Merge pull request #728 from PassiveLemon/hardening

Docker changes

.gitignore

@@ -29,8 +29,6 @@ src/Zoraxy_*_*
 src/certs/*
 src/rules/*
 src/README.md
-docker/ContainerTester.sh
-docker/docker-compose.yaml
 src/mod/acme/test/stackoverflow.pem
 /tools/dns_challenge_update/code-gen/acmedns
 /tools/dns_challenge_update/code-gen/lego
@@ -41,11 +39,15 @@ src/sys.uuid
 src/zoraxy
 src/log/
 
-
 # dev-tags
 /Dockerfile
 /Entrypoint.sh
 
+# docker testing stuff
+docker/test/
+docker/container-builder.sh
+docker/docker-compose.yaml
+
 # plugins
 example/plugins/ztnc/ztnc.db
 example/plugins/ztnc/authtoken.secret
@@ -57,3 +59,5 @@ tmp
 sys.*
 www/html/index.html
 *.exe
+/src/dist
+

CHANGELOG.md

@@ -1,3 +1,36 @@
+# v3.2.4 28 Jun 2025
+
+A big release since v3.1.9. Versions from 3.2.0 to 3.2.3 were prereleases.
+
+
++ Added Authentik support by [JokerQyou](https://github.com/tobychui/zoraxy/commits?author=JokerQyou)
++ Added pluginsystem and moved GAN and Zerotier to plugins
++ Add loopback detection [#573](https://github.com/tobychui/zoraxy/issues/573)
++ Fixed Dark theme not working with Advanced Option accordion [#591](https://github.com/tobychui/zoraxy/issues/591)
++ Update logger to include UserAgent by [Raithmir](https://github.com/Raithmir)
++ Fixed memory usage in UI [#600](https://github.com/tobychui/zoraxy/issues/600)
++ Added docker-compose.yml by [SamuelPalubaCZ](https://github.com/tobychui/zoraxy/commits?author=SamuelPalubaCZ)
++ Added more statistics for proxy hosts [#201](https://github.com/tobychui/zoraxy/issues/201) and [#608](https://github.com/tobychui/zoraxy/issues/608)
++ Fixed origin field in logs [#618](https://github.com/tobychui/zoraxy/issues/618)
++ Added FreeBSD support by Andreas Burri
++ Fixed HTTP proxy redirect [#626](https://github.com/tobychui/zoraxy/issues/626)
++ Fixed proxy handling #629](https://github.com/tobychui/zoraxy/issues/629)
++ Move Scope ID handling into CIDR check by [Nirostar](https://github.com/tobychui/zoraxy/commits?author=Nirostar)
++ Prevent the browser from filling the saved Zoraxy login account by [WHFo](https://github.com/tobychui/zoraxy/commits?author=WHFo)
++ Added port number and http proto to http proxy list link
++ Fixed headers for authelia by [james-d-elliott](https://github.com/tobychui/zoraxy/commits?author=james-d-elliott)
++ Refactored docker container list and UI improvements by [eyerrock](https://github.com/tobychui/zoraxy/commits?author=eyerrock)
++ Refactored Dockerfile by [PassiveLemon](https://github.com/tobychui/zoraxy/commits?author=PassiveLemon)
++ Added new HTTP proxy UI
++ Added inbound host name edit function
++ Added static web server option to disable listen to all interface
++ Merged SSO implementations (Oauth2) [#649](https://github.com/tobychui/zoraxy/pull/649)
++ Merged forward-auth optimization [#692(https://github.com/tobychui/zoraxy/pull/692)
++ Optimized SSO UI
++ Refactored docker image workflows by [PassiveLemon](https://github.com/tobychui/zoraxy/commits?author=PassiveLemon)
++ Added disable chunked transfer encoding checkbox (for upstreams that uses legacy HTTP implementations)
++ Bug fixes [#694](https://github.com/tobychui/zoraxy/issues/694), [#659](https://github.com/tobychui/zoraxy/issues/659) by [jemmy1794](https://github.com/tobychui/zoraxy/commits?author=jemmy1794), [#695](https://github.com/tobychui/zoraxy/issues/695)
+
 # v3.1.9 1 Mar 2025
 
 + Fixed netstat underflow bug

docker/Dockerfile

@@ -34,34 +34,18 @@ RUN curl -Lo ZeroTierOne.tar.gz https://codeload.github.com/zerotier/ZeroTierOne
     chmod 755 /usr/local/bin/zerotier-one
 
 
-## Fetch plugin
-FROM docker.io/golang:alpine AS fetch-plugin
-
-RUN mkdir -p /opt/zoraxy/zoraxy_plugin/
-
-RUN apk add --update --no-cache git
-
-WORKDIR /opt/zoraxy/
-
-RUN git clone https://github.com/aroz-online/zoraxy-official-plugins &&\
-    cp -r ./zoraxy-official-plugins/src/ztnc/mod/zoraxy_plugin/ /opt/zoraxy/zoraxy_plugin/
-
-
 ## Main
-FROM docker.io/golang:alpine
+FROM docker.io/alpine:latest
 
-# If you build it yourself, you will need to add the example directory into the docker directory.
+RUN apk add --update --no-cache python3 sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
+    rm -rf /var/cache/apk/* /tmp/*
 
-COPY --chmod=700 ./entrypoint.sh /opt/zoraxy/
-COPY --chmod=700 ./build_plugins.sh /usr/local/bin/build_plugins
-
-COPY --from=fetch-plugin --chmod=700 /opt/zoraxy/zoraxy_plugin/ /opt/zoraxy/zoraxy_plugin/
+COPY --chmod=700 ./entrypoint.py /opt/zoraxy/
 
 COPY --from=build-zerotier /usr/local/bin/zerotier-one /usr/local/bin/zerotier-one
 COPY --from=build-zoraxy /usr/local/bin/zoraxy /usr/local/bin/zoraxy
 
-RUN apk add --update --no-cache bash sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
-    mkdir -p /opt/zoraxy/plugin/ &&\
+RUN mkdir -p /opt/zoraxy/plugin/ &&\
     echo "tun" | tee -a /etc/modules
 
 WORKDIR /opt/zoraxy/config/
@@ -89,7 +73,7 @@ VOLUME [ "/opt/zoraxy/config/" ]
 
 LABEL com.imuslab.zoraxy.container-identifier="Zoraxy"
 
-ENTRYPOINT [ "/opt/zoraxy/entrypoint.sh" ]
+ENTRYPOINT [ "python3", "-u", "/opt/zoraxy/entrypoint.py" ]
 
 HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 CMD nc -vz 127.0.0.1 $PORT || exit 1
 

docker/README.md

@@ -119,18 +119,14 @@ Or for Docker Compose:
 
 ### Plugins
 
-You can find official plugins at https://github.com/aroz-online/zoraxy-official-plugins
-
-Place your plugins inside the volume `/path/to/zoraxy/plugin/:/opt/zoraxy/plugin/` (Adjust to your actual install location). Any plugins you have added will then be built and used on the next restart.
-
-> [!IMPORTANT]
-> Plugins are currently experimental.
+Zoraxy includes a (experimental) store to download and use official plugins right from inside Zoraxy, no preparation required.
+For those looking to use custom plugins, build your plugins and place them inside the volume `/path/to/zoraxy/plugin/:/opt/zoraxy/plugin/` (Adjust to your actual install location).
 
 ### Building
 
 To build the Docker image:
   - Check out the repository/branch.
-  - Copy the Zoraxy `src/` and `example/` directory into the `docker/` (here) directory.
+  - Copy the Zoraxy `src/` directory into the `docker/` (here) directory.
   - Run the build command with `docker build -t zoraxy_build .`
   - You can now use the image `zoraxy_build`
     - If you wish to change the image name, then modify`zoraxy_build` in the previous step and then build again.

docker/build_plugins.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-echo "Copying zoraxy_plugin to all mods..."
-for dir in "$1"/*; do
-  if [ -d "$dir" ]; then
-    cp -r "/opt/zoraxy/zoraxy_plugin/" "$dir/mod/"
-  fi
-done
-
-echo "Running go mod tidy and go build for all directories..."
-for dir in "$1"/*; do
-  if [ -d "$dir" ]; then
-    cd "$dir" || exit 1
-    go mod tidy
-    go build
-    cd "$1" || exit 1
-  fi
-done
-

docker/entrypoint.py

@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+
+import os
+import signal
+import subprocess
+import sys
+import time
+
+zoraxy_proc = None
+zerotier_proc = None
+
+def getenv(key, default=None):
+  return os.environ.get(key, default)
+
+def run(command):
+  try:
+    subprocess.run(command, check=True)
+  except subprocess.CalledProcessError as e:
+    print(f"Command failed: {command} - {e}")
+    sys.exit(1)
+
+def popen(command):
+  proc = subprocess.Popen(command)
+  time.sleep(1)
+  if proc.poll() is not None:
+    print(f"{command} exited early with code {proc.returncode}")
+    raise RuntimeError(f"Failed to start {command}")
+  return proc
+
+def cleanup(_signum, _frame):
+  print("Shutdown signal received. Cleaning up...")
+
+  global zoraxy_proc, zerotier_proc
+
+  if zoraxy_proc and zoraxy_proc.poll() is None:
+    print("Terminating Zoraxy...")
+    zoraxy_proc.terminate()
+
+  if zerotier_proc and zerotier_proc.poll() is None:
+    print("Terminating ZeroTier-One...")
+    zerotier_proc.terminate()
+
+  if zoraxy_proc:
+    try:
+      zoraxy_proc.wait(timeout=8)
+    except subprocess.TimeoutExpired:
+      zoraxy_proc.kill()
+      zoraxy_proc.wait()
+
+  if zerotier_proc:
+    try:
+      zerotier_proc.wait(timeout=8)
+    except subprocess.TimeoutExpired:
+      zerotier_proc.kill()
+      zerotier_proc.wait()
+
+  try:
+    os.unlink("/var/lib/zerotier-one")
+  except FileNotFoundError:
+    pass
+  except Exception as e:
+    print(f"Failed to unlink ZeroTier socket: {e}")
+
+  sys.exit(0)
+
+def start_zerotier():
+  print("Starting ZeroTier...")
+
+  global zerotier_proc
+
+  config_dir = "/opt/zoraxy/config/zerotier/"
+  zt_path = "/var/lib/zerotier-one"
+
+  os.makedirs(config_dir, exist_ok=True)
+
+  os.symlink(config_dir, zt_path, target_is_directory=True)
+
+  zerotier_proc = popen(["zerotier-one"])
+
+def start_zoraxy():
+  print("Starting Zoraxy...")
+
+  global zoraxy_proc
+
+  zoraxy_args = [
+    "zoraxy",
+    f"-autorenew={getenv('AUTORENEW', '86400')}",
+    f"-cfgupgrade={getenv('CFGUPGRADE', 'true')}",
+    f"-db={getenv('DB', 'auto')}",
+    f"-docker={getenv('DOCKER', 'true')}",
+    f"-earlyrenew={getenv('EARLYRENEW', '30')}",
+    f"-fastgeoip={getenv('FASTGEOIP', 'false')}",
+    f"-mdns={getenv('MDNS', 'true')}",
+    f"-mdnsname={getenv('MDNSNAME', "''")}",
+    f"-noauth={getenv('NOAUTH', 'false')}",
+    f"-plugin={getenv('PLUGIN', '/opt/zoraxy/plugin/')}",
+    f"-port=:{getenv('PORT', '8000')}",
+    f"-sshlb={getenv('SSHLB', 'false')}",
+    f"-update_geoip={getenv('UPDATE_GEOIP', 'false')}",
+    f"-version={getenv('VERSION', 'false')}",
+    f"-webfm={getenv('WEBFM', 'true')}",
+    f"-webroot={getenv('WEBROOT', './www')}",
+  ]
+
+  zoraxy_proc = popen(zoraxy_args)
+
+def main():
+  signal.signal(signal.SIGTERM, cleanup)
+  signal.signal(signal.SIGINT, cleanup)
+
+  print("Updating CA certificates...")
+  run(["update-ca-certificates"])
+
+  print("Updating GeoIP data...")
+  run(["zoraxy", "-update_geoip=true"])
+
+  os.chdir("/opt/zoraxy/config/")
+
+  if getenv("ZEROTIER", "false") == "true":
+    start_zerotier()
+
+  start_zoraxy()
+
+  signal.pause()
+
+if __name__ == "__main__":
+  main()
+

docker/entrypoint.sh

@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-
-cleanup() {
-  echo "Stop signal received. Shutting down..."
-  kill -TERM "$(pidof zoraxy)" &> /dev/null && echo "Zoraxy stopped."
-  kill -TERM "$(pidof zerotier-one)" &> /dev/null && echo "ZeroTier-One stopped."
-  unlink /var/lib/zerotier-one/zerotier/
-  exit 0
-}
-
-trap cleanup SIGTERM SIGINT TERM INT
-
-update-ca-certificates && echo "CA certificates updated."
-zoraxy -update_geoip=true && echo "GeoIP data updated ."
-
-echo "Building plugins..."
-cd /opt/zoraxy/plugin/ || exit 1
-build_plugins "$PWD"
-echo "Plugins built."
-cd /opt/zoraxy/config/ || exit 1
-
-if [ "$ZEROTIER" = "true" ]; then
-  if [ ! -d "/opt/zoraxy/config/zerotier/" ]; then
-    mkdir -p /opt/zoraxy/config/zerotier/
-  fi
-  ln -s /opt/zoraxy/config/zerotier/ /var/lib/zerotier-one
-  zerotier-one -d &
-  zerotierpid=$!
-  echo "ZeroTier daemon started."
-fi
-
-echo "Starting Zoraxy..."
-zoraxy \
-  -autorenew="$AUTORENEW" \
-  -cfgupgrade="$CFGUPGRADE" \
-  -db="$DB" \
-  -docker="$DOCKER" \
-  -earlyrenew="$EARLYRENEW" \
-  -fastgeoip="$FASTGEOIP" \
-  -mdns="$MDNS" \
-  -mdnsname="$MDNSNAME" \
-  -noauth="$NOAUTH" \
-  -plugin="$PLUGIN" \
-  -port=:"$PORT" \
-  -sshlb="$SSHLB" \
-  -update_geoip="$UPDATE_GEOIP" \
-  -version="$VERSION" \
-  -webfm="$WEBFM" \
-  -webroot="$WEBROOT" \
-  &
-
-zoraxypid=$!
-wait "$zoraxypid"
-wait "$zerotierpid"
-