57_Wolve e7ba68790b

Done — the Squid deployment is fully built, wired in, and statically verified on the feat/squid-proxy branch.

## What landed

deployments/squid/ (13 files) plus wiring into [automations.sh](automations.sh:51), [README.md](README.md), and [.gitignore](.gitignore). All six approved design decisions are implemented:

- **Self-built minimal Alpine image** — apk add squid (ssl-bump compiled in), openssl/tini. [entrypoint.sh](deployments/squid/entrypoint.sh) renders squid.conf and generates the cache policy from the lists at start.
- **SSL-bump** peek→splice→bump with [splice-domains.txt](deployments/squid/splice-domains.txt) passthrough.
- **Wildcard hostname caching** — leading-dot [cache-domains.txt](deployments/squid/cache-domains.txt) + optional regex; CACHE_ONLY_LISTED boost/allowlist toggle.
- **HTML/dynamic storage gate**, with query strings exempt on boosted domains.
- **CA lifecycle** — generated on first deploy via the built image, key 0600 on the host, staged to tmpfs for the container, never embedded, git-ignored.
- **Deny-by-default http_access + BIND_ADDR pinning** as the real access gate (Docker bypasses INPUT).

## One bug caught & fixed

The test of the entrypoint's policy generation showed it emitting ubuntu.com with an **unescaped dot** — the `s/\./\\./g` double-backslash is sed-implementation-dependent and silently failed. Switched to a `[.]` character class (`ubuntu[.]com`), portable across busybox/git-bash, re-embedded, re-audited.

## Verified vs. pending

**Verified locally:** bash -n on all scripts, LF endings, launcher parses, embedded archive byte-matches the loose files, and the cache-policy generation produces correct Squid directives in both modes.

**Pending a Docker host** (this Windows box has none, as the plan anticipated): the container functional smoke test — build, CA mint, a bumped HTTPS fetch, a TCP_HIT, and a splice check. A few version-sensitive specifics get confirmed there: tls-cert=/tls-key= option names, the security_file_certgen path, busybox install -o/-g, ssl::server_name subdomain matching, and the squid -z flag. (All isolated and easy to adjust if any differ.)

## Commit (for you to GPG-sign)

Staged and ready. Per your convention I haven't committed — here's the message:

```
feat(squid): add SSL-bump caching forward-proxy deployment

New deployments/squid/: an explicit forward proxy with SSL-bump TLS
interception (local CA, generated on first deploy) and hostname-targeted
static-content caching. Unlike the other stacks it is a forward proxy, not
a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint
  renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional
  cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on
  boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600
  on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
```

```bash
git commit -S -F- <<'EOF'
<paste message above>
EOF
```

Want me to **push feat/squid-proxy** once you've committed (you'd open the PR in Gitea), or hold? And if you can point me at a Docker host (or run `docker compose build` in `/srv/squid` after a test deploy), I'll drive the functional smoke test and fix anything the live Squid version flags.
New deployments/squid/: an explicit forward proxy with SSL-bump TLS
interception (local CA, generated on first deploy) and hostname-targeted
static-content caching. Unlike the other stacks it is a forward proxy, not
a Caddy/Let's-Encrypt inbound site.
- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint
  renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional
  cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on
  boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600
  on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
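The portable dot-escaping fix described in the commit message, as an added shell example that is not the repository's entrypoint.sh: it turns a cache-domains.txt-style list (leading dot = wildcard) into Squid refresh_pattern lines, escaping dots with a [.] class so the output is identical under GNU sed, busybox sed and git-bash, and it tolerates CRLF lines from Windows editors. The refresh_pattern TTLs and options are assumed values for illustration, not the project's policy.

```shell
#!/bin/sh
# Added example, not the repository's entrypoint.sh. Generates Squid
# refresh_pattern directives from a cache-domains.txt-style list.

# Escape every literal dot as a [.] character class. The replacement side of
# s/// contains no backslash, so it behaves identically across GNU, busybox
# and git-bash sed, unlike "\\." whose backslash handling differs.
escape_dots() {
    printf '%s\n' "$1" | sed 's/\./[.]/g'
}

# Map one list entry to a URL regex for refresh_pattern:
#   ".ubuntu.com"    -> matches ubuntu.com and every subdomain (wildcard)
#   "dl.example.org" -> matches that exact host only
domain_to_url_regex() {
    case $1 in
        .*) printf '^https?://([^/]+[.])?%s/\n' "$(escape_dots "${1#.}")" ;;
        *)  printf '^https?://%s/\n' "$(escape_dots "$1")" ;;
    esac
}

# Read a list file (CRLF tolerated, "#" comments and blank lines skipped) and
# emit one refresh_pattern per entry. TTL/option values are assumptions.
gen_refresh_patterns() {
    tr -d '\r' < "$1" |
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf 'refresh_pattern -i %s 10080 90%% 43200 override-expire ignore-reload\n' \
            "$(domain_to_url_regex "$entry")"
    done
}

# Constructed sample list (CRLF on purpose) to show the generated policy.
sample=$(mktemp)
printf '# static mirrors\r\n.ubuntu.com\r\n\r\ndl.example.org  # exact host\n' > "$sample"
gen_refresh_patterns "$sample"
rm -f "$sample"
```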
2026-06-22 16:32:25 -05:00


# Copy to .env and fill in. docker compose picks .env up automatically.
#
# Squid SSL-bump caching forward proxy. Unlike the other stacks there is NO
# public hostname / Let's Encrypt cert -- this is a forward proxy. The TLS
# interception CA is generated on first deploy (deploy.sh) and never overwritten.
# ─── Who may use the proxy ──────────────────────────────────────────────────
# Space-separated CIDR(s) allowed to connect (Squid http_access). This is the
# REAL access gate -- keep it tight. Examples: 100.64.0.0/10 (Tailscale CGNAT),
# 10.0.0.0/8, 192.168.0.0/16.
TRUSTED_CIDR=100.64.0.0/10
# Host interface/IP to publish the proxy on, and the host-side port. Pin
# BIND_ADDR to a trusted interface (e.g. your Tailscale IP) -- a published
# Docker port BYPASSES the host INPUT firewall, so 0.0.0.0 exposes the proxy to
# every reachable network. Use 0.0.0.0 only if TRUSTED_CIDR + upstream
# firewalling already cover you.
BIND_ADDR=0.0.0.0
PROXY_PORT=3128
# ─── Cache sizing ───────────────────────────────────────────────────────────
CACHE_SIZE_MB=5000 # on-disk cache budget (MB)
MAX_OBJECT_SIZE_MB=256 # largest single object to cache (raise for ISOs/images)
CACHE_MEM_MB=256 # in-memory hot cache (MB)
# ─── Cache scope ────────────────────────────────────────────────────────────
# 0 = boost mode (default): cache everything per normal HTTP rules, and
# force-cache the domains in cache-domains.txt / .regex with long TTLs.
# 1 = strict allowlist: store ONLY the listed domains; pass the rest through.
CACHE_ONLY_LISTED=0
# ─── TLS interception CA (generated on first deploy) ────────────────────────
CA_CN=Squid Proxy CA
CA_O=automations
CA_DAYS=3650
DYNAMIC_CERT_MEM_MB=8 # in-RAM cache of generated per-host leaf certs (MB)
# ─── Misc ───────────────────────────────────────────────────────────────────
VISIBLE_HOSTNAME=squid-proxy
# Local build tag for the image (built from ./Dockerfile).
SQUID_IMAGE_TAG=automations/squid:latest