Running a Glype proxy in a Docker container

So what are we up to today? Running a Glype proxy in a Docker container. “You what?”, you may say. Let me expand. If you’re not sure what a Glype proxy is, it’s a web-based proxy that can be used for anonymous browsing, bypassing censorship and things of that nature. I won’t go into the ins and outs of why you may want to use technology like this; suffice to say that I think it’s a useful tool to have at your disposal but, having said that, I rarely use it. And that’s exactly why I decided it would be a good candidate to use in a Docker container. What is the point of having something so rarely used up and running all the time, wasting resources and exposing a port for potential hackers to exploit? If you can just fire up a container when it’s needed, problem solved.

It also gives me a good excuse to play around a bit more with Docker. Whilst there are quite a few tutorials available on the Docker site, I always prefer to work on something that may actually be useful. And frankly I found running an Ubuntu container that echoes “Hello World” then exits more confusing than explanatory!

So let’s get started. As always, if you just want to know how to do it, see our wiki article.

Prerequisites

Before we start working on our container, there’s a few prereqs we need to attend to. Installing Glype would obviously be useful (we’ll install it on our host server rather than in the container for reasons explained later). You may also want to (and I did) use a dynamic DNS service so that you can connect easily with your Glype proxy once it’s up and running.

  • Install Glype onto your server under /var/www/htdocs
  • Register for a DNS address with a service like NOIP which will make it easier to contact your proxy
  • Add your DNS address to /etc/hosts on your server e.g.
   127.0.0.1       localhost MicroServer myproxy.hopto.org justsomestuff-dev.co.uk puppet


Setting up the Docker Container

The approach we’ll use is to install a vendor-supplied Docker image from Docker Hub. These are images built specifically to run as containers, so they provide a lightweight base for us to build on. We’ll need to customise the image, installing additional software and configuring an Apache server to run in the container. The way we can do that is to run our downloaded image with a bash shell so we have access to the container to do the installs and customising. Once we’ve finished, we can save it as our own custom image and launch it whenever we need it.

I decided to use a Docker container based on Fedora for this test. The main reasons for this are that I wanted a systemd-based system for fast startup and an up-to-date distribution to ensure any container improvements are available. We’re assuming you’ve already installed Docker on your server; if not, you’ll need to do that now. Now download the official Fedora Docker image from Docker Hub.

:~$ docker pull fedora:23
:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
fedora              23                  ddd5c9c1d0f2        5 minutes ago       204.7 MB

The Docker image is just a cut-down version of Fedora and will be missing some of the packages we need to get Glype to work, in particular Apache, PHP and OpenSSL. To install these and perform the other customisations, we need to launch our Docker image running the bash shell:

:~$ docker run --name web-test -v /var/www/htdocs:/var/www/htdocs -it fedora:23 /bin/bash

NOTE: The -v /var/www/htdocs:/var/www/htdocs option means that the server directory /var/www/htdocs will be mounted in the Docker container as /var/www/htdocs. As you’ll remember, this is where we installed Glype, so this makes Glype available to the container. The idea behind this is that we can tweak Glype without having to update our Docker image every time. So let’s do our customisations, firstly installing the required packages:

[root@5f4313be03a3 /]# dnf -y install tar httpd php php-common php-xml openssl mod_ssl && dnf -y clean all

Now we need to configure our Apache server. We’ll use https, so we need a virtual server that uses SSL:

[root@5f4313be03a3 /]# sed -i.orig 's/#ServerName/ServerName/' /etc/httpd/conf/httpd.conf
[root@5f4313be03a3 /]# cd /etc/httpd/conf.d
[root@5f4313be03a3 /]# vi test-proxy.conf
<IfModule mod_ssl.c>
      <VirtualHost _default_:443>
              ServerAdmin someplace@yahoo.com
              ServerName  myproxy.hopto.org
              ServerAlias tony-proxy
 
              DocumentRoot /var/www/htdocs
              <Directory /var/www/htdocs/>
                 Options Indexes FollowSymLinks MultiViews
                 AllowOverride all
                 Require all granted
              </Directory>
              
              #LogLevel info ssl:warn

              ErrorLog /var/log/httpd/error.log
              CustomLog /var/log/httpd/access.log combined

              #Include conf-available/serve-cgi-bin.conf
           
              SSLEngine on

              SSLCertificateFile      /etc/httpd/ssl/apache.crt
              SSLCertificateKeyFile /etc/httpd/ssl/apache.key

              #SSLCertificateChainFile /etc/httpd/ssl.crt/server-ca.crt

              #SSLCACertificatePath /etc/ssl/certs/
              #SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

              #SSLCARevocationPath /etc/httpd/ssl.crl/
              #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

              #SSLVerifyClient require
              #SSLVerifyDepth  10
 
              #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
              <FilesMatch "\.(cgi|shtml|phtml|php)$">
                              SSLOptions +StdEnvVars
              </FilesMatch>
              <Directory /usr/lib/cgi-bin>
                              SSLOptions +StdEnvVars
              </Directory>
              
              BrowserMatch "MSIE [2-6]" \
                              nokeepalive ssl-unclean-shutdown \
                              downgrade-1.0 force-response-1.0
              # MSIE 7 and newer should be able to use keepalive
              BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
      </VirtualHost>
 </IfModule>

(I removed the documentary comments for brevity)
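
A quick check of the settings in this virtual host that matter for exposure, as an added example (not part of the original post): it flags directory listing via Options Indexes, AllowOverride all, and SSLEngine on without an explicit SSLProtocol line. The function names audit_vhost and write_sample and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag exposure-relevant directives in an Apache vhost file.
# audit_vhost FILE prints one finding per line (nothing if the file is clean).
audit_vhost() {
    awk '
        $1 ~ /^#/ { next }                     # ignore commented-out directives
        { d = tolower($1) }
        d == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes")
                    print "listing: directory listing enabled (line " NR ")"
            }
        }
        d == "allowoverride" && tolower($2) == "all" {
            print "override: .htaccess can change any setting (line " NR ")"
        }
        d == "sslprotocol" { proto = 1 }
        d == "sslengine" && tolower($2) == "on" { ssl = 1 }
        END {
            if (ssl && !proto)
                print "protocol: SSLEngine on, no explicit SSLProtocol"
        }
    ' "$1"
}

# Constructed sample: the directives from the vhost above that the check reads.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot /var/www/htdocs
    <Directory /var/www/htdocs/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>
    #SSLProtocol all -SSLv3
    SSLEngine on
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_vhost "$sample"
rm -f "$sample"
```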

We need to run Apache in the foreground in our Docker container (as people familiar with Docker will know, each container should really only perform a single function, and we want this container to run a web server), so we need to create a script to launch Apache and set its permissions:

[root@5f4313be03a3 /]# vi /etc/httpd/run_apache_foreground 

#!/bin/bash

#set variables
APACHE_LOG_DIR="/var/log/httpd"
APACHE_LOCK_DIR="/var/lock/httpd"
APACHE_RUN_USER="apache"
APACHE_RUN_GROUP="apache"
APACHE_PID_FILE="/var/run/httpd/httpd.pid"
APACHE_RUN_DIR="/var/run/httpd"

#create directories if necessary
mkdir -p "$APACHE_RUN_DIR" "$APACHE_LOG_DIR" "$APACHE_LOCK_DIR"

#run Apache in the foreground; exec makes httpd the container's main
#process so it receives the stop signal from docker directly
exec httpd -D FOREGROUND
[root@5f4313be03a3 /]# chmod 755 /etc/httpd/run_apache_foreground

Then we have to generate the SSL certificate:

 [root@5f4313be03a3 httpd]# mkdir /etc/httpd/ssl
 [root@5f4313be03a3 httpd]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
 Generating a 2048 bit RSA private key
 ..............+++
 .......................+++
 writing new private key to '/etc/httpd/ssl/apache.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:GB
 State or Province Name (full name) []:Cornwall
 Locality Name (eg, city) [Default City]:St Tudy
 Organization Name (eg, company) [Default Company Ltd]:JSS
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:glype-proxy
 Email Address []:someplace@yahoo.com
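
The same certificate can be created without the interactive prompts, as an added example (not part of the original post). It sets the Common Name to the ServerName from the virtual host so that a hostname check passes, and keeps the private key readable by its owner only; the function names make_cert and cert_matches and the temporary directory are illustrative.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate whose CN matches
# the ServerName used in the virtual host.

# make_cert DIR HOST: writes DIR/apache.key and DIR/apache.crt
make_cert() {
    dir=$1 host=$2
    mkdir -p "$dir"
    (
        umask 077    # the key file is created 0600, not world-readable
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$host" \
            -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    )
}

# cert_matches CERT HOST: succeeds if the certificate is valid for HOST
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo in a throwaway directory (constructed paths, not /etc/httpd/ssl).
tmp=$(mktemp -d)
make_cert "$tmp" myproxy.hopto.org
cert_matches "$tmp/apache.crt" myproxy.hopto.org && echo "matches myproxy.hopto.org"
cert_matches "$tmp/apache.crt" glype-proxy || echo "does not match glype-proxy"
rm -rf "$tmp"
```

Current browsers match on subjectAltName rather than the Common Name; with OpenSSL 1.1.1 or later, adding -addext "subjectAltName=DNS:$host" to the req command includes it.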

The Glype proxy requires ionCube, so we need to install that. First we can copy the tarball using docker cp, then install it:

docker cp ioncube_loaders_lin_x86-64_5.1.2.tar.gz 3f4e9fbc1b36:/var/tmp
 
 [root@5f4313be03a3 /]# cd /var/tmp
 [root@5f4313be03a3 tmp]# ls
 ioncube_loaders_lin_x86-64_5.1.2.tar.gz
 [root@5f4313be03a3 tmp]# tar xvzf ioncube_loaders_lin_x86-64_5.1.2.tar.gz
[root@5f4313be03a3 local]# cd ioncube
 [root@5f4313be03a3 ioncube]# cp loader-wizard.php /var/www/htdocs/glype
 [root@5f4313be03a3 ioncube]# cd /usr/lib64/php/modules
 [root@5f4313be03a3 modules]# cp /usr/local/ioncube/ioncube_loader_lin_5.6* . 
 [root@5f4313be03a3 modules]# chmod 755 ioncube*
 [root@5f4313be03a3 modules]# cd /etc/php.d
 [root@5f4313be03a3 php.d]# vi 00-ioncube.ini
 add line: zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
 
 ctrl+p ctrl+q
 docker commit web-test glype-proxy

We’ve finished the configuration of our container now, so we have saved it. Note that we exited using ctrl+p then ctrl+q. This saves the changes; if you just exit, all changes would be lost, which would be a little annoying. We’re now ready to start our container:

 docker run -v /var/www/htdocs:/var/www/htdocs -p 8443:443 -d -t glype-proxy /etc/httpd/run_apache_foreground

This command starts a docker container from the image we customised. It runs the script we created and will listen on port 8443 that will be mapped to 443 internally. Now if you connect to port 8443, you’ll see our Glype proxy front page, something like this:

[Screenshot: Glype proxy front page]

