# Minimal Squid image with SSL-bump.
#
# Alpine ships its `squid` package built `--with-openssl`, so ssl-bump,
# https_port and security_file_certgen are all compiled in -- no
# compile-from-source needed (Debian/Ubuntu, by contrast, build squid against
# GnuTLS and need the separate `squid-openssl` package). openssl is included so
# deploy.sh can mint the CA via this image without a host openssl dependency.
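# The base image is referenced by tag only, so the content behind it can change
# between builds. For reproducible builds also pin the digest
# (alpine:3.21@sha256:<digest-placeholder>) and bump it deliberately when
# picking up security fixes.
FROM alpine:3.21

# Runtime packages, one per line and sorted so changes diff cleanly:
#   ca-certificates - trust store used when squid validates upstream TLS servers
#   openssl         - lets deploy.sh mint the CA through this image
#   squid           - the proxy itself
#   tini            - PID 1 init
# Versions are not pinned, so each rebuild takes whatever the 3.21 branch
# currently ships for these packages.
RUN apk add --no-cache \
        ca-certificates \
        openssl \
        squid \
        tini \
    && update-ca-certificates

# Only the config template and the entrypoint are baked in. No CA certificate
# or private key is copied at build time. Keep it that way: a signing key
# stored in an image layer is readable by anyone who can pull the image.
# NOTE(review): presumably entrypoint.sh renders the template and the CA
# material is supplied at runtime (mount or secret) -- confirm in entrypoint.sh.
COPY squid.conf.tmpl /etc/squid/squid.conf.tmpl

# --chmod sets the mode in the same layer as the copy, replacing the separate
# `RUN chmod +x` layer. Requires BuildKit (the default builder since Docker
# Engine 23.0).
COPY --chmod=0755 entrypoint.sh /usr/local/bin/entrypoint.sh

# Explicit forward-proxy port. Caching/inspection happen here; clients set
# HTTP(S)_PROXY to this host:3128.
# EXPOSE is documentation only. Who may use the proxy is decided by the ACLs in
# squid.conf.tmpl (not shown here) and by how the port is published, so limit
# reachability of 3128 to the intended clients.
EXPOSE 3128

# tini reaps zombies and forwards signals so `docker stop` shuts squid cleanly.
# No USER is set, so entrypoint.sh starts as root.
# NOTE(review): squid normally switches to its cache_effective_user after being
# started as root -- confirm the rendered config does not override that, and
# that entrypoint.sh ends by exec'ing squid so signals from tini reach it.
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]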
