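# Minimal Squid image with SSL-bump.
#
# Alpine ships its `squid` package built `--with-openssl`, so ssl-bump,
# https_port and security_file_certgen are all compiled in -- no
# compile-from-source needed (Debian/Ubuntu, by contrast, build squid against
# GnuTLS and need the separate `squid-openssl` package). openssl is included so
# deploy.sh can mint the CA via this image without a host openssl dependency.
#
# Security notes:
#   * ssl-bump makes this proxy terminate and re-sign client TLS, so the
#     bumping CA's private key is as sensitive as the traffic it can read.
#     Nothing below copies CA material into the image; keep it that way and
#     supply the CA at runtime (mount or secret) so the key never lands in an
#     image layer or registry.
#   * No USER is set, so entrypoint.sh starts as root.
#     NOTE(review): confirm that entrypoint.sh / squid drops to an
#     unprivileged user before serving traffic.
#   * The base is referenced by a floating tag. For reproducible builds pin it
#     by digest, e.g. alpine:3.21@sha256:<digest-placeholder>. The apk packages
#     are likewise unpinned.
FROM alpine:3.21

# One package per line, sorted, so additions show up clearly in review.
# NOTE(review): openssl also remains in the runtime image; if only deploy.sh
# needs it, consider whether it can live in a separate build target.
RUN apk add --no-cache \
        ca-certificates \
        openssl \
        squid \
        tini \
    && update-ca-certificates

COPY squid.conf.tmpl /etc/squid/squid.conf.tmpl
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

# Explicit forward-proxy port. Caching/inspection happen here; clients set
# HTTP(S)_PROXY to this host:3128.
# EXPOSE is documentation only and does not publish the port. When publishing
# it, bind it to the trusted client network only and rely on the access rules
# in squid.conf.tmpl, so the proxy is not reachable by arbitrary hosts.
EXPOSE 3128

# tini reaps zombies and forwards signals so `docker stop` shuts squid cleanly.
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]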