@KostyaEsmukov
Last active August 17, 2017 15:01

Squid3 in docker as caching proxy

Handy to speed up your CI builds: packages, archives and Maven artifacts fetched through the proxy are cached locally, including those downloaded over HTTPS, which the proxy decrypts with its own CA (SSL bump).

Configuration

# create a directory for files cache
mkdir -p /var/yourproject/squid/spool

mkdir -p /etc/yourproject/squid/
# put config files here (attached below)

Generate root CA

mkdir -p /etc/yourproject/squid/ssl_cert
cd /etc/yourproject/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes \
-x509 -keyout privkey.pem -out ca.pem \
-subj '/CN=docker-proxy/O=NULL/C=AU'
chown proxy:proxy privkey.pem
chmod 600 privkey.pem
openssl x509 -in ca.pem -outform DER -out ca.der

Start docker container

docker run \
    -d --restart=always \
    --name caching_proxy \
    -p 3128:3128 -p 3129:3129 \
    --log-driver=syslog --log-opt syslog-facility=local5 -v /dev/log:/dev/log \
    -v /etc/yourproject/squid/squid.conf:/etc/squid3/squid.user.conf:ro \
    -v /etc/yourproject/squid/mime.conf:/etc/squid3/mime.user.conf:ro \
    -v /etc/yourproject/squid/ssl_cert:/etc/squid3/ssl_cert \
    -v /var/yourproject/squid/spool:/var/spool/squid3 \
    --entrypoint=bash \
    sameersbn/squid \
    -c 'mkdir -p /usr/local/share/squid3 \
    && cat /usr/share/squid3/mime.conf > /usr/local/share/squid3/mime.conf \
    && cat /etc/squid3/mime.user.conf >> /usr/local/share/squid3/mime.conf \
    && cp /etc/squid3/ssl_cert/ca.* /usr/share/squid3/icons \
    && /sbin/entrypoint.sh'

Please note that you will end up with squid's ports exposed on every host interface! Squid's ACL only admits clients from the localnet ranges (all of RFC 1918 plus the IPv6 ULA and link-local ranges), which on a company LAN is everybody, so be sure that is what you want. A dedicated docker network with the CI containers attached, and no -p at all, works perfectly here. Two more things to keep in mind: the `cp ca.*` in the entrypoint publishes only ca.pem and ca.der into the icons directory, never privkey.pem, so keep that naming if you rename files; and whoever holds privkey.pem can forge a certificate for any site that clients trusting ca.pem visit through the proxy, so the key stays on the proxy host with mode 600 and is rotated together with the 365-day certificate. Squid only reads the CA files, so consider mounting ssl_cert with `:ro` as well.

Usage

You should now be able to fetch through the bumping port (--no-check-certificate is only needed until the CA is trusted, see below):

http_proxy=http://localhost:3129 https_proxy=http://localhost:3129 wget --no-check-certificate -O- https://google.com 1>/dev/null

To make TLS verification happy again, download the CA certificate from http://localhost:3128/squid-internal-static/icons/ca.pem (or ca.der for browsers) and add it to your trusted CA store. That download is over plain HTTP, so compare its SHA-256 fingerprint with the one computed on the proxy host (`openssl x509 -in ca.pem -noout -fingerprint -sha256`) before installing it. Clients only ever need ca.pem; privkey.pem never leaves the proxy.
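The following shell script is an added example and not part of the gist. It wraps the CA generation above, checks the properties that matter for the SSL-bump setup (key mode 0600, basicConstraints CA:TRUE, PEM and DER being the same certificate), publishes only the public files into the icons directory while refusing anything else the `ca.*` glob could pick up, and, once the container is up, shows which CA issued the certificate a client sees on port 3129 and whether a fetch was a cache hit. The CA_DIR default, the function names, the use of `openssl s_client -proxy` (OpenSSL 1.1.0 or newer) and the presence of Squid's `X-Cache` response header are assumptions.

```shell
#!/bin/sh
# Added example for this gist (not part of it): sanity checks around the
# SSL-bump root CA. Paths and function names are assumptions; adjust to taste.
set -eu

CA_DIR=${CA_DIR:-/etc/yourproject/squid/ssl_cert}

# gen_ca DIR: create the root CA exactly as the gist does (needs openssl).
gen_ca() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes \
        -x509 -keyout "$1/privkey.pem" -out "$1/ca.pem" \
        -subj '/CN=docker-proxy/O=NULL/C=AU'
    chmod 600 "$1/privkey.pem"
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
}

# key_mode_ok FILE: true only if FILE is a regular file with mode 0600.
# Reads the ls(1) mode string so it works on GNU and BSD userlands alike.
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# publish_ca SRC DST: copy only the public CA material (ca.pem, ca.der) into
# the directory Squid serves under /squid-internal-static/icons/. The gist's
# `cp ca.*` is safe because the key is named privkey.pem; this version also
# refuses if anything else (say, a stray ca.key) would match the glob.
publish_ca() {
    src=$1 dst=$2
    mkdir -p "$dst"
    for f in "$src"/ca.*; do
        case ${f##*/} in
            ca.pem|ca.der) cp "$f" "$dst/" ;;
            *) printf 'refusing to publish %s\n' "$f" >&2; return 1 ;;
        esac
    done
    # The private key must never be reachable through the proxy's icons URL.
    [ ! -e "$dst/privkey.pem" ]
}

# ca_is_ca FILE: clients reject the generated host certificates unless the
# root carries basicConstraints CA:TRUE (needs openssl).
ca_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# same_cert PEM DER: both encodings must have the same SHA-256 fingerprint.
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)" ]
}

# bump_issuer HOST: print the issuer of the certificate a client sees for HOST
# through the bumping port; expect the gist's CN=docker-proxy. The -proxy
# option is an assumption requiring OpenSSL 1.1.0 or newer.
bump_issuer() {
    printf '' | openssl s_client -proxy localhost:3129 -connect "$1:443" \
        -servername "$1" 2>/dev/null | openssl x509 -noout -issuer
}

# cache_status HEADERS: extract HIT or MISS from Squid's X-Cache response
# header (the text of a `curl -sI` run); prints UNKNOWN when it is absent.
cache_status() {
    status=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Xx]-[Cc]ache: *\([A-Z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${status:-UNKNOWN}"
}

# Only run the full flow when asked, so the functions can be sourced or tested.
if [ "${CA_CHECK_RUN:-0}" = 1 ]; then
    [ -f "$CA_DIR/ca.pem" ] || gen_ca "$CA_DIR"
    key_mode_ok "$CA_DIR/privkey.pem"
    ca_is_ca "$CA_DIR/ca.pem"
    same_cert "$CA_DIR/ca.pem" "$CA_DIR/ca.der"
    bump_issuer example.com
    cache_status "$(https_proxy=http://localhost:3129 \
        curl -sI --cacert "$CA_DIR/ca.pem" https://example.com/)"
fi
```

Run it with `CA_CHECK_RUN=1 sh ca-check.sh` on the proxy host after the container is up; the first `cache_status` call on a fresh object reports MISS and a repeat of the same fetch should report HIT.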

See also

mime.conf

# These dummy types configure Squid to serve the certificate as a static file.
# This allows clients to download the certificate from the proxy server.
# The .pem file is the certificate; the .der file is for browsers.
\.pem$ application/x-pem-file1 ca.pem - ascii +download
\.der$ application/x-der-file1 ca.der - image +download

squid.conf

access_log syslog:local5.info squid
mime_table /usr/local/share/squid3/mime.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 80 # npm wants to CONNECT registry.npmjs.org:80. weirdo.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
# Decrypt every CONNECT that arrives on the ssl-bump port and re-sign the
# server's certificate with our CA. Clients that pin certificates will fail.
ssl_bump server-first all
# Port 3128 is a plain HTTP forwarding port; it also serves error pages and
# icons, and in our case the local CA cert. CONNECT tunnels through it are
# passed on unmodified. Port 3129 is the same kind of explicit forward-proxy
# port with ssl-bump enabled: clients pointed at it via http_proxy/https_proxy
# get their CONNECT tunnels decrypted and the responses cached. Neither port
# is an intercept port, so no firewall redirect rules are needed.
http_port 3128
http_port 3129 ssl-bump cert=/etc/squid3/ssl_cert/ca.pem key=/etc/squid3/ssl_cert/privkey.pem generate-host-certificates=on
maximum_object_size 512 MB
cache_dir aufs /var/spool/squid3 2024 16 256
cache_mem 200 MB
maximum_object_size_in_memory 100 MB
cache_replacement_policy heap LFUDA
#coredump_dir /var/spool/squid3
refresh_pattern (Packages|Sources|Release|InRelease|APKINDEX)[^/]*$ 0 20% 1 refresh-ims
# 129600 minutes = 90 days. The ignore-* options override the origin's
# Cache-Control, so a cached artifact is served until it expires or is evicted.
# The dots are escaped: an unescaped "." would match any character.
refresh_pattern -i \.(udeb|tar\.gz|deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin|apk|ts)$ 129600 100% 129600 override-expire ignore-no-cache ignore-no-store
refresh_pattern -i \.(jar|pom)$ 129600 100% 129600 override-expire ignore-no-cache ignore-no-store ignore-must-revalidate
refresh_pattern . 0 20% 4320 refresh-ims