Our transparent TLS proxy
PolarProxy is gaining lots of popularity
due to how effective it is at generating decrypted PCAP files in combination with how easy it is to deploy.
In this blog post we will show how to run PolarProxy in Docker.
Create a Dockerfile with the following contents:
VOLUME [“/var/log/PolarProxy/”, “/home/polarproxy/”]USER polarproxy
ENTRYPOINT [“dotnet”, “PolarProxy.dll”]CMD [“-v”,
Save the Docker file as “Dockerfile” (no extension) in an empty directory and start a shell in that directory with root privileges.
Build the PolarProxy Docker image with:
Next, create a Docker container named “polarproxy”:
The “-p” switches in this command define three DNAT rules that will get activated when the polarproxy container is started. The first DNAT rule forwards incoming TCP port 443 traffic to the polarproxy Docker container’s transparent TLS proxy service on TCP port 10443. The second one does the same thing, but for incoming traffic to TCP 10443. The last one forwards TCP port 10080 traffic to a web server that delivers the public X.509 certificate of the proxy.
It is now time to start the polarproxy container:
Verify that PolarProxy is running:
Try fetching PolarProxy’s public root CA certificate with curl and then connect to a website over HTTPS through the proxy:
Redirect HTTPS and Trust the Root CA
You can now redirect outgoing TCP 443 traffic from your network to your Docker host.
Review the “Routing HTTPS Traffic to the Proxy” section on the
PolarProxy page for recommendations on how to redirect outgoing traffic to PolarProxy.
Finally, configure the operating system, browsers and other applications that will get their TLS traffic proxied by PolarProxy
to trust the root CA of the PolarProxy service running in your Docker container.
Follow the steps in the “Trusting the PolarProxy root CA” section of the
PolarProxy documentation in order to install the root cert.
The Docker file we used in this blog post defines two volumes.
The first volume is mounted on “/var/log/PolarProxy” in the container,
which is where the decrypted network traffic will be stored as hourly rotated PCAP files.
The second volume is the polarproxy home directory, under which PolarProxy will store its private root CA certificate.
The volumes are typically located under “/var/lib/docker/volumes” on the Docker host’s file system.
You can find the exact path by running:
Or use find to list *.pcap files in the Docker volumes directory:
The full path of your private PolarProxy Root CA certificate, which is located under “/home/polarproxy/” in the Docker container, can also be located using find:
We recommend reusing the “/home/polarproxy/” volume, when deploying new PolarProxy instances or upgrading to a new version of PolarProxy,
in order to avoid having to re-configure clients to trust a new root CA every time a new PolarProxy container is created.
PolarProxy in Docker on ARM Linux
PolarProxy can also run on ARM Linux installations, such as a Raspberry Pi.
However, the Dockerfile must be modified slightly in order to do so.
Don’t know if you’re running a 32-bit or 64-bit OS?
Run “uname -m” and check if the output says “armv7*” (arm32) or “armv8*” (arm64).
See our blog post “Raspberry PI WiFi Access Point with TLS Inspection” for more details about deploying PolarProxy on a Raspberry Pi (without Docker).
We’d like to thank Jonas Lejon for contacting us back in February
about the work he had done to get PolarProxy running in Docker.
We used Jonas’ work as a starting point when building the installation instructions in this how-to guide.
We also want to thank Erik Ahlström for providing valuable feedback on the instructions in this guide.
ʕ•ᴥ•ʔ + 🐳 = 💜
*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: http://www.netresec.com/?page=Blog&month=2020-10&post=PolarProxy-in-Docker