silarsis / docker-proxy
Transparent proxy for docker containers, run in a docker container
License: Apache License 2.0
i installed this on my work machine when i was tinkering with docker dns stuff, but now it binds to all the ports i need when i start docker and i'm not sure how to get rid of it.
an attempt to find the executable using ll /proc/$(ps aux | grep docker-proxy | head -n 1 | cut -d ' ' -f 7)/exe just shows the docker executable
this is killing me, any ideas?
I understand that this project does not primarily target docker deployments that are behind boot2docker. However, it would be incredibly useful if it could :-)
I tried to run it, but I have an issue with iptables:
root@boot2docker:/mnt/sda1/var/lib/boot2docker/docker-proxy# ./run.sh
Uploading context 504.3 kB
Uploading context
Step 0 : FROM silarsis/base
---> d78443c9993f
Step 1 : MAINTAINER Kevin Littlejohn <[email protected]>
---> Using cache
---> b2313d309b50
Step 2 : RUN apt-get -yq update
---> Running in 3b6f2a71bf69
---> c8e44f2f6744
Removing intermediate container 3b6f2a71bf69
Step 3 : RUN apt-get -yq install squid iptables
---> Running in e21f974d3c0b
---> dc3f0c8b2812
Removing intermediate container e21f974d3c0b
Step 4 : ADD squid.conf /etc/squid3/squid.conf
---> e16b84e92822
Removing intermediate container e65d993e3c64
Step 5 : ADD start_squid.sh /usr/local/bin/start_squid.sh
---> d89b7455ff31
Removing intermediate container 1f67371c6516
Step 6 : EXPOSE 3128
---> Running in d07a4bb1d1fe
---> c4f54c81632d
Removing intermediate container d07a4bb1d1fe
Step 7 : CMD ["/usr/local/bin/start_squid.sh"]
---> Running in 0895e1196938
---> e8aef7262148
Removing intermediate container 0895e1196938
Successfully built e8aef7262148
Error: argument "TRANSPROXY" is wrong: invalid table ID
The problem is with the following command:
sudo ip route add default via ${IPADDR} dev docker0 table TRANSPROXY
I updated the path for the rt_tables to point to /usr/local/etc/rt_tables which seems to be the default one on the tiny core linux.
Any suggestions?
trap not execute on debian with /bin/sh link to /bin/dash
workaround: create link /bin/sh to /bin/bash
Greetings
When I run the command 'sudo docker build -t docker-proxy .', it fails because it can't reach index.docker.io through our corporate proxy.
This is the problem I am trying to solve using docker-proxy! (Accessing internet using docker containers.).
I may be missing something simple.
How do I get past this?
Thanks
pj
Would you mind adding the link to docker hub on this project description? It would make it easier for us to go back and forth between github and hub.
and kudos for making this docker image public
Line 8 in ca22003
To be more concise I would use IMAGE_NAME instead of CONTAINER_NAME in the beginning of this script.
Hi there,
I'm trying to test your module in an Ubuntu 16.04 virtual machine.
When I run "sudo docker build -t docker-proxy", it hangs for a while and then I get this:
Err http://archive.ubuntu.com trusty InRelease
Err http://archive.ubuntu.com trusty-updates InRelease
Err http://archive.ubuntu.com trusty-security InRelease
Err http://archive.ubuntu.com trusty Release.gpg
Could not resolve 'archive.ubuntu.com'
Err http://archive.ubuntu.com trusty-updates Release.gpg
Could not resolve 'archive.ubuntu.com'
Err http://archive.ubuntu.com trusty-security Release.gpg
Could not resolve 'archive.ubuntu.com'
Reading package lists...
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/InRelease
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/InRelease
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/InRelease
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg Could not resolve 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/Release.gpg Could not resolve 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/Release.gpg Could not resolve 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
Package dpkg-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Unable to locate package build-essential
E: Unable to locate package curl
E: Package 'dpkg-dev' has no installation candidate
E: Unable to locate package iptables
E: Unable to locate package libssl-dev
E: Unable to locate package patch
E: Unable to locate package squid-langpack
E: Unable to locate package ssl-cert
The command '/bin/sh -c export DEBIAN_FRONTEND=noninteractive TERM=linux && apt-get update && apt-get install -y --no-install-recommends build-essential curl dpkg-dev iptables libssl-dev patch squid-langpack ssl-cert && apt-get source -y squid3 squid-langpack && apt-get build-dep -y squid3 squid-langpack' returned a non-zero code: 100
I have configured proper proxy settings in /etc/systemd/system/docker.service.d and I am able to download other images, as well as access the web from my VM. Do you think this could be a connection issue on my VM or something else is wrong?
The title of this issue might be a bit misleading, but I don't know exactly where the problem is. It has been working well before, but today I accidentally upgraded docker to 1.0 and ran into the following issues (I guess it is not because of docker 1.0 but because I had to upgrade also the boot2docker and your proxy image):
ifconfig not found - apparently the image does not contain ifconfig any more. In order to grab the IPADDR in start_squid.sh I used the following:
IPADDR=$(/sbin/ip -o -f inet addr show eth0 | awk '{ sub(/\/.+/,"",$4); print $4 }')
When I run it, all starts up fine, but then no HTTP communication on port 80 works and in the squid log I get:
1402420835.817 31168 172.17.0.21 TCP_MISS_ABORTED/000 0 GET http://mirrorlist.centos.org/? - HIER_DIRECT/204.15.73.243 -
1402421193.719 31152 172.17.0.21 TCP_MISS_ABORTED/000 0 GET http://mirrorlist.centos.org/? - HIER_DIRECT/72.232.223.58 -
All requests are timed out.
As a reference to others (and possibly myself), i explain how it worked for me.
i run this docker (docker-proxy) like this:
sudo docker build -t docker-proxy .
./run.sh ssl
Then i copy test/detect-proxy.sh to the root directory of my own docker containers sources.
My own docker containers Dockerfile looks like this:
# Base image
FROM python:2-slim
MAINTAINER me <[email protected]>
WORKDIR /src
# We need info about available system packages
RUN apt-get update
# These are required by detect-proxy.sh
RUN apt-get install -y --no-install-recommends ca-certificates net-tools netcat
ADD ./detect-proxy.sh /src/detect-proxy.sh
RUN /src/detect-proxy.sh
# These are required by one of our python dependencies
RUN apt-get install -y gcc libreadline-dev
# Install python requirements
# ... option 1 (final solution):
ADD ./requirements.txt /src/requirements.txt
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install -r requirements.txt
# option 2 (may make sense during development):
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install numpy
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install enum34
# Execute the python script
CMD ["python", "/src/my_script.py"]
This way, all downloads (at least by apt-get and pip) done while building and running the docker, go through the proxy.
One thing that might be clear anyway, but worth to note: The proxy cache is lost whenever we shut the docker-proxy container down (with Ctrl+C).
Is there a way to prevent that? In other words, can we keep/carry over proxy cache between different runs of ./run.sh?
I would like to use docker behind a corporate, authenticating firewall.
It is not clear to me how to achieve that.
I've tried to use cache_peer proxy.acme.corp parent 8080 0 no-query default login=user:pass, but that fails with temporary disabling (Bad Gateway) digest from proxy.acme.corp.
Also, it logs ERROR: No forward-proxy ports configured.
Hi,
I'm getting this error when attempting to start the docker-proxy (on a work network behind a proxy). Any ideas?
[...]/docker-proxy (master)$ sudo ./run.sh
Sending build context to Docker daemon 429.1 kB
Step 0 : FROM silarsis/base
---> b1e0761ebf68
Step 1 : MAINTAINER Kevin Littlejohn <[email protected]>
---> Using cache
---> bd1c2e9d8109
Step 2 : RUN apt-get -yq update
---> Using cache
---> f893ebae8e59
Step 3 : RUN apt-get -yq install squid iptables
---> Running in 9f6dc112263e
The command '/bin/sh -c apt-get -yq install squid iptables' returned a non-zero code: 100
The docker build step currently fails with an error:
E: Unable to find a source package for squid3
This is apparently because the Docker image for Ubuntu 14.04 was at some point changed to comment out the deb-src lines in sources.list, as most Dockerfiles did not need source packages and it was slowing down apt-get update.
The problem can be fixed by adding this line before the apt-get one:
RUN sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
This uncomments the deb-src lines and allows the squid3 source package to be located.
Provide an example of how to use docker-proxy
There is still some clean up missing I guess:
run.sh - everything works fine
run.sh again - the proxy stops working and there is no HTTP traffic possible - getting TCP_MISS_ABORTED in the squid.conf log file (similarly to the #3)
I can repeat steps 3 and 4 and it is still the same. If I restart boot2docker everything works fine again.
Thanks!
I know you said it needs to run in the foreground, but here's an idea I wondered if you could implement:
Require the container to run in host mode so that the container can edit the host's iptables. Then to allow for "on-off" proxying, create a simple apache web server in the container with a simple on-off switch. When set to off, it removes the iptable rules. When set to on, it adds the rules. This would allow us to just run the container and leave it permanently for our projects.
Hi,
I'm relatively new to Squid. I was hoping for some expansion on the HTTPS instructions relating to NPM. I am looking to intercept/cache ONLY npm SSL connections.
I modified squid.conf, rebuilt, and started my squid server with run.sh ssl.
My other docker images run detect_proxy.sh and npm config set cafile /usr/local/share/ca-certificates/docker-proxy.crt
I've tried a number of variations for my acl:
#acl npmjs url_regex npmjs
#acl npmjs dstdomain .npmjs.org
acl npmjs dst 151.101.56.162 # ip displayed when pinging registry.npmjs.org
...
ssl_bump server-first npmjs
ssl_bump none all
...
Any ideas on where I am going wrong?
Thanks,
~ Jesse
Ubuntu /bin/sh links to dash which doesn't support the pseudo-signal ERR,
trap: SIGINT: bad trap
You could use #!/bin/bash instead.
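Both trap reports on this page (this one and the earlier Debian one) are about dash rejecting trap names that bash accepts: the ERR pseudo-signal and, in the error quoted above, the SIG-prefixed name. The following is an added example, not the project's run.sh: a cleanup pattern that behaves the same under dash and bash. The function name run_guarded, the state strings and the temporary state file (a constructed stand-in for host changes such as routing or iptables rules) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: cleanup that runs under both dash and bash.
# Not portable (dash reports "bad trap"):  trap cleanup ERR SIGINT
# Portable: signal names without the SIG prefix, plus one EXIT trap that
# sees the failing status in $? (this replaces the bash-only ERR trap).

# run_guarded CMD [ARGS...]
# Applies a stand-in "setup", runs CMD, and always undoes the setup.
# Prints the final state and returns CMD's exit status.
run_guarded() {
    # Constructed stand-in for host state that must be rolled back.
    state_file=$(mktemp) || return 1
    (
        cleanup() {
            status=$?            # status the subshell is exiting with
            trap - EXIT          # make sure cleanup runs only once
            echo "removed rc=$status" > "$state_file"
            exit "$status"
        }
        trap cleanup EXIT        # normal exit and command failure
        trap 'exit 130' INT      # Ctrl+C: exit, which fires the EXIT trap
        trap 'exit 143' TERM     # termination request: same path
        echo "installed" > "$state_file"
        "$@"                     # the guarded command
        exit $?                  # leave with its status; EXIT trap cleans up
    )
    guard_rc=$?
    cat "$state_file"
    rm -f "$state_file"
    return "$guard_rc"
}

# Demo: the state is rolled back whether the command succeeds or fails.
run_guarded true
run_guarded sh -c 'exit 7' || echo "guarded command failed with status $?"
```

Because the signal traps only call exit, the undo logic lives in one place and runs exactly once for success, failure and interruption.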