Optional Squid proxy on port 3128 to access from remote scanner

Dockerfile

@@ -22,6 +22,7 @@ ARG CERTIFICATE_KEY=none
 ARG HTTPS=true
 ARG TZ=Etc/UTC
 ARG SSHD=false
+ARG SQUID=false
 ARG DB_PASSWORD=none
 
 
@@ -49,6 +50,7 @@ ENV SUPVISD=${SUPVISD:-supervisorctl} \
     CERTIFICATE_KEY=${CERTIFICATE_KEY:-none} \
     TZ=${TZ:-Etc/UTC} \
     SSHD=${SSHD:-false} \
+    SQUID=${SQUID:-false} \
     DB_PASSWORD=${DB_PASSWORD:-none} \
     DB_PASSWORD_FILE=${DB_PASSWORD:-none} \
     LANG=en_US.UTF-8 \
@@ -82,7 +84,7 @@ RUN { \
     && cd .. && rm -r musl-locales \
     && apk del --no-cache .locale_build \
     && sleep 10 \
-    && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
+    && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml squid py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
     && mkdir -p /var/log/supervisor/ \
     && su -c "mkdir -p /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm 
 
@@ -92,11 +94,12 @@ COPY report_formats/* /report_formats/
 #COPY config /opt/setup/
 #COPY scripts /opt/setup/scripts/
 #RUN chmod -R +x /opt/setup/scripts/*.sh
-#COPY scripts/* /
+COPY scripts/* /
 #COPY config/supervisord.conf /etc/supervisord.conf
 #COPY config/logrotate-gvm.conf /etc/logrotate.d/gvm
 #COPY config/redis-openvas.conf /etc/redis/redis-openvas.conf
 #COPY config/sshd_config /etc/ssh/sshd_config
+#COPY config/squid.conf /etc/squid/squid.conf
 #COPY config/* /opt/config/
 
 

Makefile

@@ -81,6 +81,7 @@ run-full:
 	--env DB_PASSWORD="postgres DB password" \
 	--env PASSWORD="webUI password" \
 	--env SSHD="true" \
+	--env SQUID="true" \
 	--volume "${PWD}/storage/postgres-db:/opt/database" \
 	--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
 	--volume "${PWD}/storage/gvm:/var/lib/gvm" \
@@ -96,6 +97,7 @@ run-latest:
 	--env DB_PASSWORD="postgres DB password" \
 	--env PASSWORD="webUI password" \
 	--env SSHD="true" \
+	--env SQUID="true" \
 	--volume "${PWD}/storage/postgres-db:/opt/database" \
 	--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
 	--volume "${PWD}/storage/gvm:/var/lib/gvm" \

config/squid.conf

@@ -0,0 +1,26 @@
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered ports
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 873         # for rsync 
+
+http_access deny !Safe_ports
+http_access allow localhost manager
+http_access deny manager
+http_access deny to_localhost
+http_access allow localhost
+http_access deny all
+
+http_port 127.0.0.1:3128
+coredump_dir /var/cache/squid
+
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320

config/supervisord.conf

@@ -59,6 +59,18 @@ stopsignal=TERM
 stopasgroup=true
 killasgroup=true
 
+[program:squid]
+priority=5
+command=/usr/sbin/squid -f /etc/squid/squid.conf -N
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s_err.log
+startsecs=10
+autorestart=true
+autostart=false
+stopsignal=TERM
+stopasgroup=true
+killasgroup=true
+
 # todo: maybe a wrapper with traps are better here
 # currently postfix is started in entrypoint.sh
 [program:postfix]

scripts/entrypoint.sh

@@ -22,6 +22,7 @@ export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
 export TZ=${TZ:-Etc/UTC}
 export DEBUG=${DEBUG:-N}
 export SSHD=${SSHD:-false}
+export SQUID=${SQUID:-false}
 export DB_PASSWORD=${DB_PASSWORD:-none}
 export DB_PASSWORD_FILE=${DB_PASSWORD_FILE:-none}
 
@@ -32,6 +33,8 @@ if [ "$1" == "/usr/bin/supervisord" ]; then
     mkdir -p /etc/redis/
     cp /opt/setup/redis-openvas.conf /etc/redis/redis-openvas.conf
     cp /opt/setup/sshd_config /etc/ssh/sshd_config
+    cp -f /opt/setup/squid.conf /etc/squid/squid.conf
+    mkdir -p /var/spool/squid
 
     echo "Starting Postfix for report delivery by email"
     #sed -i "s/^relayhost.*$/relayhost = ${RELAYHOST}:${SMTPPORT}/" /etc/postfix/main.cf

scripts/start.sh

@@ -15,6 +15,7 @@ export CERTIFICATE=${CERTIFICATE:-none}
 export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
 export TZ=${TZ:-Etc/UTC}
 export SSHD=${SSHD:-false}
+export SQUID=${SQUID:-false}
 export SETUP=${SETUP:-0}
 export DB_PASSWORD=${DB_PASSWORD:-none}
 export DB_PASSWORD_FILE=${DB_PASSWORD_FILE:-none}
@@ -316,6 +317,14 @@ if [ "$SSHD" == "true" ]; then
 		${SUPVISD} status sshd
 	fi
 fi
+
+if [ "$SQUID" == "true" ]; then
+	echo "Starting Squid Proxy Server..."
+	${SUPVISD} start squid
+	if [ "${DEBUG}" == "Y" ]; then
+		${SUPVISD} status squid
+	fi
+fi
 
 ${SUPVISD} start GVMUpdate
 if [ "${DEBUG}" == "Y" ]; then