From de8c64a650f89a75454bd011f89e135ae0eaba2b Mon Sep 17 00:00:00 2001 From: OCram85 Date: Thu, 13 Jul 2023 10:48:27 +0200 Subject: [PATCH 1/5] add full Swarmproxy example --- .vscode/dictionaries/project-words.txt | 4 ++ README.md | 44 +++++++------ docker-compose.yml | 88 +++++++++++++++----------- 3 files changed, 79 insertions(+), 57 deletions(-) diff --git a/.vscode/dictionaries/project-words.txt b/.vscode/dictionaries/project-words.txt index 8397afe..2ba4f30 100644 --- a/.vscode/dictionaries/project-words.txt +++ b/.vscode/dictionaries/project-words.txt @@ -1,10 +1,14 @@ +FOSS +gitea Gitea LOGLEVEL MAXCLIENTS +ocram Quickstart swarmproxy Swarmproxy tbd +tinyproxy Tinyproxy TINYPROXY UID diff --git a/README.md b/README.md index 483f703..416567a 100644 --- a/README.md +++ b/README.md @@ -16,12 +16,10 @@ 🦁 Swarmproxy is a simple http proxy to limit your outbound traffic.

-## ❓ FAQ - -### What ist Swarmproxy? +## 📖 About Swarmproxy is a simply way to integrate a http proxy in your Docker swarm cluster or any other container network. -It acts as an centralized proxy to limit your outbound / egress traffic. You can also enable a whitelist filter to +It acts as an centralized proxy to limit your outbound / egress traffic. You can also add a whitelist filter to limit the allowed domains. There is also an option to use a upstream proxy. ### What does Swarmproxy for you? @@ -31,16 +29,18 @@ Therefore, unfiltered Internet access may be prohibited. So Swarmproxy could help you with these features: -- Prevent direct web access from Container workload. -- Upstream proxy with or without authentication -- Optional domain based whitelist filter. +- ✔️ Prevent direct web access from Container workload. +- ✔️ Upstream proxy with or without authentication +- ✔️ Optional domain based whitelist filter. ### What does Swarmproxy not? Swarmproxy is just a supercharged Tinyproxy where you can point your container workload to. -> ☣️ Swarmproxy does not block the web access or other traffic if the proxy is not used. It's not a firewall, and it -> does not customize your iptables or so +- ☣️ Swarmproxy does not block the web access or other traffic if you workload doesn't use a proxy +- ☣️ It's not a firewall, thus it does not customize your iptables or any other firewall policies. + +## 🚀 Quickstart ### 1. ⚡ Get the image 📦 
@@ -49,10 +49,13 @@ You can download the image from the Gitea embedded container registry: `gitea.oc - `latest`, `main` - Is based on the lasted master branch commit. - `1`, `0.1`, `0.1.0` - tag based version. -> **💡 NOTE: See the [packages page](https://gitea.ocram85.com/OCram85/-/packages/container/swarmproxy/latest) for latest version and all other available tags.** +> **💡 NOTE: See the [packages page](https://gitea.ocram85.com/OCram85/-/packages/container/swarmproxy/latest) +> for latest version and all other available tags.** ### 2. 🛡️ Run as Docker Swarm Stack +This example shows all available configuration keys / environment variables for Swarmproxy. + ```yaml version: "3.8" @@ -80,6 +83,7 @@ services: #secrets: # - upstream-proxy environment: + - LOGLEVEL=Info # Recommended settings # Use an optional upstream proxy #- UPSTREAM_PROXY= @@ -92,16 +96,15 @@ services: #- TINYPROXY_GID=5123 #- PORT=8888 #- TIMEOUT=600 - #- LOGLEVEL=Info #- MAXCLIENTS=600 #- FILTER_FILE=/app/filter volumes: # You can mount a single filter file into the container. # To reload the file use the docker kill -s USR1 command. - - ./filter.txt:/app/filter:ro - configs: - - source: filter_file - target: /app/filter + # - ./filter.txt:/app/filter:ro + #configs: + # - source: filter_file + # target: /app/filter networks: egress: aliases: @@ -109,7 +112,10 @@ services: - proxy ``` -### 3. Use the proxy form other containers +### 3. 🚀 Full example + +You can find a full example containing a fake upstream, swarmproxy and workload container in the +[docker-compose.yml](docker-compose.yml) file. ## 💣 Known Issues 
@@ -139,11 +145,11 @@ code in Copilot. ## 🙏 Credits -swarmproxy is based on the following projects and wouldn't be possible without them: +Swarmproxy is based on the following projects and wouldn't be possible without them: - [Tinyproxy](https://github.com/tinyproxy/tinyproxy) - The Tinyproxy project itself -- [docker-tinyproxy](https://github.com/kalaksi/docker-tinyproxy) - A containerized tinyproxy variant. -- [docker-tinyproxy](https://github.com/ajoergensen/docker-tinyproxy) - A containerized tinyproxy variant. +- [docker-tinyproxy](https://github.com/kalaksi/docker-tinyproxy) - A containerized Tinyproxy variant. +- [docker-tinyproxy](https://github.com/ajoergensen/docker-tinyproxy) - A containerized Tinyproxy variant. ## ⚖️ License (AGPLv3) diff --git a/docker-compose.yml b/docker-compose.yml index 4634b12..135cab2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,54 +1,66 @@ version: "3.8" + +# Setting up 3 default networks to act as dummy: +# - backend : internal only network +# - dmz : dmz network with connections allowed from internal and external +# - egress : dummy egress zone with fake upstream proxy + networks: egress: attachable: true - #external: true - -#configs: -# filter_file: -# # config can be predefined / external or loaded from file -# #external: true -# file: ./filter.txt - -#secrets: -# upstream-proxy: -# external: true + dmz: + attachable: true + backend: + internal: true services: - swarmproxy: + # Creating a fake upstream proxy + upstream: image: gitea.ocram85.com/ocram85/swarmproxy:latest deploy: replicas: 1 - #secrets: - # - upstream-proxy environment: - # Recommended settings - - LOGLEVEL=Connect - - # Use an optional upstream proxy - #- UPSTREAM_PROXY= - # Set UPSTREAM_PROXY as docker secret if your upstream needs authentication - # Eg.: http://user:password@upstream.intra:3128 - #- UPSTREAM_PROXY_FILE=/run/secrets/UPSTREAM_PROXY - - # OPTIONAL config keys - #- TINYPROXY_UID=5123 - #- TINYPROXY_GID=5123 - #- PORT=8888 - #- TIMEOUT=600 - #- MAXCLIENTS=600 - #- FILTER_FILE=/app/filter - # You can mount a single filter file into the container. - # To reload the file use the docker kill -s USR1 command. - #volumes: - # - ./filter.txt:/app/filter:ro - # alenate filter file mount - #configs: - # - source: filter_file - # target: /app/filter + - LOGLEVEL=Info networks: egress: + aliases: + - upstream + + # Creating our swarmproxy instance to use the external upstream proxy + swarmproxy: + # Do not use the `latest` tag in production! 
+ image: gitea.ocram85.com/ocram85/swarmproxy:latest + depends_on: + - upstream + deploy: + replicas: 1 + environment: + - UPSTREAM_PROXY=upstream:8888 + - LOGLEVEL=Info + networks: + dmz: aliases: - swarmproxy - proxy + egress: + + # container workload example whicht tries to communicate through our swarmproxy instance + # http request / response: + # [curl container] <---|req/res|---> [swarmproxy] <---|req/res|---> [upstream] <---|req/res|---> [target] + curl: + image: curlimages/curl:8.1.2 + command: ["-I", "-x", "proxy:8888", "https://google.com"] + depends_on: + - upstream + - swarmproxy + deploy: + replicas: 1 + restart_policy: + condition: any + delay: 10s + max_attempts: 5 + window: 120s + networks: + - backend + - dmz -- 2.45.2 From 7f2084b9607e4ad6844108449ce9f4a175966c25 Mon Sep 17 00:00:00 2001 From: OCram85 Date: Thu, 13 Jul 2023 10:50:19 +0200 Subject: [PATCH 2/5] upd changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a70b14d..c19baf9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## [v0.1.0](https://gitea.ocram85.com/OCram85/swarmproxy/releases/tag/v0.1.0) - 2023-07-12 +## [v0.1.0](https://gitea.ocram85.com/OCram85/swarmproxy/releases/tag/v0.1.0) - 2023-07-13 * ✨ FEATURES * Adds entrypoint (#6) @@ -11,4 +11,5 @@ * Use absolute urls for action calls (#10) * Adds renovate support (#8) * ⚙️ META + * Add Readme content (#11) * Adds initial readme (#4) -- 2.45.2 From 56a34e833e5aea44616044c8e0c794393bcae895 Mon Sep 17 00:00:00 2001 
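Review bot: The `curl` workload is attached to `dmz`, which is not marked `internal: true`, so its tasks keep a direct route to the Internet through the overlay's gateway bridge and nothing in this stack forces them through swarmproxy; the example demonstrates the proxy path but not the "prevent direct web access" property the README advertises. To show that property, give the workload only the `internal: true` network (`backend`), join swarmproxy to both `backend` and `egress`, and move the `proxy`/`swarmproxy` aliases onto `backend` so the client can still resolve them — the same layout issue is in `1-minimal.yml` (curl on the non-internal `egress`) and `3-external.yml` in the third patch. Separately, `depends_on` is ignored by `docker stack deploy` for version-3 Compose files, so startup ordering here actually relies on the `restart_policy` retries; a comment such as `# depends_on is ignored in swarm mode; restart_policy covers the startup race` would keep readers from trusting it.
```yaml
  swarmproxy:
    # … unchanged: image, depends_on, deploy, environment …
    networks:
      backend:
        aliases:
          - swarmproxy
          - proxy
      egress:

  curl:
    # … unchanged: image, command, depends_on, deploy …
    networks:
      - backend
```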
From: OCram85 Date: Thu, 13 Jul 2023 13:42:46 +0200 Subject: [PATCH 3/5] upate example docs --- README.md | 6 +- examples/1-minimal.yml | 35 ++ docker-compose.yml => examples/2-upstream.yml | 8 +- examples/3-external.yml | 101 +++++ examples/Readme.md | 402 ++++++++++++++++++ 5 files changed, 543 insertions(+), 9 deletions(-) create mode 100644 examples/1-minimal.yml rename docker-compose.yml => examples/2-upstream.yml (92%) create mode 100644 examples/3-external.yml create mode 100644 examples/Readme.md diff --git a/README.md b/README.md index 416567a..05ade0d 100644 --- a/README.md +++ b/README.md @@ -112,11 +112,9 @@ services: - proxy ``` -### 3. 🚀 Full example - -You can find a full example containing a fake upstream, swarmproxy and workload container in the -[docker-compose.yml](docker-compose.yml) file. +## 🚀 Examples +See the [Readme](./examples/README.md) docs in the examples folder... ## 💣 Known Issues diff --git a/examples/1-minimal.yml b/examples/1-minimal.yml new file mode 100644 index 0000000..becd6c7 --- /dev/null +++ b/examples/1-minimal.yml @@ -0,0 +1,35 @@ +version: "3.8" + +networks: + egress: + attachable: true + backend: + internal: true + +services: + swarmproxy: + image: gitea.ocram85.com/ocram85/swarmproxy:latest + deploy: + replicas: 1 + environment: + - LOGLEVEL=Info + networks: + egress: + aliases: + - proxy + + curl: + image: curlimages/curl:8.1.2 + command: ["-I", "-x", "proxy:8888", "https://google.com"] + depends_on: + - swarmproxy + deploy: + replicas: 1 + restart_policy: + condition: on-failure + delay: 10s + max_attempts: 5 + window: 120s + networks: + - backend + - egress diff --git a/docker-compose.yml b/examples/2-upstream.yml similarity index 92% rename from docker-compose.yml rename to examples/2-upstream.yml index 135cab2..878c4b1 100644 --- a/docker-compose.yml +++ b/examples/2-upstream.yml 
@@ -1,11 +1,9 @@ version: "3.8" - # Setting up 3 default networks to act as dummy: # - backend : internal only network # - dmz : dmz network with connections allowed from internal and external # - egress : dummy egress zone with fake upstream proxy - networks: egress: attachable: true @@ -36,8 +34,8 @@ services: deploy: replicas: 1 environment: - - UPSTREAM_PROXY=upstream:8888 - LOGLEVEL=Info + - UPSTREAM_PROXY=upstream:8888 networks: dmz: aliases: @@ -45,7 +43,7 @@ services: - proxy egress: - # container workload example whicht tries to communicate through our swarmproxy instance + # container workload example which tries to communicate through our swarmproxy instance # http request / response: # [curl container] <---|req/res|---> [swarmproxy] <---|req/res|---> [upstream] <---|req/res|---> [target] curl: @@ -57,7 +55,7 @@ services: deploy: replicas: 1 restart_policy: - condition: any + condition: on-failure delay: 10s max_attempts: 5 window: 120s diff --git a/examples/3-external.yml b/examples/3-external.yml new file mode 100644 index 0000000..e7d866d --- /dev/null +++ b/examples/3-external.yml 
@@ -0,0 +1,101 @@ +version: "3.8" + +# IMPORTANT: Run the following command to add the required filter config file: +# echo "google.com" | docker config create filter_file - +configs: + filter_file: + external: true + +# IMPORTANT: Run the following command to add the required filter config file: +# echo "upstream:8888" | docker secret create upstream-proxy - +secrets: + upstream-proxy: + external: true + +# Setting up 3 default networks to act as dummy: +# - backend : internal only network +# - dmz : dmz network with connections allowed from internal and external +# - egress : dummy egress zone with fake upstream proxy +networks: + egress: + attachable: true + dmz: + attachable: true + backend: + internal: true + +services: + # Creating a fake upstream proxy + upstream: + image: gitea.ocram85.com/ocram85/swarmproxy:latest + deploy: + replicas: 1 + environment: + - LOGLEVEL=Info + networks: + egress: + aliases: + - upstream + + # Creating our swarmproxy instance to use the external upstream proxy + swarmproxy: + # Do not use the `latest` tag in production! 
+ image: gitea.ocram85.com/ocram85/swarmproxy:latest + depends_on: + - upstream + deploy: + replicas: 1 + environment: + - LOGLEVEL=Info + #- UPSTREAM_PROXY=upstream:8888 + - UPSTREAM_PROXY_FILE=/run/secrets/upstream-proxy + - FILTER_FILE=/app/filter + configs: + - source: filter_file + target: /app/filter + secrets: + - upstream-proxy + networks: + dmz: + aliases: + - swarmproxy + - proxy + egress: + + # container workload example whicht tries to communicate through our swarmproxy instance + # http request / response: + # [curl container] <---|req/res|---> [swarmproxy] <---|req/res|---> [upstream] <---|req/res|---> [target] + curl: + image: curlimages/curl:8.1.2 + command: ["-I", "-x", "proxy:8888", "https://google.com"] + depends_on: + - upstream + - swarmproxy + deploy: + replicas: 1 + restart_policy: + condition: on-failure + delay: 10s + max_attempts: 5 + window: 120s + networks: + - backend + - dmz + + # Example for blocked request if there is no matching domain in the filter file. + curl-blocked: + image: curlimages/curl:8.1.2 + command: ["-I", "-x", "proxy:8888", "https://amazon.com"] + depends_on: + - upstream + - swarmproxy + deploy: + replicas: 1 + restart_policy: + condition: on-failure + delay: 10s + max_attempts: 5 + window: 120s + networks: + - backend + - dmz diff --git a/examples/Readme.md b/examples/Readme.md new file mode 100644 index 0000000..3536088 --- /dev/null +++ b/examples/Readme.md 
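Review bot: The comment above `secrets:` is a copy of the one above `configs:` and tells the reader to "add the required filter config file" while the command under it creates the upstream-proxy secret; it should read `# IMPORTANT: Run the following command to create the required upstream proxy secret:`. Since the README pairs `UPSTREAM_PROXY_FILE` with authenticated upstreams (`http://user:password@host:port`), a short comment next to it noting that the secret form keeps credentials out of the service definition and `docker service inspect` output, whereas the commented `UPSTREAM_PROXY` variable would expose them there, would make the reason for the two variants clear. The curl comment still has the `whicht` typo that this patch fixes in `2-upstream.yml`.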
@@ -0,0 +1,402 @@ +# 📘 Examples + +This folder contains some examples you can use to start building your Swarmproxy stack. + +## Basic example `(1-minimal.yml)` + +### Source + +> 🗄️ File: [1-minimal.yml](1-minimal.yml) + +### Description + +This is the mos basic example. It contains the Swarmproxy service and curl als helper. Just deploy the stack and +inspect the logs form the containers. + +### Usage + +```bash +docker stack deploy -c 1-minimal.yml swarmproxy-mini +``` + +### Container Logs + +- Swarmproxy: + +``` +🦁 FILTER_FILE not found or set. +🦁 Final Swarmproxy config 🦁 + +3 +Group 5123 + +8 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +LogLevel Info +MaxClients 600 +ViaProxyName "Swarmproxy" +Allow 127.0.0.1/8 +Allow 10.0.0.0/8 +🦁 Starting Tinyproxy... +args count: 3 +args value: -c /app/proxy.conf -d +NOTICE Jul 13 11:10:23.360 [1]: Initializing tinyproxy ... +NOTICE Jul 13 11:10:23.360 [1]: Reloading config file +INFO Jul 13 11:10:23.360 [1]: Stathost set to "tinyproxy.stats" +INFO Jul 13 11:10:23.360 [1]: Setting "Via" header to 'Swarmproxy' +NOTICE Jul 13 11:10:23.360 [1]: Reloading config file finished +INFO Jul 13 11:10:23.360 [1]: listen_sock called with addr = '(NULL)' +INFO Jul 13 11:10:23.360 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] +INFO Jul 13 11:10:23.360 [1]: listening on fd [3] +INFO Jul 13 11:10:23.360 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] +INFO Jul 13 11:10:23.360 [1]: listening on fd [4] +INFO Jul 13 11:10:23.360 [1]: Not running as root, so not changing UID/GID. +INFO Jul 13 11:10:23.360 [1]: Setting the various signals. +INFO Jul 13 11:10:23.360 [1]: Starting main loop. Accepting connections. 
+CONNECT Jul 13 11:10:29.845 [1]: Connect (file descriptor 5): 10.0.35.4 +CONNECT Jul 13 11:10:29.845 [1]: Request (file descriptor 5): CONNECT google.com:443 HTTP/1.1 +INFO Jul 13 11:10:29.845 [1]: No upstream proxy for google.com +INFO Jul 13 11:10:29.845 [1]: opensock: opening connection to google.com:443 +INFO Jul 13 11:10:29.955 [1]: opensock: getaddrinfo returned for google.com:443 +CONNECT Jul 13 11:10:29.959 [1]: Established connection to host "google.com" using file descriptor 6. +INFO Jul 13 11:10:29.959 [1]: Not sending client headers to remote machine +INFO Jul 13 11:10:30.033 [1]: Closed connection between local client (fd:5) and remote client (fd:6) +``` + +- Curl: + +``` + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +HTTP/1.0 200 Connection established + + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 0 220 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 +Proxy-agent: tinyproxy/1.11.1 + +HTTP/2 301 +location: https:xt/html; charset=UTF-8 +content-security//www.google.com/ +content-type: te-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-gEktpIC_xSqk9njjM0KANA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp +date: Thu, 13 Jul 2023 11:10:29 GMT +expires: Thu, 13 Jul 2023 11:10:29 GMT +cache-control: private, max-age=2592000 + +server: gws +content-length: 220 +x-xss-protection: 0 +x-frame-options: SAMEORIGIN +set-cookie: CONSENT=PENDING+663; expires=Sat, 12-Jul-2025 11:10:29 GMT; path=/; domain=.google.com; Secure +p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info." +alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 +``` + +## Upstream proxy example `(2-upstream.yml)` + +### Source + +> 🗄️ File: [2-upstream.yml](2-upstream.yml) + +### Description + +The upstream example contains another Swarmproxy instance as fake upstream proxy. 
The client connects to it's +configured Swarmproxy instance which forwards the query to the upstream. + +### Usage + +```bash +docker stack deploy -c 2-upstream.yml swarmproxy-upstream +``` + +### Container Logs + +- Upstream + +``` +🦁 FILTER_FILE not found or set. +🦁 Final Swarmproxy config 🦁 + +3 +Group 5123 +8 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +LogLevel Info +MaxClients 600 +ViaProxyName "Swarmproxy" +Allow 127.0.0.1/8 +Allow 10.0.0.0/8 +🦁 Starting Tinyproxy... +args count: 3 +args value: -c /app/proxy.conf -d +NOTICE Jul 13 11:18:50.279 [1]: Initializing tinyproxy ... +NOTICE Jul 13 11:18:50.279 [1]: Reloading config file +INFO Jul 13 11:18:50.279 [1]: Stathost set to "tinyproxy.stats" +INFO Jul 13 11:18:50.279 [1]: Setting "Via" header to 'Swarmproxy' +NOTICE Jul 13 11:18:50.279 [1]: Reloading config file finished +INFO Jul 13 11:18:50.279 [1]: listen_sock called with addr = '(NULL)' +INFO Jul 13 11:18:50.279 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] +INFO Jul 13 11:18:50.279 [1]: listening on fd [3] +INFO Jul 13 11:18:50.279 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] +INFO Jul 13 11:18:50.279 [1]: listening on fd [4] +INFO Jul 13 11:18:50.279 [1]: Not running as root, so not changing UID/GID. +INFO Jul 13 11:18:50.279 [1]: Setting the various signals. +INFO Jul 13 11:18:50.279 [1]: Starting main loop. Accepting connections. +``` + +- Swarmproxy + +``` +🦁 FILTER_FILE not found or set. +🦁 Final Swarmproxy config 🦁 +3 +Group 5123 +8 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +LogLevel Info +MaxClients 600 +ViaProxyName "Swarmproxy" +Allow 127.0.0.1/8 +Allow 10.0.0.0/8 +Upstream http upstream:8888 +🦁 Starting Tinyproxy... 
+args count: 3 +args value: -c /app/proxy.conf -d +NOTICE Jul 13 11:22:46.583 [1]: Initializing tinyproxy ... +NOTICE Jul 13 11:22:46.583 [1]: Reloading config file +INFO Jul 13 11:22:46.583 [1]: Stathost set to "tinyproxy.stats" +INFO Jul 13 11:22:46.583 [1]: Setting "Via" header to 'Swarmproxy' +INFO Jul 13 11:22:46.583 [1]: Added upstream http upstream:8888 for [default] +NOTICE Jul 13 11:22:46.583 [1]: Reloading config file finished +INFO Jul 13 11:22:46.583 [1]: listen_sock called with addr = '(NULL)' +INFO Jul 13 11:22:46.583 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] +INFO Jul 13 11:22:46.583 [1]: listening on fd [3] +INFO Jul 13 11:22:46.583 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] +INFO Jul 13 11:22:46.583 [1]: listening on fd [4] +INFO Jul 13 11:22:46.583 [1]: Not running as root, so not changing UID/GID. +INFO Jul 13 11:22:46.583 [1]: Setting the various signals. +INFO Jul 13 11:22:46.583 [1]: Starting main loop. Accepting connections. +CONNECT Jul 13 11:23:02.916 [1]: Connect (file descriptor 5): 10.0.38.4 +CONNECT Jul 13 11:23:02.916 [1]: Request (file descriptor 5): CONNECT google.com:443 HTTP/1.1 +INFO Jul 13 11:23:02.916 [1]: Found upstream proxy http upstream:8888 for google.com +INFO Jul 13 11:23:02.916 [1]: opensock: opening connection to upstream:8888 +INFO Jul 13 11:23:02.916 [1]: opensock: getaddrinfo returned for upstream:8888 +CONNECT Jul 13 11:23:02.917 [1]: Established connection to upstream proxy "upstream" using file descriptor 6. 
+INFO Jul 13 11:23:03.182 [1]: Closed connection between local client (fd:5) and remote client (fd:6) +``` + +- Curl + +``` + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +HTTP/1.0 200 Connection established + + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 0 220 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 +Via: 1.1 Swarmproxy (tinyproxy/1.11.1) +Proxy-agent: tinyproxy/1.11.1 + +HTTP/2 301 +location: https://www.google.com/ +content-type: text/html; charset=UTF-8 +content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-g1lolRpzk2b93t4bhY80uA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp +date: Thu, 13 Jul 2023 11:23:03 GMT +expires: Thu, 13 Jul 2023 11:23:03 GMT +cache-control: private, max-age=2592000 + +server: gws +content-length: 220 +x-xss-protection: 0 +x-frame-options: SAMEORIGIN +set-cookie: CONSENT=PENDING+481; expires=Sat, 12-Jul-2025 11:23:03 GMT; path=/; domain=.google.com; Secure +p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info." +alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 +``` + +## Fullstack example with external secrets and config `(3-external.yml)` + +### Source + +> 🗄️ File: [3-upstream.yml](3-upstream.yml) + +### Description + +This stack is based on the previous upstream example. It's modified to show these additional features: + +- Using external docker secret to set up an upstream proxy. 
Should be used when upstream needs authentication +- Mounting a docker config as filter file +- filtering queries by domains +- added curl-blocked service to show output if target domain is not in whitelist + +### Usage + +```bash +echo "google.com" | docker config create filter_file - +echo "upstream:8888" | docker secret create upstream-proxy - +docker stack deploy -c 1-minimal.yml swarmproxy-mini +``` + +### Container Logs + +- Upstream + +``` +🦁 FILTER_FILE not found or set. +🦁 Final Swarmproxy config 🦁 + +3 +Group 5123 + +8 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +LogLevel Info +MaxClients 600 +ViaProxyName "Swarmproxy" +Allow 127.0.0.1/8 +Allow 10.0.0.0/8 +🦁 Starting Tinyproxy... +args count: 3 +args value: -c /app/proxy.conf -d +NOTICE Jul 13 11:37:47.554 [1]: Initializing tinyproxy ... +NOTICE Jul 13 11:37:47.554 [1]: Reloading config file +INFO Jul 13 11:37:47.554 [1]: Stathost set to "tinyproxy.stats" +INFO Jul 13 11:37:47.554 [1]: Setting "Via" header to 'Swarmproxy' +NOTICE Jul 13 11:37:47.554 [1]: Reloading config file finished +INFO Jul 13 11:37:47.554 [1]: listen_sock called with addr = '(NULL)' +INFO Jul 13 11:37:47.554 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] +INFO Jul 13 11:37:47.554 [1]: listening on fd [3] +INFO Jul 13 11:37:47.554 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] +INFO Jul 13 11:37:47.554 [1]: listening on fd [4] +INFO Jul 13 11:37:47.554 [1]: Not running as root, so not changing UID/GID. +INFO Jul 13 11:37:47.554 [1]: Setting the various signals. +INFO Jul 13 11:37:47.554 [1]: Starting main loop. Accepting connections. 
+CONNECT Jul 13 11:38:22.698 [1]: Connect (file descriptor 5): 10.0.40.4 +CONNECT Jul 13 11:38:22.699 [1]: Request (file descriptor 5): CONNECT google.com:443 HTTP/1.1 +INFO Jul 13 11:38:22.699 [1]: No upstream proxy for google.com +INFO Jul 13 11:38:22.699 [1]: opensock: opening connection to google.com:443 +INFO Jul 13 11:38:26.704 [1]: opensock: getaddrinfo returned for google.com:443 +CONNECT Jul 13 11:38:26.708 [1]: Established connection to host "google.com" using file descriptor 6. +INFO Jul 13 11:38:26.708 [1]: Not sending client headers to remote machine +INFO Jul 13 11:38:26.785 [1]: Closed connection between local client (fd:5) and remote client (fd:6) +``` + +- Swarmproxy + +``` +🦁 Final Swarmproxy config 🦁 + +3 +Group 5123 + +8 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +LogLevel Info +MaxClients 600 +ViaProxyName "Swarmproxy" +Allow 127.0.0.1/8 +Allow 10.0.0.0/8 +Upstream http upstream:8888 +Filter "/app/filter" +FilterURLs Off +FilterCaseSensitive Off +FilterDefaultDeny Yes +🦁 Starting Tinyproxy... +args count: 3 +args value: -c /app/proxy.conf -d +NOTICE Jul 13 11:37:57.704 [1]: Initializing tinyproxy ... 
+NOTICE Jul 13 11:37:57.704 [1]: Reloading config file +INFO Jul 13 11:37:57.704 [1]: Stathost set to "tinyproxy.stats" +INFO Jul 13 11:37:57.704 [1]: Setting "Via" header to 'Swarmproxy' +INFO Jul 13 11:37:57.704 [1]: Added upstream http upstream:8888 for [default] +NOTICE Jul 13 11:37:57.704 [1]: Reloading config file finished +INFO Jul 13 11:37:57.704 [1]: listen_sock called with addr = '(NULL)' +INFO Jul 13 11:37:57.704 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] +INFO Jul 13 11:37:57.704 [1]: listening on fd [3] +INFO Jul 13 11:37:57.704 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] +INFO Jul 13 11:37:57.704 [1]: listening on fd [4] +INFO Jul 13 11:37:57.704 [1]: Not running as root, so not changing UID/GID. +INFO Jul 13 11:37:57.704 [1]: Setting the various signals. +INFO Jul 13 11:37:57.704 [1]: Starting main loop. Accepting connections. +CONNECT Jul 13 11:38:00.361 [1]: Connect (file descriptor 5): 10.0.39.4 +CONNECT Jul 13 11:38:00.361 [1]: Request (file descriptor 5): CONNECT amazon.com:443 HTTP/1.1 +NOTICE Jul 13 11:38:00.361 [1]: Proxying refused on filtered domain "amazon.com" +CONNECT Jul 13 11:38:14.022 [1]: Connect (file descriptor 5): 10.0.39.4 +CONNECT Jul 13 11:38:14.022 [1]: Request (file descriptor 5): CONNECT amazon.com:443 HTTP/1.1 +NOTICE Jul 13 11:38:14.022 [1]: Proxying refused on filtered domain "amazon.com" +CONNECT Jul 13 11:38:22.698 [1]: Connect (file descriptor 5): 10.0.39.4 +CONNECT Jul 13 11:38:22.698 [1]: Request (file descriptor 5): CONNECT google.com:443 HTTP/1.1 +INFO Jul 13 11:38:22.698 [1]: Found upstream proxy http upstream:8888 for google.com +INFO Jul 13 11:38:22.698 [1]: opensock: opening connection to upstream:8888 +INFO Jul 13 11:38:22.698 [1]: opensock: getaddrinfo returned for upstream:8888 +CONNECT Jul 13 11:38:22.698 [1]: Established connection to upstream proxy "upstream" using file descriptor 6. 
+CONNECT Jul 13 11:38:25.064 [1]: Connect (file descriptor 7): 10.0.39.4 +CONNECT Jul 13 11:38:25.064 [1]: Request (file descriptor 7): CONNECT amazon.com:443 HTTP/1.1 +NOTICE Jul 13 11:38:25.064 [1]: Proxying refused on filtered domain "amazon.com" +INFO Jul 13 11:38:26.785 [1]: Closed connection between local client (fd:5) and remote client (fd:6) +CONNECT Jul 13 11:38:36.285 [1]: Connect (file descriptor 5): 10.0.39.4 +CONNECT Jul 13 11:38:36.285 [1]: Request (file descriptor 5): CONNECT amazon.com:443 HTTP/1.1 +NOTICE Jul 13 11:38:36.285 [1]: Proxying refused on filtered domain "amazon.com" +``` + +- Curl + +``` + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +HTTP/1.0 200 Connection established + + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 + 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0 + 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 + 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0 + 0 220 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0 +Via: 1.1 Swarmproxy (tinyproxy/1.11.1) +Proxy-agent: tinyproxy/1.11.1 + +HTTP/2 301 +location: https://www.google.com/ +content-type: text/html; charset=UTF-8 +content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-UGtC_QXXA9WxUVfYPZJkJA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp +date: Thu, 13 Jul 2023 11:38:26 GMT +expires: Thu, 13 Jul 2023 11:38:26 GMT +cache-control: private, max-age=2592000 + +server: gws +content-length: 220 +x-xss-protection: 0 +x-frame-options: SAMEORIGIN +set-cookie: CONSENT=PENDING+670; expires=Sat, 12-Jul-2025 11:38:26 GMT; path=/; domain=.google.com; Secure +p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info." 
+alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 +``` + +- Curl-blocked + +``` + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 +HTTP/1.1 403 Filtered +curl: (56) CONNECT tunnel failed, response 403 +Server: tinyproxy/1.11.1 +Content-Type: text/html +Connection: close +``` -- 2.45.2 From 12c9abc4de7f6d059e4504af6f0670cee5fbb0ab Mon Sep 17 00:00:00 2001 From: OCram85 Date: Thu, 13 Jul 2023 13:47:58 +0200 Subject: [PATCH 4/5] debug intenal link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 05ade0d..7596cbd 100644 --- a/README.md +++ b/README.md @@ -114,7 +114,7 @@ services: ## 🚀 Examples -See the [Readme](./examples/README.md) docs in the examples folder... +See the [Readme](examples/) docs in the examples folder... ## 💣 Known Issues -- 2.45.2 From 7076d2c533d24f05521d9f2423f712c43065384b Mon Sep 17 00:00:00 2001 From: OCram85 Date: Thu, 13 Jul 2023 13:54:45 +0200 Subject: [PATCH 5/5] add toc --- examples/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/Readme.md b/examples/Readme.md index 3536088..44f588f 100644 --- a/examples/Readme.md +++ b/examples/Readme.md @@ -1,3 +1,8 @@ +--- +gitea: none +include_toc: true +--- + # 📘 Examples This folder contains some examples you can use to start building your Swarmproxy stack. -- 2.45.2