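# Squid SSL-bump caching forward proxy.
#
# Built locally from ./Dockerfile (the repo's one self-built image) -- there is
# no upstream ssl-bump image we want to trust in a hardened setup. The TLS
# interception CA lives on the host in ./ssl (generated by deploy.sh, mounted
# read-only); the leaf-cert DB, cache, and logs are named volumes.
#
# A published Docker port BYPASSES the host INPUT firewall, so BIND_ADDR should
# pin the listener to a trusted interface and TRUSTED_CIDR (Squid http_access)
# is the real access gate. Because it is the gate, TRUSTED_CIDR is REQUIRED
# below (`${VAR:?msg}`): Compose refuses to bring the stack up when it is
# unset or empty instead of passing an empty allow-list into the container.
---
name: squid

# Named volumes (bare keys are Compose's idiom for "default local driver").
volumes:
  squid-cache:
  squid-ssl-db:
  squid-logs:

services:
  squid:
    build:
      context: .
    image: "${SQUID_IMAGE_TAG:-automations/squid:latest}"
    container_name: squid
    restart: unless-stopped

    ports:
      # Default 0.0.0.0 exposes the proxy on every host interface; set
      # BIND_ADDR to a trusted interface address in .env for any host that is
      # not itself behind a perimeter filter (Docker publishes via nat, not
      # the INPUT chain). The port string is quoted so the "host:port:port"
      # form is never read as a sexagesimal number.
      - "${BIND_ADDR:-0.0.0.0}:${PROXY_PORT:-3128}:3128"

    # All values are quoted on purpose: they reach the entrypoint as strings,
    # and quoting keeps numeric-looking values from being retyped by YAML.
    environment:
      # Required -- the only http_access allow rule. Fail fast if missing.
      TRUSTED_CIDR: "${TRUSTED_CIDR:?TRUSTED_CIDR must be set - it is the Squid http_access allow list}"
      CACHE_SIZE_MB: "${CACHE_SIZE_MB:-5000}"
      MAX_OBJECT_SIZE_MB: "${MAX_OBJECT_SIZE_MB:-256}"
      CACHE_MEM_MB: "${CACHE_MEM_MB:-256}"
      DYNAMIC_CERT_MEM_MB: "${DYNAMIC_CERT_MEM_MB:-8}"
      CACHE_ONLY_LISTED: "${CACHE_ONLY_LISTED:-0}"
      VISIBLE_HOSTNAME: "${VISIBLE_HOSTNAME:-squid-proxy}"

    volumes:
      # Host-side inputs are mounted read-only: the interception CA key must
      # never be writable from inside the container, and the domain lists are
      # policy, edited on the host only.
      - ./ssl:/etc/squid/ssl:ro
      - ./splice-domains.txt:/etc/squid/splice-domains.txt:ro
      - ./cache-domains.txt:/etc/squid/cache-domains.txt:ro
      - ./cache-domains.regex:/etc/squid/cache-domains.regex:ro
      # Writable state stays in named volumes (generated leaf certs, cache,
      # logs) so it survives image rebuilds without touching the host tree.
      - squid-cache:/var/cache/squid
      - squid-ssl-db:/var/lib/squid/ssl_db
      - squid-logs:/var/log/squid

    healthcheck:
      # `squid -k check` signals the running master process via its pid file --
      # reliable and always present (no dependency on squidclient/nc). It
      # checks that the master process is alive and the config parses; it
      # does not prove the listener is accepting connections.
      test: ["CMD-SHELL", "squid -k check -f /etc/squid/squid.conf || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 20s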