e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
51 lines
1.2 KiB
Bash
#!/usr/bin/env bash
#
# build.sh -- (re)embed the loose deployment files into deploy.sh as a base64
# tar.gz payload after __ARCHIVE_BELOW__. Idempotent: strips any existing
# payload first.
#
# Run this after editing ANY embedded file below, then re-stage deploy.sh --
# the deployed stack uses the EMBEDDED copies, not the loose files.

set -euo pipefail

DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
SCRIPT="$DIR/deploy.sh"
MARKER="__ARCHIVE_BELOW__"

# The CA (ssl/), README, cloud-init, and the build/deploy scripts are NOT
# embedded -- the CA is generated on the host at deploy time.
FILES=(
  docker-compose.yml
  Dockerfile
  entrypoint.sh
  squid.conf.tmpl
  splice-domains.txt
  cache-domains.txt
  cache-domains.regex
  .env.example
)

[[ -f "$SCRIPT" ]] || { echo "deploy.sh not found at $SCRIPT" >&2; exit 1; }
for f in "${FILES[@]}"; do
  [[ -f "$DIR/$f" ]] || { echo "Missing $DIR/$f" >&2; exit 1; }
done

PAYLOAD=$(tar -czf - -C "$DIR" "${FILES[@]}" | base64)

TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT

# Keep deploy.sh up to (not including) any existing marker line, then append
# a fresh marker and payload; on an unbuilt deploy.sh the sed is a no-op copy.
sed "/^${MARKER}\$/,\$d" "$SCRIPT" > "$TMP"
{
  echo "$MARKER"
  echo "$PAYLOAD"
} >> "$TMP"

# mktemp creates the temp file 0600, so deploy.sh loses its mode bits on mv;
# restore the execute bit afterwards.
mv "$TMP" "$SCRIPT"
chmod +x "$SCRIPT"
trap - EXIT

size=$(wc -c < "$SCRIPT")
echo "Built $SCRIPT (${size} bytes)"
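The extraction side of this scheme, as an added example that is not part of the commit (deploy.sh itself is not shown on this page, so its real extraction code may differ): a hypothetical `extract_payload` reads back the base64 tar.gz that build.sh appends after `__ARCHIVE_BELOW__`, and `demo` round-trips it through a constructed stand-in script rather than the repository's files.

```shell
#!/usr/bin/env bash
# Hypothetical counterpart to build.sh: unpack the payload it appends.
set -euo pipefail

MARKER="__ARCHIVE_BELOW__"

# extract_payload SCRIPT DEST: decode everything after the marker line into DEST.
# Returns 1 if the marker is absent (deploy.sh was never built), so callers
# never run a stack from an empty or stale payload.
extract_payload() {
  local script="$1" dest="$2"
  grep -qx "$MARKER" "$script" || { echo "no $MARKER in $script" >&2; return 1; }
  mkdir -p "$dest"
  # Delete from line 1 through the marker; what remains is the base64 archive.
  sed "1,/^${MARKER}\$/d" "$script" | base64 -d | tar -xzf - -C "$dest"
}

# demo: build a throwaway self-extracting script from constructed sample files
# (not the real squid templates) and verify the files come back byte for byte.
demo() {
  local work ok=0
  work=$(mktemp -d)
  mkdir -p "$work/src" "$work/out"
  printf '# constructed sample template\n' > "$work/src/squid.conf.tmpl"
  printf '.example.com\n' > "$work/src/cache-domains.txt"
  {
    printf '#!/usr/bin/env bash\n'
    printf 'echo "stub deploy logic here"\n'
    echo "$MARKER"
    tar -czf - -C "$work/src" squid.conf.tmpl cache-domains.txt | base64
  } > "$work/deploy.sh"
  extract_payload "$work/deploy.sh" "$work/out" || return 1
  cmp -s "$work/src/squid.conf.tmpl" "$work/out/squid.conf.tmpl" \
    && cmp -s "$work/src/cache-domains.txt" "$work/out/cache-domains.txt" \
    && ok=1
  rm -rf "$work"
  [ "$ok" = 1 ]
}
```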