e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
52 lines
1.8 KiB
YAML
# Squid SSL-bump caching forward proxy.
#
# Built locally from ./Dockerfile (the repo's one self-built image) -- there is
# no upstream ssl-bump image we want to trust in a hardened setup. The TLS
# interception CA lives on the host in ./ssl (generated by deploy.sh, mounted
# read-only); the leaf-cert DB, cache, and logs are named volumes.
#
# A published Docker port BYPASSES the host INPUT firewall, so BIND_ADDR should
# pin the listener to a trusted interface and TRUSTED_CIDR (Squid http_access)
# is the real access gate.

name: squid

volumes:
  squid-cache:
  squid-ssl-db:
  squid-logs:

services:
  squid:
    build:
      context: .
    image: ${SQUID_IMAGE_TAG:-automations/squid:latest}
    container_name: squid
    restart: unless-stopped
    ports:
      - "${BIND_ADDR:-0.0.0.0}:${PROXY_PORT:-3128}:3128"
    environment:
      TRUSTED_CIDR: "${TRUSTED_CIDR}"
      CACHE_SIZE_MB: "${CACHE_SIZE_MB:-5000}"
      MAX_OBJECT_SIZE_MB: "${MAX_OBJECT_SIZE_MB:-256}"
      CACHE_MEM_MB: "${CACHE_MEM_MB:-256}"
      DYNAMIC_CERT_MEM_MB: "${DYNAMIC_CERT_MEM_MB:-8}"
      CACHE_ONLY_LISTED: "${CACHE_ONLY_LISTED:-0}"
      VISIBLE_HOSTNAME: "${VISIBLE_HOSTNAME:-squid-proxy}"
    volumes:
      - ./ssl:/etc/squid/ssl:ro
      - ./splice-domains.txt:/etc/squid/splice-domains.txt:ro
      - ./cache-domains.txt:/etc/squid/cache-domains.txt:ro
      - ./cache-domains.regex:/etc/squid/cache-domains.regex:ro
      - squid-cache:/var/cache/squid
      - squid-ssl-db:/var/lib/squid/ssl_db
      - squid-logs:/var/log/squid
    healthcheck:
      # `squid -k check` signals the running master process via its pid file --
      # reliable and always present (no dependency on squidclient/nc).
      test: ["CMD-SHELL", "squid -k check -f /etc/squid/squid.conf || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 20s
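The commit message says the entrypoint renders squid.conf from the mounted domain lists and the environment above (deny-by-default http_access from TRUSTED_CIDR, splice list, storage gate, boost vs strict allowlist). The renderer below is an added example written for this page, not the repository's entrypoint: it shows one way to turn those inputs into Squid directives. The ACL names, the `store_miss` directive as the mechanism for the storage gate, the static-asset extension list, the certgen helper path and the sample domain lists are all assumptions; the CA and ssl_db paths follow the compose mounts.

```sh
#!/bin/sh
# Added example, not the repository's entrypoint: renders the squid.conf policy
# that the compose file's env vars and mounted lists imply. ACL names, the
# certgen path and the static-asset extension list are assumptions.

# list_tokens FILE: drop comments and blank lines, print entries space-separated.
list_tokens() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | tr '\n' ' ' | sed 's/ $//'
}

# domain_to_url_regex .cdn.example.com -> ^https?://([^/]*\.)?cdn\.example\.com/
domain_to_url_regex() {
    d=$(printf '%s' "$1" | sed -e 's/^\.//' -e 's/\./\\./g')
    printf '^https?://([^/]*\\.)?%s/' "$d"
}

# render_squid_policy LISTDIR: print the policy fragment to stdout.
# Env: TRUSTED_CIDR (required), CACHE_ONLY_LISTED (0|1), DYNAMIC_CERT_MEM_MB.
render_squid_policy() {
    listdir=$1
    trusted=${TRUSTED_CIDR:?TRUSTED_CIDR must be set, the proxy is deny-by-default}
    certmem=${DYNAMIC_CERT_MEM_MB:-8}
    cache_list=$(list_tokens "$listdir/cache-domains.txt")
    cache_re=$(list_tokens "$listdir/cache-domains.regex")
    splice_list=$(list_tokens "$listdir/splice-domains.txt")

    printf '%s\n' '# --- access gate: only TRUSTED_CIDR may use the proxy ---' \
        "acl trusted src $trusted" \
        'http_access allow trusted' \
        'http_access deny all'

    printf '%s\n' '# --- listener + interception CA (mounted read-only at /etc/squid/ssl) ---' \
        "http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=${certmem}MB tls-cert=/etc/squid/ssl/ca.pem tls-key=/etc/squid/ssl/ca.key" \
        "sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M ${certmem}MB"

    printf '%s\n' '# --- TLS: peek at SNI, splice pinned/banking hosts, bump the rest ---' \
        'acl step1 at_step SslBump1' \
        'ssl_bump peek step1'
    # An ACL with no values is a config error, so emit the rule only for a non-empty list.
    if [ -n "$splice_list" ]; then
        printf '%s\n' "acl splice_domains ssl::server_name $splice_list" \
            'ssl_bump splice splice_domains'
    fi
    printf '%s\n' 'ssl_bump bump all'

    printf '%s\n' '# --- storage gate: never store HTML or dynamic content ---' \
        'acl html_reply rep_mime_type -i ^text/html ^application/xhtml' \
        'acl dynamic_path urlpath_regex -i \.(php|asp|aspx|jsp|cgi|pl)(\?|$)' \
        'acl has_query url_regex \?' \
        'store_miss deny html_reply' \
        'store_miss deny dynamic_path'

    # Cache-domain ACLs; "unlisted" collects the negated ACL names for the rules below.
    unlisted=''
    if [ -n "$cache_list" ]; then
        printf '%s\n' "acl cache_domains dstdomain $cache_list"
        unlisted="$unlisted !cache_domains"
    fi
    if [ -n "$cache_re" ]; then
        printf '%s\n' "acl cache_domains_re dstdom_regex -i $cache_re"
        unlisted="$unlisted !cache_domains_re"
    fi
    # Query-string URLs are only storable on boosted (listed) hosts.
    printf '%s\n' "store_miss deny has_query$unlisted"
    if [ "${CACHE_ONLY_LISTED:-0}" = 1 ]; then
        # Strict allowlist: anything not matched by a list ACL is never stored.
        if [ -n "$unlisted" ]; then printf '%s\n' "store_miss deny$unlisted"
        else printf '%s\n' 'store_miss deny all'; fi
    else
        # Boost: long refresh for versioned static assets on listed hosts;
        # unlisted hosts keep Squid's default heuristics.
        for dom in $cache_list; do
            printf '%s\n' "refresh_pattern -i $(domain_to_url_regex "$dom").*\.(js|css|png|jpe?g|gif|svg|ico|woff2?)(\?.*)?$ 10080 90% 43200"
        done
    fi
}

# make_sample_lists: write constructed sample lists to a temp dir, print its path.
make_sample_lists() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sample; leading dot = host and all subdomains' \
        '.cdn.example.com' '.static.example.net' > "$dir/cache-domains.txt"
    printf '%s\n' '(^|\.)assets[0-9]*\.example\.org$' > "$dir/cache-domains.regex"
    printf '%s\n' '.online-banking.example' '.pinned.example' > "$dir/splice-domains.txt"
    printf '%s' "$dir"
}

# Stand-alone run: boost mode for an assumed trusted /24 on the sample lists.
TRUSTED_CIDR=${TRUSTED_CIDR:-10.0.0.0/24} render_squid_policy "$(make_sample_lists)"
```

Two points the compose file alone does not make visible: the `http_access deny all` terminator is what makes TRUSTED_CIDR a real gate even when BIND_ADDR is left at 0.0.0.0, and with CACHE_ONLY_LISTED=1 the renderer falls back to `store_miss deny all` when both lists are empty rather than emitting an empty ACL, which Squid would reject at startup.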