(~)

docker-compose.yml

@@ -2,10 +2,9 @@ version: "3.9"
 
 services:
     trail:
-        image: ubuntu/squid:5.2-22.04_beta
+        image: josiahdc/trail
+        build: ./trail
         ports:
             -   target: 3128
                 published: 3128
         restart: always
-        environment:
-            - TZ=UTC

gyfu.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-TAG="0.20"
+TAG="0.21"
 
 # build image
 docker buildx build --platform linux/amd64 -t josiahdc/trail:${TAG} ./trail --push

trail/Dockerfile

@@ -1,6 +1,7 @@
-FROM ubuntu:22.04
+FROM ubuntu:jammy
 
 RUN apt -y update
+RUN apt -y upgrade
 RUN apt -y install \
     bash \
     git \
@@ -15,31 +16,19 @@ RUN apt -y install \
     sudo
 
 
-WORKDIR /bough
+WORKDIR /app
 
-# configure openvpn
-RUN apt -y install openvpn
+# configure squid
+RUN apt -y install squid
+COPY squid.conf /etc/squid/squid.conf
+RUN systemctl enable squid
 
 # install requirements
-COPY requirements.txt .
-RUN pip3 install -r requirements.txt
-
-RUN apt -y install tinyproxy
-COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf
-
-# configure openvpn
-COPY openvpn ./openvpn
-
-## (~) might come in handy maybe?
-## copy in update-resolv-conf
-## needed by at least proton
-#RUN apt -y install openresolv
-#RUN mkdir -p /etc/openvpn/
-#COPY update-resolv-conf.sh /etc/openvpn/update-resolv-conf
-#RUN chmod 777 /etc/openvpn/update-resolv-conf
+COPY ./requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
 
 # grab source
-RUN touch __init__.py
-COPY trail.py .
+COPY ./src ./src
+COPY ./bootstrapper.sh ./bootstrapper.sh
 
-ENTRYPOINT ["gunicorn", "-b 0.0.0.0:33710", "-w 1", "trail:create_app()", "--threads 1"]
+CMD ./bootstrapper.sh

trail/bootstrapper.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sudo systemctl restart squid
+sleep infinity

trail/squid.conf

@@ -1330,27 +1330,27 @@
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
-acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8    # RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10    # RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16  # RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12    # RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16    # RFC 1918 local private network (LAN)
-acl localnet src fc00: :/7        # RFC 4193 local private network range
-acl localnet src fe80: :/10        # RFC 4291 link-local (directly plugged) machines
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
 
 
 acl SSL_ports port 443
-acl Safe_ports port 80    # http
-acl Safe_ports port 21    # ftp
-acl Safe_ports port 443    # https
-acl Safe_ports port 70    # gopher
-acl Safe_ports port 210    # wais
-acl Safe_ports port 1025-65535  # unregistered ports
-acl Safe_ports port 280    # http-mgmt
-acl Safe_ports port 488    # gss-http
-acl Safe_ports port 591    # filemaker
-acl Safe_ports port 777    # multiling http
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
 
 #  TAG: proxy_protocol_access
 #	Determine which client proxies can be trusted to provide correct
@@ -1549,7 +1549,7 @@ include /etc/squid/conf.d/*.conf
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
-#http_access allow localnet
+http_access allow localnet
 http_access allow localhost
 
 # And finally deny all other access to this proxy
@@ -5615,8 +5615,8 @@ coredump_dir /var/spool/squid
 #
 # Add any of your own refresh_pattern entries above these.
 #
-refresh_pattern ^ftp: 1440	20%	10080
-refresh_pattern ^gopher: 1440	0%	1440
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
 refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
 refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
 refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims

trail/trail.py → trail/src/trail.py

@@ -1,4 +1,3 @@
-import subprocess
 from time import sleep
 
 import requests as requests
@@ -7,53 +6,23 @@
 
 MAX_ATTEMPTS = 7
 
+app = Flask(__name__)
+
 
 class Trail:
     def __init__(self):
         logger.info("( ) initializing trail")
-        self.config_path = "/bough/openvpn/config"
-        self.auth_path = "/bough/openvpn/auth"
         self.reflector_url = "https://api.ipify.org?format=json"
         self.overhill_address = self.collect_overhill_address()
-        self.connect_openvpn()
-        self.force_cloudflare_dns()
-        self.start_proxy()
         self.confirm_connection()
-
-        # prep flask
-        self.flask_app = Flask("trail")
-        self.flask_app.add_url_rule("/condemn", view_func=self.condemn, methods=["POST"])
         logger.info("(*) initialized trail")
 
-    def condemn(self):
-        logger.info("( ) shutting down")
-        raise Exception("Shutdown!")
-
     def collect_overhill_address(self):
         logger.info(f"( ) collecting overhill address")
         overhill_address = requests.get(self.reflector_url).json()["ip"]
         logger.info(f"(*) collected overhill address: {overhill_address}")
         return overhill_address
 
-    def connect_openvpn(self):
-        logger.info("( ) starting openvpn")
-        command = f"nohup openvpn --config {self.config_path} --auth-user-pass {self.auth_path} &"
-        self.shell_exec(command)
-        logger.info("(*) started openvpn")
-
-    def force_cloudflare_dns(self):
-        logger.info("( ) forcing cloudflare dns resolution")
-        command = "echo 'nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 trust-ad' > /etc/resolv.conf"
-        self.shell_exec(command)
-        logger.info("(*) forced cloudflare dns resolution")
-
-    def start_proxy(self):
-        logger.info("( ) starting proxy")
-        command = "tinyproxy"
-        # (~) if you want to debug, use `tinyproxy -d` instead
-        self.shell_exec(command)
-        logger.info("(*) started proxy")
-
     def confirm_connection(self):
         logger.info("( ) confirming disguise")
         proxy_settings = {
@@ -74,22 +43,3 @@ def confirm_connection(self):
         if current_attempts >= MAX_ATTEMPTS:
             raise Exception("Could not verify ipv4 address had changed (~) check vpn")
         logger.info(f"(*) confirmed disguise: {self.overhill_address} -> {underhill_address}")
-
-    def shell_exec(self, command):
-        subprocess.run(
-            command,
-            shell=True,
-            encoding="UTF-8",
-            check=True,
-            capture_output=False
-        )
-
-
-def create_app():
-    trail = Trail()
-    return trail.flask_app
-
-
-if __name__ == '__main__':
-    trail = Trail()
-    trail.flask_app.run(host="0.0.0.0", port=33700, threaded=False, processes=1)