PolarProxy in Podman

by Erik Hjelmvik on October 27, 2020

PolarProxy + Podman Logo

Podman is a daemonless Linux container engine, which can be used as a more secure alternative to Docker.
This blog post demonstrates how to run PolarProxy in a rootless container using Podman.
If you still prefer to run PolarProxy in Docker, then please read our blog post “PolarProxy in Docker” instead.

Install Podman and fuse-overlayfs

Install Podman according to the official Podman installation instructions.
Then install fuse-overlayfs, which is an overlay file system for rootless containers.
Fuse-overlayfs can be installed in Debian/Ubuntu with “sudo apt install fuse-overlayfs”
and in CentOS with “sudo yum install fuse-overlayfs“.

Create a Podman Image for PolarProxy

Create a Dockerfile with the following contents:

FROM mcr.microsoft.com/dotnet/core/runtime:2.2

EXPOSE 10443

EXPOSE 10080

EXPOSE 57012

RUN
groupadd -g 31337 polarproxy &&
useradd -m -u 31337 -g polarproxy polarproxy &&
mkdir -p /var/log/PolarProxy /opt/polarproxy &&
chown polarproxy:polarproxy /var/log/PolarProxy &&
curl -s https://www.netresec.com/?download=PolarProxy | tar -xzf – -C /opt/polarproxy

USER polarproxy

WORKDIR /opt/polarproxy/

ENTRYPOINT [“dotnet”, “PolarProxy.dll”]
CMD [“-v”, “-p”, “10443,80,443”, “-o”, “/var/log/PolarProxy/”, “–certhttp”, “10080”, “–pcapoverip”, “57012”]

Save the Docker file as “Dockerfile” (no extension) in an empty directory and start a shell in that directory.
Build a PolarProxy Podman image with:

          podman build -f Dockerfile -t polarproxy        

Test the PolarProxy Podman Image

Take the polarproxy Podman image for a test run. Start it with:

          podman run -it –rm –name polarproxy -p 10443 localhost/polarproxy        

Establish an HTTPS connection through PolarProxy by running this curl command from another shell on the same machine:

          curl –insecure –connect-to www.netresec.com:443:127.0.0.1:10443 https://www.netresec.com/        

If everything works alright, then curl should output HTML
and the interactive Podman session running the polarproxy image should print something like:

<6>[10443] 127.0.0.1 -> N/A Connection from: 127.0.0.1:44122
<6>[10443] 127.0.0.1 -> www.netresec.com Connection request for: www.netresec.com from 127.0.0.1:44122
<6>[10443] 127.0.0.1 -> www.netresec.com Action: DECRYPT

Create a Podman Container for PolarProxy

Create directories “pcap” and “polarproxy”, where PolarProxy should store the decrypted network traffic and its root CA certificate.

              mkdir pcap polarproxy

              podman unshare chown 31337:31337 pcap polarproxy

Create a container called “polarproxy”, which has the “pcap” and “polarproxy” directories mounted as volumes.
The service on TCP 10080 will serve the proxy’s public root cert over HTTP.
The localhost:57012 service is a Pcap-over-IP server, from which the decrypted network traffic can be streamed in real-time.

            podman create –name polarproxy -v $(pwd)/pcap:/var/log/PolarProxy -v $(pwd)/polarproxy:/home/polarproxy -p 10443 -p 10080 -p 127.0.0.1:57012:57012 localhost/polarproxy          

Create and enable a systemd user service that will run the container.

              mkdir -p ~/.config/systemd/user/

              podman generate systemd -n polarproxy > ~/.config/systemd/user/container-polarproxy.service

              systemctl –user enable container-polarproxy.service

Start the systemd user service to activate the PolarProxy container.

        systemctl –user start container-polarproxy.service      

Verify that the service is running and that you can view the logs from PolarProxy.

            systemctl –user status container-polarproxy.service

            podman logs polarproxy

Expose PolarProxy to the Network

Create a firewall rule to redirect incoming TCP 443 packets to the PolarProxy service listening on port 10443.

          sudo iptables -t nat -A PREROUTING -d 10.11.12.13 -p tcp –dport 443 -j REDIRECT –to 10443        

Note: Replace “10.11.12.13” with the IP of the PolarProxy machine

Try making an HTTPS connection via PolarProxy from another PC on the network.

          C:\> curl –insecure –resolve www.netresec.com:443:10.11.12.13 https://www.netresec.com/        

Note: Replace “10.11.12.13” with the IP of the PolarProxy machine

Don’t forget to save the firewall redirect rule if it is working as desired!

Redirect HTTPS and Trust the Root CA

You can now redirect outgoing TCP 443 traffic from your network to your Podman/PolarProxy host.
Review the “Routing HTTPS Traffic to the Proxy” section on the
PolarProxy page for recommendations on how to redirect outgoing traffic to PolarProxy.

Finally, configure the operating system, browsers and other applications that will get their TLS traffic proxied by PolarProxy
to trust the root CA of the PolarProxy service running in your Podman container.
Follow the steps in the “Trusting the PolarProxy root CA” section of the
PolarProxy documentation in order to install the root cert.

Accessing Decrypted TLS Traffic

You should be able to access PCAP files with the decrypted HTTPS traffic in the “pcap” directory.

It is also possible view the decrypted traffic in real-time by using netcat and tcpdump as a Pcap-over-IP client like this:

          nc localhost 57012 | tcpdump -nr – -X        

It probably makes more sense to forward the decrypted traffic to an IDS or other type of network security monitoring tool though.
See our blog post “Sniffing Decrypted TLS Traffic with Security Onion”
for instructions on how to use netcat and tcpreplay to send the decrypted traffic to a monitor interface.

PolarProxy in Podman on ARM Linux

PolarProxy can also run on ARM Linux installations, such as a Raspberry Pi.
However, the Dockerfile must be modified slightly in order to do so.

ARM 32-bit / AArch32 / ARMv7

If you’re running an “arm32” Linux OS, then change the download link in the “RUN” instruction to the following URL: