e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
42 lines
2.5 KiB
Bash
# Copy to .env and fill in. docker compose picks .env up automatically.
#
# Squid SSL-bump caching forward proxy. Unlike the other stacks there is NO
# public hostname / Let's Encrypt cert -- this is a forward proxy. The TLS
# interception CA is generated on first deploy (deploy.sh) and never overwritten.

# ─── Who may use the proxy ──────────────────────────────────────────────────
# Space-separated CIDR(s) allowed to connect (Squid http_access). This is the
# REAL access gate -- keep it tight. Examples: 100.64.0.0/10 (Tailscale CGNAT),
# 10.0.0.0/8, 192.168.0.0/16.
TRUSTED_CIDR=100.64.0.0/10

# Host interface/IP to publish the proxy on, and the host-side port. Pin
# BIND_ADDR to a trusted interface (e.g. your Tailscale IP). A published
# Docker port BYPASSES the host INPUT firewall (Docker's own iptables rules
# accept it in the FORWARD/DOCKER chains; only DOCKER-USER rules run first),
# so 0.0.0.0 exposes the proxy to every reachable network. Use 0.0.0.0 only
# if TRUSTED_CIDR + upstream firewalling already cover you.
BIND_ADDR=0.0.0.0
PROXY_PORT=3128

# ─── Cache sizing ───────────────────────────────────────────────────────────
CACHE_SIZE_MB=5000 # on-disk cache budget (MB)
MAX_OBJECT_SIZE_MB=256 # largest single object to cache (raise for ISOs/images)
CACHE_MEM_MB=256 # in-memory hot cache (MB)

# ─── Cache scope ────────────────────────────────────────────────────────────
# 0 = boost mode (default): cache everything per normal HTTP rules, and
# force-cache the domains in cache-domains.txt / .regex with long TTLs.
# 1 = strict allowlist: store ONLY the listed domains; pass the rest through.
CACHE_ONLY_LISTED=0

# ─── TLS interception CA (generated on first deploy) ────────────────────────
CA_CN=Squid Proxy CA
CA_O=automations
CA_DAYS=3650
DYNAMIC_CERT_MEM_MB=8 # in-RAM cache of generated per-host leaf certs (MB)

# ─── Misc ───────────────────────────────────────────────────────────────────
VISIBLE_HOSTNAME=squid-proxy
# Local build tag for the image (built from ./Dockerfile).
SQUID_IMAGE_TAG=automations/squid:latest