From 90e4fae240a6b6dcb62fd2e33e39e2050802c67b Mon Sep 17 00:00:00 2001
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Fri, 30 Jan 2026 01:56:07 -0800
Subject: [PATCH 1/4] Rewrite and simplify
---
 .github/workflows/workflow.yml | 64 ++++++++++++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 3dbbc6f..0a95749 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,15 +90,45 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN --dns 127.0.0.1
 services:
 squid-proxy:
 image: ubuntu/squid:latest
 ports:
 - 3128:3128
 env:
+ http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
+ - name: Install iptables
+ run: |
+ apt-get update
+ apt-get install -y iptables
+ - name: Block direct traffic (enforce proxy usage)
+ run: |
+ # Get the squid-proxy container IP
+ PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+ echo "Proxy IP: $PROXY_IP"
+
+ # Allow loopback traffic
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Allow traffic to the proxy container
+ iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+
+ # Allow established connections
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow DNS (needed for initial resolution)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+ # Block all other outbound traffic (HTTP/HTTPS)
+ iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+ iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+
+ # Log the iptables rules for debugging
+ iptables -L -v -n
 - name: Checkout
 uses: actions/checkout@v5
 - name: Generate files
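Review bot: The rules under `# Block all other outbound traffic (HTTP/HTTPS)` reject only TCP 80 and 443, so the step does not deliver what its name and comment claim: a direct connection to any other port, or anything over UDP, still leaves the container, and the later sanity check only probes 443. Since the intended policy is proxy-only egress, finish the chain with a default deny, e.g. `iptables -A OUTPUT -j REJECT` as the last rule (or `iptables -P OUTPUT DROP`), so that the two port-specific rules stop being the whole policy. `$PROXY_IP` is also unguarded: if `getent hosts squid-proxy` returns nothing, `-d $PROXY_IP` produces a malformed iptables command and the step fails with an obscure parse error, so add `[ -n "$PROXY_IP" ] || { echo "could not resolve squid-proxy"; exit 1; }` right after the assignment. The port-53 ACCEPT rules allow DNS to any destination rather than only the container's configured resolver; once a default deny is in place it is worth restricting them to the address in /etc/resolv.conf. The hunk at `@@ -114,15 +144,45 @@` adds the identical step to the second job and needs the same changes.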
@@ -114,15 +144,45 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN --dns 127.0.0.1
 services:
 squid-proxy:
 image: ubuntu/squid:latest
 ports:
 - 3128:3128
 env:
+ http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
+ - name: Install iptables
+ run: |
+ apt-get update
+ apt-get install -y iptables
+ - name: Block direct traffic (enforce proxy usage)
+ run: |
+ # Get the squid-proxy container IP
+ PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+ echo "Proxy IP: $PROXY_IP"
+
+ # Allow loopback traffic
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Allow traffic to the proxy container
+ iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+
+ # Allow established connections
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow DNS (needed for initial resolution)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+ # Block all other outbound traffic (HTTP/HTTPS)
+ iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+ iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+
+ # Log the iptables rules for debugging
+ iptables -L -v -n
 - name: Checkout
 uses: actions/checkout@v5
 - name: Restore cache
From 95a07c51324af6001b4d6ab8dff29f4dfadc2531 Mon Sep 17 00:00:00 2001
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Fri, 30 Jan 2026 02:00:09 -0800
Subject: [PATCH 2/4] Add wait for proxy
---
 .github/workflows/workflow.yml | 50 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 0a95749..59eb05b 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -100,10 +100,31 @@ jobs:
 http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
- - name: Install iptables
+ - name: Wait for proxy to be ready
+ run: |
+ echo "Waiting for squid proxy to be ready..."
+ for i in $(seq 1 30); do
+ if nc -z squid-proxy 3128 2>/dev/null; then
+ echo "Proxy is ready!"
+ exit 0
+ fi
+ echo "Attempt $i: Proxy not ready, waiting..."
+ sleep 1
+ done
+ echo "Proxy failed to become ready"
+ exit 1
+ env:
+ http_proxy: ""
+ https_proxy: ""
+ - name: Install dependencies
 run: |
 apt-get update
- apt-get install -y iptables
+ apt-get install -y iptables curl
+ - name: Verify proxy is working
+ run: |
+ echo "Testing proxy connectivity..."
+ curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
+ echo "Proxy verification complete"
 - name: Block direct traffic (enforce proxy usage)
 run: |
 # Get the squid-proxy container IP
@@ -154,10 +175,31 @@ jobs:
 http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
- - name: Install iptables
+ - name: Wait for proxy to be ready
+ run: |
+ echo "Waiting for squid proxy to be ready..."
+ for i in $(seq 1 30); do
+ if nc -z squid-proxy 3128 2>/dev/null; then
+ echo "Proxy is ready!"
+ exit 0
+ fi
+ echo "Attempt $i: Proxy not ready, waiting..."
+ sleep 1
+ done
+ echo "Proxy failed to become ready"
+ exit 1
+ env:
+ http_proxy: ""
+ https_proxy: ""
+ - name: Install dependencies
 run: |
 apt-get update
- apt-get install -y iptables
+ apt-get install -y iptables curl
+ - name: Verify proxy is working
+ run: |
+ echo "Testing proxy connectivity..."
+ curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
+ echo "Proxy verification complete"
 - name: Block direct traffic (enforce proxy usage)
 run: |
 # Get the squid-proxy container IP
From acf2f1f76affe1ef80eee8e56dfddd3b3e5f0fba Mon Sep 17 00:00:00 2001
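Review bot: The `Verify proxy is working` step cannot fail: `|| true` swallows curl's exit status and the `%{http_code}` it prints is never examined, so a dead or misconfigured proxy is still reported as `Proxy verification complete` and only surfaces later, in an unrelated step. Capture the code and gate on it, e.g. `code=$(curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com) || true`, `echo "Proxy returned HTTP $code"`, `case "$code" in 2*|3*) ;; *) echo "Proxy check failed"; exit 1 ;; esac`. As a side effect this also fixes the log output, where `%{http_code}` is printed without a trailing newline and runs into the next echo. The hunk at `@@ -154,10 +175,31 @@` adds the identical step to the second job and needs the same change.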
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Fri, 30 Jan 2026 02:03:12 -0800
Subject: [PATCH 3/4] Fix resolution
---
 .github/workflows/workflow.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 59eb05b..2ba4d30 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,7 +90,7 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --cap-add=NET_ADMIN --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN
 services:
 squid-proxy:
 image: ubuntu/squid:latest
@@ -101,15 +101,18 @@ jobs:
 https_proxy: http://squid-proxy:3128
 steps:
 - name: Wait for proxy to be ready
+ shell: bash
 run: |
 echo "Waiting for squid proxy to be ready..."
+ echo "Resolving squid-proxy hostname:"
+ getent hosts squid-proxy || echo "DNS resolution failed"
 for i in $(seq 1 30); do
- if nc -z squid-proxy 3128 2>/dev/null; then
+ if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
 echo "Proxy is ready!"
 exit 0
 fi
 echo "Attempt $i: Proxy not ready, waiting..."
- sleep 1
+ sleep 2
 done
 echo "Proxy failed to become ready"
 exit 1
@@ -165,7 +168,7 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --cap-add=NET_ADMIN --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN
 services:
 squid-proxy:
 image: ubuntu/squid:latest
@@ -176,15 +179,18 @@ jobs:
 https_proxy: http://squid-proxy:3128
 steps:
 - name: Wait for proxy to be ready
+ shell: bash
 run: |
 echo "Waiting for squid proxy to be ready..."
+ echo "Resolving squid-proxy hostname:"
+ getent hosts squid-proxy || echo "DNS resolution failed"
 for i in $(seq 1 30); do
- if nc -z squid-proxy 3128 2>/dev/null; then
+ if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
 echo "Proxy is ready!"
 exit 0
 fi
 echo "Attempt $i: Proxy not ready, waiting..."
- sleep 1
+ sleep 2
 done
 echo "Proxy failed to become ready"
 exit 1
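Review bot: In the `Wait for proxy to be ready` step, `getent hosts squid-proxy || echo "DNS resolution failed"` only prints and then falls into the 30 x 2 s loop, which is unlikely to succeed when the name does not resolve (the `/dev/tcp` redirect resolves it the same way), so a resolution failure costs a full minute before the step fails with a less specific message. Make the check decisive: `getent hosts squid-proxy || { echo "DNS resolution failed"; exit 1; }`. Since the step now declares `shell: bash`, `for i in $(seq 1 30); do` can also be written as the bash-native `for i in {1..30}; do`. Both hunks, `@@ -101,15 +101,18 @@` and `@@ -176,15 +179,18 @@`, carry the same code and need the same change.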
From 984a21b1cb176a0936f4edafb42be88978f93ef1 Mon Sep 17 00:00:00 2001
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Fri, 30 Jan 2026 02:05:51 -0800
Subject: [PATCH 4/4] Add traffic sanity check step
---
 .github/workflows/workflow.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 2ba4d30..32c071d 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -153,6 +153,23 @@ jobs:
 
 # Log the iptables rules for debugging
 iptables -L -v -n
+ - name: Verify direct HTTPS is blocked
+ run: |
+ echo "Testing that direct HTTPS requests fail..."
+ if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
+ echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
+ exit 1
+ else
+ echo "SUCCESS: Direct HTTPS request was blocked as expected"
+ fi
+
+ echo "Testing that HTTPS through proxy succeeds..."
+ if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
+ echo "SUCCESS: HTTPS request through proxy succeeded"
+ else
+ echo "ERROR: HTTPS request through proxy failed!"
+ exit 1
+ fi
 - name: Checkout
 uses: actions/checkout@v5
 - name: Generate files
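Review bot: The `Verify direct HTTPS is blocked` step treats any curl failure as proof that the iptables rules work: a DNS failure, a TLS error, or curl being absent would all take the `SUCCESS` branch, so the check can pass while no rule is in effect at all. Distinguish the expected outcome by exit code, since curl returns 7 (failed to connect) when the REJECT rule answers the connection, e.g. `rc=0; curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1 || rc=$?` followed by `if [ "$rc" -ne 7 ]; then echo "ERROR: direct request was not rejected (curl exit $rc)"; exit 1; fi`. The probe also only exercises port 443, which is exactly the port the earlier step rejects, so it says nothing about whether egress on other ports is closed; a second probe against a port the rules do not name would show whether the policy is really proxy-only. The hunk at `@@ -231,6 +248,23 @@` adds the identical step to the second job and needs the same change.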
@@ -231,6 +248,23 @@ jobs:
 
 # Log the iptables rules for debugging
 iptables -L -v -n
+ - name: Verify direct HTTPS is blocked
+ run: |
+ echo "Testing that direct HTTPS requests fail..."
+ if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
+ echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
+ exit 1
+ else
+ echo "SUCCESS: Direct HTTPS request was blocked as expected"
+ fi
+
+ echo "Testing that HTTPS through proxy succeeds..."
+ if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
+ echo "SUCCESS: HTTPS request through proxy succeeded"
+ else
+ echo "ERROR: HTTPS request through proxy failed!"
+ exit 1
+ fi
 - name: Checkout
 uses: actions/checkout@v5
 - name: Restore cache