Merge pull request #28 from lwthiker/alpine

Add Alpine Linux images and push automatically to DockerHub
lwthiker · Mar 10, 2022 · 0952bca · 0952bca
2 parents 91c906f + aba67a4
commit 0952bca
Show file tree

Hide file tree

Showing 9 changed files with 432 additions and 25 deletions.
diff --git a/.github/workflows/publish-docker-image.yml b/.github/workflows/publish-docker-image.yml
@@ -0,0 +1,62 @@
+# Build an Alpine Linux image containing curl-impersonate and push to
+# Docker hub.
+name: Publish Docker image
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  push-docker-image:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker (chrome)
+        id: meta_chrome
+        uses: docker/metadata-action@v3
+        with:
+          images: lwthiker/curl-impersonate
+          tags: |
+            type=semver,pattern={{version}},suffix=-chrome-alpine
+            type=semver,pattern={{version}},suffix=-chrome
+            type=semver,pattern={{major}}.{{minor}},suffix=-chrome-alpine
+            type=semver,pattern={{major}}.{{minor}},suffix=-chrome
+
+      - name: Build and push the Chrome version of curl-impersonate
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: chrome/
+          file: chrome/Dockerfile.alpine
+          tags: ${{ steps.meta_chrome.outputs.tags }}
+          labels: ${{ steps.meta_chrome.outputs.labels }}
+
+      - name: Extract metadata (tags, labels) for Docker (firefox)
+        id: meta_firefox
+        uses: docker/metadata-action@v3
+        with:
+          images: lwthiker/curl-impersonate
+          tags: |
+            type=semver,pattern={{version}},suffix=-ff-alpine
+            type=semver,pattern={{version}},suffix=-ff
+            type=semver,pattern={{major}}.{{minor}},suffix=-ff-alpine
+            type=semver,pattern={{major}}.{{minor}},suffix=-ff
+
+      - name: Build and push the Firefox version of curl-impersonate
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: firefox/
+          file: firefox/Dockerfile.alpine
+          tags: ${{ steps.meta_firefox.outputs.tags }}
+          labels: ${{ steps.meta_firefox.outputs.labels }}
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -5,36 +5,62 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+{{#debian}}
 # Python is needed for building libnss.
 # Use it as a common base.
 FROM python:3.10.1-slim-buster
+{{/debian}}
+{{#alpine}}
+FROM alpine:3.15.0 as builder
+{{/alpine}}
 
 WORKDIR /build
 
 # Common dependencies
+{{#debian}}
 RUN apt-get update && \
     apt-get install -y git ninja-build cmake curl zlib1g-dev
+{{/debian}}
+{{#alpine}}
+RUN apk add git build-base make cmake ninja curl zlib-dev patch linux-headers python3 python3-dev
+{{/alpine}}
+
+# The following are needed because we are going to change some autoconf scripts,
+# both for libnghttp2 and curl.
+{{#debian}}
+RUN apt-get install -y autoconf automake autotools-dev pkg-config libtool
+{{/debian}}
+{{#alpine}}
+RUN apk add autoconf automake pkgconfig libtool
+{{/alpine}}
 
 {{#firefox}}
 # Dependencies for building libnss
 # See https://firefox-source-docs.mozilla.org/security/nss/build.html#mozilla-projects-nss-building
+    {{#debian}}
 RUN apt-get install -y mercurial python3-pip
+    {{/debian}}
+    {{#alpine}}
+RUN apk add mercurial py3-pip clang-analyzer
+    {{/alpine}}
 
+    {{#debian}}
 # curl tries to load the CA certificates for libnss.
 # It loads them from /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so,
 # which is supplied by libnss3 on Debian/Ubuntu
 RUN apt-get install -y libnss3
+    {{/debian}}
 {{/firefox}}
-
 {{#chrome}}
 # Dependencies for downloading and building BoringSSL
+    {{#debian}}
 RUN apt-get install -y g++ golang-go unzip
+    {{/debian}}
+    {{#alpine}}
+RUN apk add g++ go unzip
+    {{/alpine}}
 {{/chrome}}
 
-# The following are needed because we are going to change some autoconf scripts,
-# both for libnghttp2 and curl.
-RUN apt-get install -y autoconf automake autotools-dev pkg-config libtool
-
 # Download and compile libbrotli
 ARG BROTLI_VERSION=1.0.9
 RUN curl -L https://github.com/google/brotli/archive/refs/tags/v${BROTLI_VERSION}.tar.gz -o brotli-${BROTLI_VERSION}.tar.gz && \
@@ -56,9 +82,12 @@ ARG NSS_URL=https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_74_RTM/src/n
 RUN curl -o ${NSS_VERSION}.tar.gz ${NSS_URL}
 RUN tar xf ${NSS_VERSION}.tar.gz && \
     cd ${NSS_VERSION}/nss && \
+{{#alpine}}
+    # Hack to make nss compile on alpine with python3
+    ln -sf python3 /usr/bin/python && \
+{{/alpine}}
     ./build.sh -o --disable-tests --static
 {{/firefox}}
-
 {{#chrome}}
 # BoringSSL doesn't have versions. Choose a commit that is used in a stable
 # Chromium version.
@@ -168,4 +197,28 @@ COPY curl_ff* out/
 {{#chrome}}
 COPY curl_chrome* curl_edge* curl_safari* out/
 {{/chrome}}
+{{#alpine}}
+# Replace /bin/bash with /bin/ash
+RUN sed -i 's@/bin/bash@/bin/ash@' out/curl_*
+{{/alpine}}
 RUN chmod +x out/curl_*
+{{#alpine}}
+
+# When using alpine, create a final, minimal image with the compiled binaries
+# only.
+FROM alpine:3.15.0
+{{#firefox}}
+# curl tries to load the CA certificates for libnss.
+# It loads them from /usr/lib/libnssckbi.so,
+# which is supplied by 'nss' on alpine.
+RUN apk add --no-cache nss
+{{/firefox}}
+
+# Copy curl-impersonate from the builder image
+COPY --from=builder /build/out/curl-impersonate /usr/local/bin/
+# Wrapper scripts
+COPY --from=builder /build/out/curl_* /usr/local/bin/
+
+# Copy libcurl-impersonate from the builder image
+COPY --from=builder /build/out/libcurl-impersonate.so /usr/local/lib/
+{{/alpine}}
diff --git a/README.md b/README.md
@@ -45,10 +45,29 @@ You can add command line flags and they will be passed on to curl. However, some
 See [Advanced usage](#Advanced-usage) for more options.
 
 ## Installation
-This repository maintains two separate build systems for technical reasons. The **chrome** build is used to impersonate Chrome, Edge and Safari. The **firefox** build is used to impersonate Firefox.
+There are two versions of `curl-impersonate` for technical reasons. The **chrome** version is used to impersonate Chrome, Edge and Safari. The **firefox** version is used to impersonate Firefox.
+
+### Docker images
+Docker images based on Alpine Linux with `curl-impersonate` compiled and ready to use are available on [Docker Hub](https://hub.docker.com/r/lwthiker/curl-impersonate). The images contain the binary and all the wrapper scripts. Use like the following:
+```bash
+# Firefox version
+docker pull lwthiker/curl-impersonate:0.3-ff
+docker run --rm lwthiker/curl-impersonate:0.3-ff curl_ff95 https://www.wikipedia.org
+
+# Chrome version
+docker pull lwthiker/curl-impersonate:0.3-chrome
+docker run --rm lwthiker/curl-impersonate:0.3-chrome curl_chrome99 https://www.wikipedia.org
+```
+
+### Distro packages
+
+AUR packages are available to Arch users: [curl-impersonate-chrome](https://aur.archlinux.org/packages/curl-impersonate-chrome), [curl-impersonate-firefox](https://aur.archlinux.org/packages/curl-impersonate-firefox).
+
+## Building from source
+As mentioned there are two separate build systems. The **chrome** build is used to impersonate Chrome, Edge and Safari. The **firefox** build is used to impersonate Firefox.
 
 ### Chrome build
-[`chrome/Dockerfile`](chrome/Dockerfile) is a Dockerfile that will build curl with all the necessary modifications and patches. Build it like the following:
+[`chrome/Dockerfile`](chrome/Dockerfile) is a debian-based Dockerfile that will build curl with all the necessary modifications and patches. Build it like the following:
 ```
 docker build -t curl-impersonate-chrome chrome/
 ```
@@ -72,10 +91,6 @@ The resulting image contains:
 If you use it outside the container, install the following dependency:
 * `sudo apt install libnss3`.  Even though nss is statically compiled into `curl-impersonate`, it is still necessary to install libnss3 because curl dynamically loads `libnssckbi.so`, a file containing Mozilla's list of trusted root certificates. Alternatively, use `curl -k` to disable certificate verification.
 
-### Distro packages
-
-AUR packages are available to Arch users: [curl-impersonate-chrome](https://aur.archlinux.org/packages/curl-impersonate-chrome), [curl-impersonate-firefox](https://aur.archlinux.org/packages/curl-impersonate-firefox).
-
 ## Advanced usage
 ### libcurl-impersonate
 `libcurl-impersonate.so` is libcurl compiled with the same changes as the command line `curl-impersonate`.

diff --git a/chrome/Dockerfile b/chrome/Dockerfile
@@ -15,14 +15,13 @@ WORKDIR /build
 RUN apt-get update && \
     apt-get install -y git ninja-build cmake curl zlib1g-dev
 
-
-# Dependencies for downloading and building BoringSSL
-RUN apt-get install -y g++ golang-go unzip
-
 # The following are needed because we are going to change some autoconf scripts,
 # both for libnghttp2 and curl.
 RUN apt-get install -y autoconf automake autotools-dev pkg-config libtool
 
+# Dependencies for downloading and building BoringSSL
+RUN apt-get install -y g++ golang-go unzip
+
 # Download and compile libbrotli
 ARG BROTLI_VERSION=1.0.9
 RUN curl -L https://github.com/google/brotli/archive/refs/tags/v${BROTLI_VERSION}.tar.gz -o brotli-${BROTLI_VERSION}.tar.gz && \
@@ -32,7 +31,6 @@ RUN cd brotli-${BROTLI_VERSION} && \
     cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=./installed .. && \
     cmake --build . --config Release --target install
 
-
 # BoringSSL doesn't have versions. Choose a commit that is used in a stable
 # Chromium version.
 ARG BORING_SSL_COMMIT=3a667d10e94186fd503966f5638e134fe9fb4080
@@ -50,7 +48,7 @@ RUN cd boringssl && \
     ninja
 
 # Fix the directory structure so that curl can compile against it.
-# See https://everything.curl.dev/source/build/tls/boringssl 
+# See https://everything.curl.dev/source/build/tls/boringssl
 RUN mkdir boringssl/build/lib && \
     ln -s ../crypto/libcrypto.a boringssl/build/lib/libcrypto.a && \
     ln -s ../ssl/libssl.a boringssl/build/lib/libssl.a && \

diff --git a/chrome/Dockerfile.alpine b/chrome/Dockerfile.alpine
@@ -0,0 +1,135 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED FROM "Dockerfile.template" VIA
+# "generate-dockerfiles.sh".
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.15.0 as builder
+
+WORKDIR /build
+
+# Common dependencies
+RUN apk add git build-base make cmake ninja curl zlib-dev patch linux-headers python3 python3-dev
+
+# The following are needed because we are going to change some autoconf scripts,
+# both for libnghttp2 and curl.
+RUN apk add autoconf automake pkgconfig libtool
+
+# Dependencies for downloading and building BoringSSL
+RUN apk add g++ go unzip
+
+# Download and compile libbrotli
+ARG BROTLI_VERSION=1.0.9
+RUN curl -L https://github.com/google/brotli/archive/refs/tags/v${BROTLI_VERSION}.tar.gz -o brotli-${BROTLI_VERSION}.tar.gz && \
+    tar xf brotli-${BROTLI_VERSION}.tar.gz
+RUN cd brotli-${BROTLI_VERSION} && \
+    mkdir build && cd build && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=./installed .. && \
+    cmake --build . --config Release --target install
+
+# BoringSSL doesn't have versions. Choose a commit that is used in a stable
+# Chromium version.
+ARG BORING_SSL_COMMIT=3a667d10e94186fd503966f5638e134fe9fb4080
+RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \
+    unzip boringssl && \
+    mv boringssl-${BORING_SSL_COMMIT} boringssl
+
+# Compile BoringSSL.
+# See https://boringssl.googlesource.com/boringssl/+/HEAD/BUILDING.md
+COPY patches/boringssl-*.patch boringssl/
+RUN cd boringssl && \
+    for p in $(ls boringssl-*.patch); do patch -p1 < $p; done && \
+    mkdir build && cd build && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_POSITION_INDEPENDENT_CODE=on -GNinja .. && \
+    ninja
+
+# Fix the directory structure so that curl can compile against it.
+# See https://everything.curl.dev/source/build/tls/boringssl
+RUN mkdir boringssl/build/lib && \
+    ln -s ../crypto/libcrypto.a boringssl/build/lib/libcrypto.a && \
+    ln -s ../ssl/libssl.a boringssl/build/lib/libssl.a && \
+    cp -R boringssl/include boringssl/build
+
+ARG NGHTTP2_VERSION=nghttp2-1.46.0
+ARG NGHTTP2_URL=https://github.com/nghttp2/nghttp2/releases/download/v1.46.0/nghttp2-1.46.0.tar.bz2
+
+# Download nghttp2 for HTTP/2.0 support.
+RUN curl -o ${NGHTTP2_VERSION}.tar.bz2 -L ${NGHTTP2_URL}
+RUN tar xf ${NGHTTP2_VERSION}.tar.bz2
+
+# Patch nghttp2 pkg config file to support static builds.
+COPY patches/libnghttp2-*.patch ${NGHTTP2_VERSION}/
+RUN cd ${NGHTTP2_VERSION} && \
+    for p in $(ls libnghttp2-*.patch); do patch -p1 < $p; done && \
+    autoreconf -i && automake && autoconf
+
+# Compile nghttp2
+RUN cd ${NGHTTP2_VERSION} && \
+    ./configure --with-pic && \
+    make && make install
+
+# Download curl.
+ARG CURL_VERSION=curl-7.81.0
+RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz
+RUN tar xf ${CURL_VERSION}.tar.xz
+
+# Patch curl and re-generate the configure script
+COPY patches/curl-*.patch ${CURL_VERSION}/
+RUN cd ${CURL_VERSION} && \
+    for p in $(ls curl-*.patch); do patch -p1 < $p; done && \
+    autoreconf -fi
+
+# Compile curl with nghttp2, libbrotli and nss (firefox) or boringssl (chrome).
+# Enable keylogfile for debugging of TLS traffic.
+RUN cd ${CURL_VERSION} && \
+    ./configure --enable-static \
+                --disable-shared \
+                --with-nghttp2=/usr/local \
+                --with-brotli=/build/brotli-${BROTLI_VERSION}/build/installed \
+                --with-openssl=/build/boringssl/build \
+                LIBS="-pthread" \
+                CFLAGS="-I/build/boringssl/build" \
+                USE_CURL_SSLKEYLOGFILE=true && \
+    make
+
+RUN mkdir out && \
+    cp ${CURL_VERSION}/src/curl out/curl-impersonate && \
+    strip out/curl-impersonate
+
+# Re-compile libcurl dynamically
+RUN cd ${CURL_VERSION} && \
+    ./configure --with-nghttp2=/usr/local \
+                --with-brotli=/build/brotli-${BROTLI_VERSION}/build/installed \
+                --with-openssl=/build/boringssl/build \
+                LIBS="-pthread" \
+                CFLAGS="-I/build/boringssl/build" \
+                USE_CURL_SSLKEYLOGFILE=true && \
+    make clean && make
+
+# Rename to 'libcurl-impersonate' to avoid confusion, and recreate the
+# symbolic links.
+RUN ver=$(readlink -f curl-7.81.0/lib/.libs/libcurl.so | sed 's/.*so\.//') && \
+    major=$(echo -n $ver | cut -d'.' -f1) && \
+    cp "${CURL_VERSION}/lib/.libs/libcurl.so.$ver" "out/libcurl-impersonate.so.$ver" && \
+    ln -s "libcurl-impersonate.so.$ver" "out/libcurl-impersonate.so.$major" && \
+    ln -s "libcurl-impersonate.so.$ver" "out/libcurl-impersonate.so" && \
+    strip "out/libcurl-impersonate.so.$ver"
+
+# Wrapper scripts
+COPY curl_chrome* curl_edge* curl_safari* out/
+# Replace /bin/bash with /bin/ash
+RUN sed -i 's@/bin/bash@/bin/ash@' out/curl_*
+RUN chmod +x out/curl_*
+
+# When using alpine, create a final, minimal image with the compiled binaries
+# only.
+FROM alpine:3.15.0
+
+# Copy curl-impersonate from the builder image
+COPY --from=builder /build/out/curl-impersonate /usr/local/bin/
+# Wrapper scripts
+COPY --from=builder /build/out/curl_* /usr/local/bin/
+
+# Copy libcurl-impersonate from the builder image
+COPY --from=builder /build/out/libcurl-impersonate.so /usr/local/lib/