update
-sudo apt-get install -y ca-certificates tinyproxy
-
-# Configure tinyproxy
-sudo cat > /etc/tinyproxy/tinyproxy.conf << EOF
-User tinyproxy
-Group tinyproxy
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-MinSpareServers 5
-MaxSpareServers 20
-StartServers 10
-MaxRequestsPerChild 0
-Allow 127.0.0.1
-ViaProxyName "tinyproxy"
-ConnectPort 443
-ConnectPort 563
-BasicAuth PROXY_USERNAME PROXY_PASSWORD
+sudo apt-get install -y ca-certificates squid ssl-cert
+
+# Create self-signed SSL certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+    -subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << EOF
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered ports
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Allow localhost
+http_access allow localhost manager
+http_access allow localhost
+
+# SSL Bump rules
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Cache settings
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
+visible_hostname cloudproxy
 EOF
 
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD
+
 # Setup firewall
 sudo ufw default deny incoming
 sudo ufw allow 22/tcp
 sudo ufw allow 8899/tcp
 sudo ufw --force enable
 
 # Enable and start service
-sudo systemctl enable tinyproxy
-sudo systemctl restart tinyproxy
+sudo systemctl enable squid
+sudo systemctl restart squid
 
 # Wait for service to start
 sleep 5
diff --git a/tests/test_check.py b/tests/test_check.py
@@ -120,8 +120,8 @@ def test_check_alive_success(mock_get):
     # Verify
     assert result is True
     mock_get.assert_called_once_with(
-        "http://ipecho.net/plain", 
-        proxies={'http': "http://10.0.0.1:8899"}, 
+        "https://ipecho.net/plain", 
+        proxies={'http': "https://10.0.0.1:8899", 'https': "https://10.0.0.1:8899"}, 
         timeout=10
     )
 
diff --git a/tests/test_check_multi_account.py b/tests/test_check_multi_account.py
@@ -81,9 +81,9 @@ def test_check_alive_for_different_instances(mock_requests_get, mock_proxy_data)
         assert result is True, f"check_alive for {proxy['ip']} from {proxy['provider']}/{proxy['instance']} should return True"
         
         # Verify correct proxy was used in the request
-        expected_proxy = {'http': f'http://{proxy["ip"]}:8899'}
+        expected_proxy = {'http': f'https://{proxy["ip"]}:8899', 'https': f'https://{proxy["ip"]}:8899'}
         mock_requests_get.assert_called_with(
-            "http://ipecho.net/plain", 
+            "https://ipecho.net/plain", 
             proxies=expected_proxy, 
             timeout=10
         )
diff --git a/tests/test_providers_config.py b/tests/test_providers_config.py
@@ -7,30 +7,42 @@
 
 # Create a mock user data script that represents the content of user_data.sh
 MOCK_USER_DATA = """#!/bin/bash
-# Install Tinyproxy
+# Install Squid with SSL
 sudo apt-get update
-sudo apt-get install -y tinyproxy ufw
-
-# Configure Tinyproxy
-sudo mv /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.bak
-sudo bash -c "cat > /etc/tinyproxy/tinyproxy.conf" << 'EOL'
-User nobody
-Group nogroup
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatHost "127.0.0.1"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-Allow 127.0.0.1
-
-BasicAuth PROXY_USERNAME PROXY_PASSWORD
-
-ConnectPort 443
-ConnectPort 563
+sudo apt-get install -y squid ssl-cert
+
+# Create self-signed certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+    -subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << 'EOL'
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Allow localhost
+http_access allow localhost
+
+# SSL Bump rules
+ssl_bump bump all
+
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd PROXY_USERNAME PROXY_PASSWORD
 EOL
 
 # Configure firewall
diff --git a/tests/test_proxy_model.py b/tests/test_proxy_model.py
@@ -84,7 +84,7 @@ def test_proxy_address_url_with_auth():
     print(f"Auth config: {settings.config.get('auth', {})}")
     
     # Manually set the expected URL
-    expected_url = f"http://testuser:testpass@192.168.1.1:8899"
+    expected_url = f"https://testuser:testpass@192.168.1.1:8899"
     
     # Create the proxy object with the URL set explicitly
     proxy = ProxyAddress(
@@ -109,7 +109,7 @@ def test_proxy_address_url_with_auth():
 def test_proxy_address_url_without_auth():
     """Test that the URL field doesn't include authentication when auth_enabled is False."""
     # Manually set the expected URL
-    expected_url = "http://192.168.1.1:8899"
+    expected_url = "https://192.168.1.1:8899"
     
     proxy = ProxyAddress(
         ip="192.168.1.1",
diff --git a/tests/test_user_data.sh b/tests/test_user_data.sh
@@ -2,40 +2,80 @@
 
 # Update package list and install required packages
 sudo apt-get update
-sudo apt-get install -y ca-certificates tinyproxy
-
-# Configure tinyproxy
-sudo cat > /etc/tinyproxy/tinyproxy.conf << EOF
-User tinyproxy
-Group tinyproxy
-Port 8899
-Timeout 600
-DefaultErrorFile "/usr/share/tinyproxy/default.html"
-StatFile "/usr/share/tinyproxy/stats.html"
-LogFile "/var/log/tinyproxy/tinyproxy.log"
-LogLevel Info
-PidFile "/run/tinyproxy/tinyproxy.pid"
-MaxClients 100
-MinSpareServers 5
-MaxSpareServers 20
-StartServers 10
-MaxRequestsPerChild 0
-Allow 127.0.0.1
-ViaProxyName "tinyproxy"
-ConnectPort 443
-ConnectPort 563
-BasicAuth testingusername testinguserpassword
+sudo apt-get install -y ca-certificates squid ssl-cert
+
+# Create self-signed SSL certificate
+sudo mkdir -p /etc/squid/ssl
+cd /etc/squid/ssl
+sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem \
+    -subj "/C=US/ST=State/L=City/O=Organization/CN=cloudproxy"
+sudo chmod 400 squid.pem
+
+# Configure squid
+sudo cat > /etc/squid/squid.conf << EOF
+# Basic settings
+http_port 8899 ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Access controls
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered ports
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+
+# Authentication
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic realm Proxy
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Allow localhost
+http_access allow localhost manager
+http_access allow localhost
+
+# SSL Bump rules
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Cache settings
+cache_dir ufs /var/spool/squid 100 16 256
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
+visible_hostname cloudproxy
 EOF
 
+# Create password file
+sudo touch /etc/squid/passwd
+sudo htpasswd -b -c /etc/squid/passwd testingusername testinguserpassword
+
 # Setup firewall
 sudo ufw default deny incoming
 sudo ufw allow 22/tcp
 sudo ufw allow 8899/tcp
 sudo ufw --force enable
 
 # Enable and start service
-sudo systemctl enable tinyproxy
-sudo systemctl restart tinyproxy
+sudo systemctl enable squid
+sudo systemctl restart squid
 
 # Wait for service to start
 sleep 5
