Browser based supports Mutual TLS without ZAP
## Problem

DAST uses Mutual TLS when the user specifies the CI/CD variables `DAST_PKCS12_CERTIFICATE_BASE64` and `DAST_PKCS12_PASSWORD`. The browser-based analyzer proxies HTTP requests through ZAP, so in order to remove ZAP an alternative Mutual TLS solution must be used.

## Proposal

FIPS Browser-based DAST proxies all requests via Squid, which also provides Mutual TLS functionality. The same solution can be leveraged for non-FIPS browser-based DAST.

### dast-chromium

1. [x] Update `build-squid.sh` to work with both UBI & Ubuntu
1. [x] Update `.gitlab-ci.yml` to build squid similar to fips build
1. [x] Update `Dockerfile` to include squid similar to how `Dockerfile_fips` does
1. [x] Update `test/chromium_smoke_test.sh` so Squid tests also run for non-FIPS build
1. [x] Verify build works and tests pass
1. [x] Manually verify Squid is working in built image

### browserker

1. [x] Review fips build process and identify Squid related items
1. [x] Mirror Squid related items from fips build for regular build
1. [x] Create `entrypoint.sh` script based on `entrypoint-fips.sh` script
1. [x] Update `Dockerfile` entry point to be `entrypoint.sh`
1. [x] Enable `test/end-to-end/test-squid-forward-proxy-errors.sh` for regular builds
1. [x] Enable `test/end-to-end/test-mutual-tls.sh` for regular builds
1. [x] Verify tests are passing

### dast

1. [x] Create an `entrypoint.dast.sh` script based on `entrypoint-fips.dast.sh` or combine if possible
1. [x] Review `Dockerfile-fips` and identify all squid related items and mirror to `Dockerfile`
1. [x] Review `test-fips.sh` and extract squid related tests into its own test file that runs for both builds
1. [ ] Add `Proxy` configuration parameter ([see comment](https://gitlab.com/gitlab-org/gitlab/-/issues/424856#note_1692324381))
1. [ ] Verify all tests are passing
1. [ ] Are any additional tests needed?
1. [ ] Is there a Mutual TLS demo project to test with?