diff --git a/Dockerfile b/Dockerfile
index 227079e0..52b7f0ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,7 @@ ARG CERTIFICATE_KEY=none
ARG HTTPS=true
ARG TZ=Etc/UTC
ARG SSHD=false
+ARG SQUID=false
ARG DB_PASSWORD=none
@@ -49,6 +50,7 @@ ENV SUPVISD=${SUPVISD:-supervisorctl} \
CERTIFICATE_KEY=${CERTIFICATE_KEY:-none} \
TZ=${TZ:-Etc/UTC} \
SSHD=${SSHD:-false} \
+ SQUID=${SQUID:-false} \
DB_PASSWORD=${DB_PASSWORD:-none} \
DB_PASSWORD_FILE=${DB_PASSWORD:-none} \
LANG=en_US.UTF-8 \
@@ -82,7 +84,7 @@ RUN { \
&& cd .. && rm -r musl-locales \
&& apk del --no-cache .locale_build \
&& sleep 10 \
- && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
+ && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml squid py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
&& mkdir -p /var/log/supervisor/ \
&& su -c "mkdir -p /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm
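Review bot: The new `apk add` line installs `squid` under the same `--allow-untrusted` flag as the `@custcom` packages, so the one package that will open a listening socket is installed with signature verification disabled. If `--allow-untrusted` exists only for the custom repository, split the call so main-repository packages keep verification: `&& apk add --no-cache logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml squid \` followed by `&& apk add --no-cache --allow-untrusted py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \`. The RUN instruction this line belongs to starts and ends outside the hunk.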
@@ -92,11 +94,12 @@ COPY report_formats/* /report_formats/
#COPY config /opt/setup/
#COPY scripts /opt/setup/scripts/
#RUN chmod -R +x /opt/setup/scripts/*.sh
-#COPY scripts/* /
+COPY scripts/* /
#COPY config/supervisord.conf /etc/supervisord.conf
#COPY config/logrotate-gvm.conf /etc/logrotate.d/gvm
#COPY config/redis-openvas.conf /etc/redis/redis-openvas.conf
#COPY config/sshd_config /etc/ssh/sshd_config
+#COPY config/squid.conf /etc/squid/squid.conf
#COPY config/* /opt/config/
diff --git a/Makefile b/Makefile
index c52895e4..0740272d 100644
--- a/Makefile
+++ b/Makefile
@@ -81,6 +81,7 @@ run-full:
--env DB_PASSWORD="postgres DB password" \
--env PASSWORD="webUI password" \
--env SSHD="true" \
+ --env SQUID="true" \
--volume "${PWD}/storage/postgres-db:/opt/database" \
--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
--volume "${PWD}/storage/gvm:/var/lib/gvm" \
@@ -96,6 +97,7 @@ run-latest:
--env DB_PASSWORD="postgres DB password" \
--env PASSWORD="webUI password" \
--env SSHD="true" \
+ --env SQUID="true" \
--volume "${PWD}/storage/postgres-db:/opt/database" \
--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
--volume "${PWD}/storage/gvm:/var/lib/gvm" \
diff --git a/config/squid.conf b/config/squid.conf
new file mode 100644
index 00000000..7b082a52
--- /dev/null
+++ b/config/squid.conf
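Review bot: The uncommented `COPY scripts/* /` is the only live instruction in this hunk; every neighbouring line, including the newly added `#COPY config/squid.conf /etc/squid/squid.conf`, stays commented out, which reads like a debugging leftover rather than a deliberate change. If the scripts are already placed by a COPY outside this hunk, this line now ships a second copy at the image root and should go back to being commented; if it is intentional, keep it and add a one-line comment explaining why it alone is active. Note also that scripts/entrypoint.sh in this same commit copies `/opt/setup/squid.conf` at runtime, and nothing visible in this hunk stages `config/squid.conf` into `/opt/setup` — confirm an earlier COPY provides it, otherwise the runtime `cp` will fail.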
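Review bot: `--env SQUID="true"` in run-full enables the proxy by default, but config/squid.conf in this commit binds `http_port 127.0.0.1:3128`, so the proxy is reachable only from processes inside the container and never from the host running this target. If a localhost-only egress proxy for the scanner is the intent, a comment such as `# SQUID=true starts a proxy bound to 127.0.0.1:3128 inside the container only` would stop users from expecting a published port; if the host is meant to reach it, a `--publish` and a different bind address are needed. The run-full recipe continues outside the hunk.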
@@ -0,0 +1,26 @@
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl Safe_ports port 873 # for rsync
+
+http_access deny !Safe_ports
+http_access allow localhost manager
+http_access deny manager
+http_access deny to_localhost
+http_access allow localhost
+http_access deny all
+
+http_port 127.0.0.1:3128
+coredump_dir /var/cache/squid
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
diff --git a/config/supervisord.conf b/config/supervisord.conf
index af1f4e91..1d5cc606 100644
--- a/config/supervisord.conf
+++ b/config/supervisord.conf
@@ -59,6 +59,18 @@ stopsignal=TERM
stopasgroup=true
killasgroup=true
+[program:squid]
+priority=5
+command=/usr/sbin/squid -f /etc/squid/squid.conf -N
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s_err.log
+startsecs=10
+autorestart=true
+autostart=false
+stopsignal=TERM
+stopasgroup=true
+killasgroup=true
+ # todo: maybe a wrapper with traps are better here
# currently postfix is started in entrypoint.sh
[program:postfix]
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index cb303540..a795cdb9 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -22,6 +22,7 @@ export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
export TZ=${TZ:-Etc/UTC}
export DEBUG=${DEBUG:-N}
export SSHD=${SSHD:-false}
+export SQUID=${SQUID:-false}
export DB_PASSWORD=${DB_PASSWORD:-none}
export DB_PASSWORD_FILE=${DB_PASSWORD_FILE:-none}
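Review bot: The access rules never constrain `CONNECT`; the standard Squid baseline pairs `acl SSL_ports port 443` with `http_access deny CONNECT !SSL_ports` immediately after `http_access deny !Safe_ports`, and without it any process in the container can open a CONNECT tunnel to every Safe_port — including the whole 1025-65535 range — on any reachable host. Exposure is bounded by `http_port 127.0.0.1:3128` plus `http_access allow localhost`, but the proxy still turns any local code execution into unrestricted TCP egress, which matters for a scanner image. If the scanner genuinely needs CONNECT to arbitrary ports through this proxy, state that in a comment at the top of the file rather than omitting the rule silently; otherwise add `acl SSL_ports port 443` and `http_access deny CONNECT !SSL_ports`. There is also no `access_log` directive, so whether proxied requests are logged at all depends on the package default — worth pinning explicitly for a security tool.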
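Review bot: The `[program:squid]` block sets no `user=`, so squid is launched with supervisord's own identity and privilege dropping depends on the package's compiled-in `cache_effective_user`, which config/squid.conf in this commit does not set either. Make the service account explicit in one place — `cache_effective_user squid` in squid.conf or `user=squid` in this block — so the runtime user does not silently change with a package update; I cannot see the Alpine package defaults from here, so confirm which directories (log, coredump_dir, pid file) the chosen account must own before adding it. The `[program:postfix]` section that follows continues outside the hunk.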
@@ -32,6 +33,8 @@ if [ "$1" == "/usr/bin/supervisord" ]; then
mkdir -p /etc/redis/
cp /opt/setup/redis-openvas.conf /etc/redis/redis-openvas.conf
cp /opt/setup/sshd_config /etc/ssh/sshd_config
+ cp -f /opt/setup/squid.conf /etc/squid/squid.conf
+ mkdir -p /var/spool/squid
echo "Starting Postfix for report delivery by email"
#sed -i "s/^relayhost.*$/relayhost = ${RELAYHOST}:${SMTPPORT}/" /etc/postfix/main.cf
diff --git a/scripts/start.sh b/scripts/start.sh
index bf086518..350787f5 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -15,6 +15,7 @@ export CERTIFICATE=${CERTIFICATE:-none}
export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
export TZ=${TZ:-Etc/UTC}
export SSHD=${SSHD:-false}
+export SQUID=${SQUID:-false}
export SETUP=${SETUP:-0}
export DB_PASSWORD=${DB_PASSWORD:-none}
export DB_PASSWORD_FILE=${DB_PASSWORD_FILE:-none}
@@ -316,6 +317,14 @@ if [ "$SSHD" == "true" ]; then
${SUPVISD} status sshd
fi
fi
+
+if [ "$SQUID" == "true" ]; then
+ echo "Starting Squid Proxy Server..."
+ ${SUPVISD} start squid
+ if [ "${DEBUG}" == "Y" ]; then
+ ${SUPVISD} status squid
+ fi
+fi
${SUPVISD} start GVMUpdate
if [ "${DEBUG}" == "Y" ]; then
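Review bot: `mkdir -p /var/spool/squid` creates a directory that config/squid.conf in this commit never references (its only path is `coredump_dir /var/cache/squid`) and sets no ownership on it, so the line is either dead or, if it is meant as the cache/spool for a non-root squid, will not be writable by that user. Either drop it or align it with the config and the service account, e.g. `mkdir -p /var/cache/squid && chown squid:squid /var/cache/squid`, substituting whatever user squid actually runs as. The `cp -f /opt/setup/squid.conf` also presumes the file was staged at build time, while the Dockerfile change in this commit leaves `COPY config/squid.conf` commented out — confirm another COPY provides it. The enclosing `if` block continues outside the hunk.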
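Review bot: `${SUPVISD} start squid` runs unchecked, so a failed start — for instance the config missing because entrypoint.sh copies it only when invoked with `/usr/bin/supervisord` — is surfaced only when `DEBUG=Y`. A minimal change that keeps the style of the SSHD block above is `${SUPVISD} start squid || echo "WARNING: squid failed to start" >&2`, though whether `supervisorctl start` exits non-zero on a failed start depends on the supervisor version in the image, so verify that before relying on it. The script continues outside the hunk.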