So what are we up to today? Running a Glype proxy in a Docker container. “You what?”, you may say. Let me expand. If you’re not sure what a Glype proxy is, it’s a web based proxy that can be used for anonymous browsing, bypassing censorship and things of that nature. I won’t go into the ins and outs of why you may want to use technology like this; suffice to say that I think it’s a useful tool to have at your disposal but, having said that, I rarely use it. And that’s exactly why I decided it would be a good candidate to use in a Docker container. What is the point of having something so rarely used up and running all the time, wasting resources and exposing a port for potential hackers to exploit? If you can just fire up a container when it’s needed, problem solved.
It also gives me a good excuse to play around a bit more with Docker. Whilst there are quite a few tutorials available on the Docker site, I always prefer to work on something that may be actually useful. And frankly I found that running an Ubuntu container that echoes “Hello World” then exits more confusing than explanatory!
So let’s get started. As always, if you just want to know how to do it, see our wiki article.
Before we start working on our container, there are a few prereqs we need to attend to. Installing Glype would obviously be useful (we’ll install it on our host server rather than in the container for reasons explained later). You may also want to (and I did) use a dynamic DNS service so that you can connect easily with your Glype proxy once it’s up and running.
- Install glype onto your server under /var/www/htdocs
- Register for a DNS address with a service like NOIP which will make it easier to contact your proxy
- Add your DNS address to /etc/hosts on your server e.g.
127.0.0.1 localhost MicroServer myproxy.hopto.org justsomestuff-dev.co.uk puppet
Setting up the Docker Container
The approach we’ll use is to install a vendor supplied Docker image from Docker Hub. These are specifically built images made to run as containers, so they will provide us with a lightweight base to build on. We’ll need to customise the image, installing additional software and configuring an Apache server to run in the container. The way we can do that is to run our downloaded image with a bash shell so we have access to the container to do the installs and customising. Once we’ve finished, we can save it as our own custom image and launch it whenever we need it.
I decided to use a Docker container based on Fedora for this test. The main reasons for this are that I wanted a systemd based system for fast startup and an up to date distribution to ensure any container improvements are available. So we’re assuming you’ve already installed Docker on your server… if not, you’ll need to do that now. Now download the official Fedora Docker image from Docker Hub.
:~$ docker pull fedora:23
:~$ docker images
REPOSITORY   TAG   IMAGE ID       CREATED         SIZE
fedora       23    ddd5c9c1d0f2   5 minutes ago   204.7 MB
The Docker image is just a cut down version of Fedora and will be missing some of the packages we need to get Glype to work, in particular Apache, PHP and OpenSSL. To install these and perform the other customisations we need, we launch our Docker image running the bash shell:
:~$ docker run --name web-test -v /var/www/htdocs:/var/www/htdocs -it fedora:23 /bin/bash
NOTE: The -v /var/www/htdocs:/var/www/htdocs statement means that the server directory /var/www/htdocs will be mounted in the Docker container as /var/www/htdocs. As you’ll remember, this is where we installed Glype, so this makes Glype available to the container. The idea behind this is that we can tweak Glype without having to update our Docker image every time. So let’s do our customisations, firstly installing the required packages:
[root@5f4313be03a3 /]# dnf -y install tar httpd php php-common php-xml openssl mod_ssl && dnf -y clean all
Now we need to configure our Apache server. We’ll use https, so we need a virtual server that uses SSL:
[root@5f4313be03a3 /]# sed -i.orig 's/#ServerName/ServerName/' /etc/httpd/conf/httpd.conf
[root@5f4313be03a3 /]# cd /etc/httpd/conf.d
[root@5f4313be03a3 /]# vi test-proxy.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin firstname.lastname@example.org
        ServerName myproxy.hopto.org
        ServerAlias tony-proxy
        DocumentRoot /var/www/htdocs
        <Directory /var/www/htdocs/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride all
            Require all granted
        </Directory>
        #LogLevel info ssl:warn
        ErrorLog /var/log/httpd/error.log
        CustomLog /var/log/httpd/access.log combined
        #Include conf-available/serve-cgi-bin.conf
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/apache.crt
        SSLCertificateKeyFile /etc/httpd/ssl/apache.key
        #SSLCertificateChainFile /etc/httpd/ssl.crt/server-ca.crt
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
        #SSLCARevocationPath /etc/httpd/ssl.crl/
        #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
        #SSLVerifyClient require
        #SSLVerifyDepth 10
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
(I removed the documentary comments for brevity)
We need to run Apache in the foreground in our Docker container (as people familiar with Docker will know, each container should only really perform a single function, and we want this container to run a web server), so we need to create a script to launch Apache and set the permissions:
[root@5f4313be03a3 /]# vi /etc/httpd/run_apache_foreground
#!/bin/bash
#set variables
APACHE_LOG_DIR="/var/log/httpd"
APACHE_LOCK_DIR="/var/lock/httpd"
APACHE_RUN_USER="apache"
APACHE_RUN_GROUP="apache"
APACHE_PID_FILE="/var/run/httpd/httpd.pid"
APACHE_RUN_DIR="/var/run/httpd"
#create directories if necessary
if ! [ -d /var/run/httpd ]; then mkdir /var/run/httpd; fi
if ! [ -d /var/log/httpd ]; then mkdir /var/log/httpd; fi
if ! [ -d /var/lock/httpd ]; then mkdir /var/lock/httpd; fi
#run Apache in the foreground; exec replaces the shell so httpd is the
#container's main process and receives the stop signal from docker stop
exec httpd -D FOREGROUND
[root@5f4313be03a3 /]# chmod 755 /etc/httpd/run_apache_foreground
Then we have to generate the SSL certificate:
[root@5f4313be03a3 httpd]# mkdir /etc/httpd/ssl
[root@5f4313be03a3 httpd]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
Generating a 2048 bit RSA private key
..............+++
.......................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) :Cornwall
Locality Name (eg, city) [Default City]:St Tudy
Organization Name (eg, company) [Default Company Ltd]:JSS
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :glype-proxy
Email Address :email@example.com
The Glype proxy requires ionCube, so we need to install that. First we copy the tarball into the container using docker cp, then install it:
docker cp ioncube_loaders_lin_x86-64_5.1.2.tar.gz 3f4e9fbc1b36:/var/tmp
[root@5f4313be03a3 /]# cd /var/tmp
[root@5f4313be03a3 tmp]# ls
ioncube_loaders_lin_x86-64_5.1.2.tar.gz
[root@5f4313be03a3 tmp]# tar xvzf ioncube_loaders_lin_x86-64_5.1.2.tar.gz
[root@5f4313be03a3 local]# cd ioncube
[root@5f4313be03a3 ioncube]# cp loader-wizard.php /var/www/htdocs/glype
[root@5f4313be03a3 ioncube]# cd /usr/lib64/php/modules
[root@5f4313be03a3 modules]# cp /usr/local/ioncube/ioncube_loader_lin_5.6* .
[root@5f4313be03a3 modules]# chmod 755 ioncube*
[root@5f4313be03a3 modules]# cd /etc/php.d
[root@5f4313be03a3 php.d]# vi 00-ioncube.ini
add line: zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
ctrl+p ctrl+q
docker commit web-test glype-proxy
We’ve finished the configuration of our container now, so we have saved it. Note that we exited using ctrl+p then ctrl+q. This saves the changes; if you just exit, all changes would be lost, which would be a little annoying. We’re now ready to start our container:
docker run -v /var/www/htdocs:/var/www/htdocs -p 8443:443 -d -t glype-proxy /etc/httpd/run_apache_foreground
This command starts a docker container from the image we customised. It runs the script we created and will listen on port 8443 that will be mapped to 443 internally. Now if you connect to port 8443, you’ll see our Glype proxy front page, something like this:
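The interactive build above (a shell in the container, manual installs, then docker commit) can also be written as a Dockerfile so the image can be rebuilt from scratch. This is an added example, not part of the original post; it assumes test-proxy.conf, run_apache_foreground and the ionCube tarball sit in the build context, and it passes the post's certificate answers through -subj so openssl does not prompt.

```dockerfile
# Added example: the manual steps from this post captured as a Dockerfile.
# Assumed build-context files (this example's layout, not the post's):
#   test-proxy.conf, run_apache_foreground, ioncube_loaders_lin_x86-64_5.1.2.tar.gz
FROM fedora:23

# Same packages as the interactive dnf step.
RUN dnf -y install tar httpd php php-common php-xml openssl mod_ssl \
    && dnf -y clean all

# Uncomment ServerName, as the sed step did.
RUN sed -i.orig 's/#ServerName/ServerName/' /etc/httpd/conf/httpd.conf

# Virtual host and foreground launcher written earlier in the post.
COPY test-proxy.conf /etc/httpd/conf.d/test-proxy.conf
COPY run_apache_foreground /etc/httpd/run_apache_foreground
RUN chmod 755 /etc/httpd/run_apache_foreground

# Self-signed certificate with the same answers as the interactive session,
# supplied through -subj; the key is readable by root only.
RUN mkdir -p /etc/httpd/ssl \
    && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
       -subj "/C=GB/ST=Cornwall/L=St Tudy/O=JSS/CN=glype-proxy" \
       -keyout /etc/httpd/ssl/apache.key \
       -out /etc/httpd/ssl/apache.crt \
    && chmod 600 /etc/httpd/ssl/apache.key

# ionCube loader: ADD unpacks a local tar.gz, giving /usr/local/ioncube.
ADD ioncube_loaders_lin_x86-64_5.1.2.tar.gz /usr/local/
RUN cp /usr/local/ioncube/ioncube_loader_lin_5.6* /usr/lib64/php/modules/ \
    && chmod 755 /usr/lib64/php/modules/ioncube* \
    && echo 'zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.6.so' \
       > /etc/php.d/00-ioncube.ini

# Glype itself stays on the host and is bind-mounted at run time with -v.
VOLUME /var/www/htdocs
EXPOSE 443
CMD ["/etc/httpd/run_apache_foreground"]
```

Build it with `docker build -t glype-proxy .` and start it with the same docker run command as before. The private key ends up in an image layer, just as it does with docker commit, so keep the image out of public registries.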