samuong / alpaca

A local HTTP proxy for command-line tools. Supports PAC scripts and NTLM authentication.
Apache License 2.0

Is it possible to make alpaca listen on all interfaces? #95

Closed paulo-dc closed 2 years ago

paulo-dc commented 2 years ago

Hi,

Alpaca is a great tool, and easily replaces cntlm on my computer due to its ability to support proxypac.

Unfortunately I'm facing one issue: I use docker inside wsl2, and because of the fact that alpaca only listens on the localhost interface, I can't use it from a container :(

tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 111/alpaca

Is there a way to make alpaca listen on all interfaces (0.0.0.0)?

BR

keilin-anz commented 2 years ago

Seems like it's currently hardcoded:

https://github.com/samuong/alpaca/blob/master/main.go#L94

But shouldn't be too hard to make it a flag, not sure of the broader implications to the system however

samuong commented 2 years ago

It is possible, but I would like to avoid it if we can. The reason is that alpaca authenticates to the upstream proxy on your behalf, so having it listen for external connections would allow other hosts to make use of your proxy credentials. Ideally we'd just open this up to the docker container, and not to other hosts on the local network.

A few options come to mind:

  1. Can you run alpaca in the docker container? I think this would be the easiest way to do it, let me know if there's a reason this isn't possible?
  2. If not, we could potentially add a flag to somehow just listen on the docker network interface. For example, on my machine, docker's virtual network interface is 172.17.0.1, and alpaca can be made to listen on that address only:
[sam@sam-desktop alpaca]$ ip addr show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:2c:d4:75:3f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2cff:fed4:753f/64 scope link 
       valid_lft forever preferred_lft forever
[sam@sam-desktop alpaca]$ git diff
diff --git a/main.go b/main.go
index b1d63c4..a0b75ef 100644
--- a/main.go
+++ b/main.go
@@ -99,7 +99,7 @@ func createServer(port int, pacurl string, a *authenticator) *http.Server {

        return &http.Server{
                // Set the addr to localhost so that we only listen locally.
-               Addr:    fmt.Sprintf("localhost:%d", port),
+               Addr:    fmt.Sprintf("172.17.0.1:%d", port),
                Handler: handler,
                // TODO: Implement HTTP/2 support. In the meantime, set TLSNextProto to a non-nil
                // value to disable HTTP/2.
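
Review bot: The new `Addr` line hardcodes `172.17.0.1`, which is the docker0 address on this one machine, and the comment directly above it ("Set the addr to localhost so that we only listen locally") no longer describes what the code does. Take the host from a command-line flag that defaults to `localhost`, reword the comment to say the listener is reachable from anything that can route to the chosen address, and build the string with `net.JoinHostPort` instead of `fmt.Sprintf` so that an IPv6 literal is bracketed correctly.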

Then you can access this from within the container (but not from other hosts on the local network):

[sam@sam-desktop alpaca]$ docker run -it golang
root@57e5b4b8d55d:/go# curl -x http://172.17.0.1:3128 google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

lehcim commented 2 years ago

It would be great to have an option on the command line to choose which interface to listen on, something like this:

$ alpaca -i 127.0.0.1    # listen only on localhost (this is the default)
$ alpaca -i 172.17.0.1  # listen only on docker0
$ alpaca -i 0.0.0.0        # listen on all interfaces
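
One way to validate the value of a listen-address option like the `-i` proposed above before it reaches `http.Server.Addr`, so the caller knows whether the upstream proxy credentials stay local or become reachable from other hosts. This is an added example, not alpaca's code; `resolveListenAddr` and the `Exposure` type are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

type Exposure string // who can reach a listener bound to the given host

const (
	LoopbackOnly    Exposure = "loopback only"
	SingleInterface Exposure = "one interface"
	AllInterfaces   Exposure = "all interfaces"
)

// resolveListenAddr (hypothetical helper) returns the host:port string for
// http.Server.Addr and classifies how widely the listener is reachable.
func resolveListenAddr(host string, port int) (string, Exposure, error) {
	if port < 1 || port > 65535 {
		return "", "", fmt.Errorf("port %d out of range", port)
	}
	addr := net.JoinHostPort(host, strconv.Itoa(port)) // brackets IPv6 literals
	if host == "localhost" {
		return addr, LoopbackOnly, nil
	}
	ip := net.ParseIP(host)
	switch {
	case ip == nil: // also rejects "", which would yield ":port" and bind every interface
		return "", "", fmt.Errorf("listen address %q is not an IP literal", host)
	case ip.IsLoopback():
		return addr, LoopbackOnly, nil
	case ip.IsUnspecified(): // 0.0.0.0 or ::
		return addr, AllInterfaces, nil
	default:
		return addr, SingleInterface, nil
	}
}

func main() {
	// Constructed sample inputs, including the three from the comment above.
	for _, h := range []string{"127.0.0.1", "172.17.0.1", "0.0.0.0", "::1", ""} {
		addr, exp, err := resolveListenAddr(h, 3128)
		fmt.Printf("%-12q -> %q (%s) err=%v\n", h, addr, exp, err)
	}
}
```

A caller can log a warning or require an explicit opt-in when the result is `AllInterfaces`.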

samuong commented 2 years ago

I just tried on my Mac, and I can do this inside a container:

https_proxy=http://host.docker.internal:3128 curl google.com

Not sure if this works with WSL2, @paulo-dc is this something you can try and let me know?

paulo-dc commented 2 years ago

Hi @samuong!

Sorry for my late response (was on holidays). The test you asked me does not work on my WSL2.

But I downloaded the last release of alpaca, and that made my day! Works just perfectly! Like a charm!

With the option to listen on a dedicated interface I can use it now from my containers. And I am not afraid about security, as my FW prevents other computers from using my services.

Many thx!! Alpaca is really a great tool!