e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
23 lines
929 B
Docker
# Minimal Squid image with SSL-bump.
#
# Alpine ships its `squid` package built `--with-openssl`, so ssl-bump,
# https_port and security_file_certgen are all compiled in -- no
# compile-from-source needed (Debian/Ubuntu, by contrast, build squid against
# GnuTLS and need the separate `squid-openssl` package). openssl is included so
# deploy.sh can mint the CA via this image without a host openssl dependency.
FROM alpine:3.21

RUN apk add --no-cache squid ca-certificates openssl tini \
    && update-ca-certificates

COPY squid.conf.tmpl /etc/squid/squid.conf.tmpl
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

# Explicit forward-proxy port. Caching/inspection happen here; clients set
# HTTP(S)_PROXY to this host:3128.
EXPOSE 3128

# tini reaps zombies and forwards signals so `docker stop` shuts squid cleanly.
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]
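Review bot: `RUN apk add --no-cache squid ca-certificates openssl tini` pins only the base tag `alpine:3.21`, not the image digest or the package versions, so a rebuild can silently pull a different squid/OpenSSL build even though the header comment relies on the package's `--with-openssl` build options for ssl-bump and security_file_certgen; consider `FROM alpine:3.21@sha256:<digest>` and `squid=<version>` (placeholders) and note the pinned versions in the README. Two smaller points: `COPY entrypoint.sh` followed by `RUN chmod +x` can collapse into `COPY --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh` under BuildKit, saving a layer; and the file has no `USER` or `HEALTHCHECK`, so nothing here shows whether the proxy process ends up unprivileged (squid's own `cache_effective_user` drop or entrypoint.sh), which is worth a comment next to the ENTRYPOINT line.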