
I'm trying to use Docker with a proxy server that has its own CA cert. I can't figure out how to configure the proxy for all containers running under my user without installing the certificate on each one. Any help with this would be much appreciated!

I'm using Docker Desktop Docker version 19.03.13, build 4484c46d9d, on OS X Catalina 10.15.4. Burp Suite proxies all the HTTP requests on my computer. I have the Burp Suite CA certificate installed in my OS X Login and System keychains. When I configure the proxy in my ~/.docker/config.json file, it points to the correct proxy but I get an error:

Errno::ECONNREFUSED: Failed to open TCP connection to 127.0.0.1:8080

When I install the Burp Suite certificate directly in the Docker container, I'm able to proxy requests with no additional config necessary (including environment variables or config.json changes). However, I run a lot of Docker containers, most of them standardised for multiple dev environments, and don't want to modify every Dockerfile when only my machine needs this.

This is the relevant part of my ~/.docker/config.json file:

{
  "proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:8080",
      "httpsProxy": "https://127.0.0.1:8080"
    }
  }
}

And this is my Dockerfile:

FROM ruby:2
RUN gem install ronin-support
COPY rails_rce.rb .

Finally, this is the total output when I run docker build .:

Sending build context to Docker daemon  11.26kB
Step 1/3 : FROM ruby:2
 ---> 343d2dc24f38
Step 2/3 : RUN gem install ronin-support
 ---> Running in 150bf40c6ad8
ERROR:  Could not find a valid gem 'ronin-support' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - Errno::ECONNREFUSED: Failed to open TCP connection to 127.0.0.1:8080 (Connection refused - connect(2) for "127.0.0.1" port 8080) (https://rubygems.org/specs.4.8.gz)
The command '/bin/sh -c gem install ronin-support' returned a non-zero code: 2

I'm new to creating my own Dockerfiles and config.

halfer
Dana Scheider

1 Answer

It's the same thing as when you need to connect from the container to the host on Mac.

You should use host.docker.internal instead of localhost.

So the config will be

{
  "proxies": {
    "default": {
      "httpProxy": "http://host.docker.internal:8080",
      "httpsProxy": "http://host.docker.internal:8080"
    }
  }
}

Also, you need to add the Burp Suite CA to your container.

First, convert it to PEM:

openssl x509 -inform der -in cacert.der -out burp_cert.crt

Then add it to the trusted CAs in the container via the Dockerfile:

FROM ruby:2
# Burp CA in PEM form; update-ca-certificates rebuilds /etc/ssl/certs/ca-certificates.crt
COPY burp_cert.crt /usr/local/share/ca-certificates/burp.crt
RUN update-ca-certificates
RUN gem install ronin-support
COPY rails_rce.rb .
Andrei Kovrov
  • Thanks, that helped, but now I'm getting this error again if I don't install the cert in the Docker container: ERROR: SSL verification error at depth 1: self signed certificate in certificate chain (19) ERROR: Root certificate is not trusted (/C=PortSwigger/ST=PortSwigger/L=PortSwigger/O=PortSwigger/OU=PortSwigger CA/CN=PortSwigger CA) – Dana Scheider Nov 10 '20 at 00:39
  • @Dana Scheider It happens because your container doesn't know anything about your 'trusted' CA. You should also install the CA cert into the container. – Andrei Kovrov Nov 10 '20 at 00:52
  • Yeah, the issue is that I need this for every container I run on my machine, and that includes containers that have set configurations that need to be shared between dev environments. There has to be a way other than adding this to every single Dockerfile and then checking out before commit, right? – Dana Scheider Nov 10 '20 at 01:57
  • @Dana Scheider Either way, you have to add the cert to the container's trusted store. You can only simplify this process. For instance, you could create a parent image with a configurable parameter (add or don't add the cert to CA when a container is starting) and inherit all your images from this one. – Andrei Kovrov Nov 10 '20 at 02:33
  • Oh how annoying! Well I appreciate your time answering my questions! – Dana Scheider Nov 10 '20 at 02:49
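The last comment above suggests a parent image with a switch that adds the CA when the container starts. The script below is an added example of that switch (it is not code from the original post or from Docker or PortSwigger): an ENTRYPOINT for the shared parent image that converts the Burp export from DER to PEM, as the answer does, and installs it into the system trust store only when the operator asks for it. The names EXTRA_CA_CERT, CA_DIR, UPDATE_CMD, to_pem, install_extra_ca and extra-ca.crt are this example's own choices; the directory default and the update-ca-certificates step assume a Debian/Ubuntu-based image such as ruby:2.

```shell
#!/bin/sh
# Added example (not from the original post): ENTRYPOINT for a shared parent
# image that installs an extra CA, e.g. the Burp Suite CA, at container start,
# but only when EXTRA_CA_CERT is set, so the image itself stays untouched.
# EXTRA_CA_CERT, CA_DIR, UPDATE_CMD, to_pem, install_extra_ca and extra-ca.crt
# are names chosen for this example, not Docker or Burp conventions.
set -eu

# Where Debian/Ubuntu-based images (ruby:2 included) pick up local CAs.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"
# Command that rebuilds the system bundle. Overridable so the functions can be
# exercised outside a container without touching the host's trust store.
UPDATE_CMD="${UPDATE_CMD:-update-ca-certificates}"

# to_pem SRC DST: Burp exports its CA as DER ("cacert.der"), but
# update-ca-certificates only reads PEM files ending in .crt.
# PEM input is copied through unchanged; anything that is neither fails.
to_pem() {
    src="$1"
    dst="$2"
    if openssl x509 -inform pem -in "$src" -noout >/dev/null 2>&1; then
        cp "$src" "$dst"
    else
        openssl x509 -inform der -in "$src" -out "$dst" >/dev/null 2>&1 || {
            rm -f "$dst"
            return 1
        }
    fi
}

install_extra_ca() {
    # Nothing requested: behave exactly like the plain image.
    [ -n "${EXTRA_CA_CERT:-}" ] || return 0
    if [ ! -r "$EXTRA_CA_CERT" ]; then
        echo "entrypoint: EXTRA_CA_CERT=$EXTRA_CA_CERT is not readable" >&2
        return 1
    fi
    mkdir -p "$CA_DIR"
    to_pem "$EXTRA_CA_CERT" "$CA_DIR/extra-ca.crt" || {
        echo "entrypoint: $EXTRA_CA_CERT is neither a PEM nor a DER certificate" >&2
        return 1
    }
    # A trust anchor that is not a CA will not validate Burp's per-host leaf certs.
    if ! openssl x509 -in "$CA_DIR/extra-ca.crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "entrypoint: warning: extra CA has no CA:TRUE basic constraint" >&2
    fi
    # Rebuild /etc/ssl/certs/ca-certificates.crt so OpenSSL-backed clients
    # (RubyGems, curl, ...) see the new anchor. Fail closed if that is impossible.
    "$UPDATE_CMD" >/dev/null 2>&1 || {
        echo "entrypoint: $UPDATE_CMD failed; is the ca-certificates package installed?" >&2
        return 1
    }
}

# Act as an entrypoint only when given a command to exec; loading the file
# without arguments just defines the functions above.
if [ "$#" -gt 0 ]; then
    install_extra_ca
    exec "$@"
fi
```

In the parent image this is `COPY entrypoint.sh /usr/local/bin/entrypoint.sh` plus `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`, with each child image setting its own `CMD`; on the Burp machine a container is then started with `docker run -e EXTRA_CA_CERT=/certs/cacert.der -v "$HOME/burp:/certs:ro" <image>`, and everywhere else nothing changes. Three caveats worth knowing: `docker build` does not run the entrypoint, so the `RUN gem install` in the original Dockerfile still needs the answer's COPY and RUN lines (the proxy from config.json is injected into build steps too, which is why the build hit 127.0.0.1:8080 in the first place); only programs that read the system OpenSSL store pick the anchor up, while Node (NODE_EXTRA_CA_CERTS), Java (its keystore via keytool) and pip/requests (REQUESTS_CA_BUNDLE) keep their own; and the script fails closed on purpose, since an unreadable or malformed cert should stop the container rather than let it run into the "self signed certificate in certificate chain" errors quoted in the comments. Mounting the CA at run time rather than baking it in also keeps a trust anchor that can intercept all of the container's TLS out of images that get pushed or shared.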