Include openssl, cryptography and paramiko in default DockerHub image (#1409)

abhinavsingh · pre-commit-ci[bot] · web-flow · commit 7bb04c020a5b · 2024-05-16T00:34:26.000+05:30
* Include `openssl` in docker images to let users try TLS interception using dockerhub images * Include `requirements-tunnel.txt` within docker image to let users try tunneling using docker images * Docker is always using py311+, hardcode for now * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Simply `apk add py-cryptography` * --prefer-binary * Build deps for cryptography * make required by pynacl * Prepare to use base image once it has been published * Prepare image from `ghcr.io/abhinavsingh/proxy.py:base` * --no-cache-dir to avoid pip cache bloating * Optimize base image size * Use find * `-y` * Cut final image `FROM python:3.11-alpine` * Remove global setuptools and local pip too * wheel it too * end and flush * Try `42.0.4` in next base * Full path cleanup * SSL in final copy --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/.github/workflows/test-library.yml b/.github/workflows/test-library.yml
@@ -952,7 +952,6 @@ jobs:
       with:
         username: abhinavsingh
         password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
-    # TODO: openssl image is not published on DockerHub
     - name: Push to DockerHub
       run: >-
         REGISTRY_URL="abhinavsingh/proxy.py";
@@ -964,7 +963,6 @@ jobs:
         --platform ${{
           needs.pre-setup.outputs.container-platforms
         }}
-        --build-arg SKIP_OPENSSL=1
         --build-arg PROXYPY_PKG_PATH='dist/${{
           needs.pre-setup.outputs.wheel-artifact-name
         }}'
diff --git a/Dockerfile b/Dockerfile
@@ -1,33 +1,54 @@
-FROM python:3.11-alpine as base
+FROM ghcr.io/abhinavsingh/proxy.py:base as builder
 
 LABEL com.abhinavsingh.name="abhinavsingh/proxy.py" \
-  com.abhinavsingh.description="⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • \
+  org.opencontainers.image.title="proxy.py" \
+  org.opencontainers.image.description="⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • \
   😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • \
   👮🏿 \"Proxy Server\" framework • 🌐 \"Web Server\" framework • ➵ ➶ ➷ ➠ \"PubSub\" framework • \
   👷 \"Work\" acceptor & executor framework" \
-  com.abhinavsingh.url="https://github.com/abhinavsingh/proxy.py" \
-  com.abhinavsingh.vcs-url="https://github.com/abhinavsingh/proxy.py" \
+  org.opencontainers.url="https://github.com/abhinavsingh/proxy.py" \
+  org.opencontainers.image.source="https://github.com/abhinavsingh/proxy.py" \
   com.abhinavsingh.docker.cmd="docker run -it --rm -p 8899:8899 abhinavsingh/proxy.py" \
-  org.opencontainers.image.source="https://github.com/abhinavsingh/proxy.py"
+  org.opencontainers.image.licenses="BSD-3-Clause" \
+  org.opencontainers.image.authors="Abhinav Singh <mailsforabhinav@gmail.com>" \
+  org.opencontainers.image.vendor="Abhinav Singh"
 
 ENV PYTHONUNBUFFERED 1
+ENV PYTHONDONTWRITEBYTECODE 1
 
 ARG SKIP_OPENSSL
 ARG PROXYPY_PKG_PATH
 
 COPY README.md /
 COPY $PROXYPY_PKG_PATH /
 
-RUN pip install --upgrade pip && \
-  pip install \
+# proxy.py itself needs no external dependencies
+# Optionally, include openssl to allow
+# users to use TLS interception features using Docker
+# Use `--build-arg SKIP_OPENSSL=1` to disable openssl installation
+RUN /proxy/venv/bin/pip install --no-compile --no-cache-dir \
+  -U pip && \
+  /proxy/venv/bin/pip install --no-compile --no-cache-dir \
   --no-index \
   --find-links file:/// \
   proxy.py && \
-  rm *.whl
-
-# Use `--build-arg SKIP_OPENSSL=1` to disable openssl installation
-RUN if [[ -z "$SKIP_OPENSSL" ]]; then apk update && apk add openssl; fi
+  rm *.whl && \
+  find . -type d -name '__pycache__' | xargs rm -rf && \
+  rm -rf /var/cache/apk/* && \
+  rm -rf /root/.cache/ && \
+  /proxy/venv/bin/pip uninstall -y wheel setuptools pip && \
+  /usr/local/bin/pip uninstall -y wheel setuptools pip
 
+FROM python:3.11-alpine
+COPY --from=builder /README.md /README.md
+COPY --from=builder /proxy /proxy
+RUN if [[ -z "$SKIP_OPENSSL" ]]; then \
+  apk update && \
+  apk --no-cache add openssl && \
+  rm -rf /var/cache/apk/* && \
+  rm -rf /root/.cache/; \
+  fi
+ENV PATH="/proxy/venv/bin:${PATH}"
 EXPOSE 8899/tcp
 ENTRYPOINT [ "proxy" ]
 CMD [ \
diff --git a/DockerfileBase b/DockerfileBase
@@ -33,7 +33,7 @@ RUN python -m venv /proxy/venv && \
     -U pip wheel && \
     /proxy/venv/bin/pip install --no-compile --no-cache-dir \
     paramiko==3.4.0 \
-    cryptography==39.0.1 \
+    cryptography==42.0.4 \
     --prefer-binary && \
     apk del .builddeps && \
     find . -type d -name '__pycache__' | xargs rm -rf && \
diff --git a/proxy/proxy.py b/proxy/proxy.py
@@ -402,18 +402,27 @@ def _clear_line() -> None:
         print('\r' + ' ' * 60, end='', flush=True)
 
     def _env(scheme: bytes, host: bytes, port: int) -> Optional[Dict[str, Any]]:
-        response = client(
-            scheme=scheme,
-            host=host,
-            port=port,
-            path=b'/env/',
-            method=httpMethods.BIND,
-            body='v={0}&u={1}&h={2}'.format(
-                __version__,
-                os.environ.get('USER', getpass.getuser()),
-                socket.gethostname(),
-            ).encode(),
-        )
+        try:
+            response = client(
+                scheme=scheme,
+                host=host,
+                port=port,
+                path=b'/env/',
+                method=httpMethods.BIND,
+                body='v={0}&u={1}&h={2}'.format(
+                    __version__,
+                    os.environ.get('USER', getpass.getuser()),
+                    socket.gethostname(),
+                ).encode(),
+            )
+        except socket.gaierror:
+            _clear_line()
+            print(
+                '\r\033[91mUnable to resolve\033[0m',
+                end='',
+                flush=True,
+            )
+            return None
         if response:
             if (
                 response.code is not None
@@ -445,7 +454,11 @@ def _env(scheme: bytes, host: bytes, port: int) -> Optional[Dict[str, Any]]:
                 )
         else:
             _clear_line()
-            print('\r\033[91mUnable to connect\033[0m')
+            print(
+                '\r\033[91mUnable to connect\033[0m',
+                end='',
+                flush=True,
+            )
         return None
 
     def _parse() -> Tuple[str, int]:
diff --git a/requirements-tunnel.txt b/requirements-tunnel.txt
@@ -3,3 +3,4 @@ paramiko==3.4.0; python_version >= '3.11'
 types-paramiko==2.11.3; python_version < '3.11'
 types-paramiko==3.4.0.20240311; python_version >= '3.11'
 cryptography==36.0.2; python_version <= '3.6'
+cryptography==39.0.1; python_version > '3.6'
