diff --git a/Dockerfile b/Dockerfile
index 6702adc..941d514 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,6 +3,7 @@ FROM alpine:3.16
 # hadolint ignore=DL3018
 RUN apk add --no-cache squid openssl darkhttpd
 COPY run.sh rewrite.awk /
+COPY install-ca.sh /static/
 COPY squid.conf /etc/squid/squid.conf
 RUN chmod 0755 /run.sh /rewrite.awk ; mkdir /ca
diff --git a/install-ca.sh b/install-ca.sh
new file mode 100644
index 0000000..49e76f8
--- /dev/null
+++ b/install-ca.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+CA_CRT_URL=http://proxy/ca.crt
+
+
+download_ca_cert()
+{
+ [ -e "$1" ] && return
+ type curl >/dev/null 2>&1 && curl -so "$1" "${CA_CRT_URL}"
+ [ -e "$1" ] && return
+ type wget >/dev/null 2>&1 && wget -qO "$1" "${CA_CRT_URL}"
+ [ -e "$1" ] && return
+ if type bash >/dev/null 2>&1 ; then
+ # shellcheck disable=SC2154
+ host_slash_port=$(echo "${http_proxy##http://}" | tr : /)
+ printf "exec 42<>/dev/tcp/%s ; echo -ne 'GET %s HTTP/1.0\r\nConnection: close\r\n\r\n' >&42 ; sed '0,/^\r$/d' <&42" "${host_slash_port}" "${CA_CRT_URL}" | bash
+ fi
+}
+
+install_alpine()
+{
+ mkdir -p /usr/local/share/ca-certificates
+ download_ca_cert /usr/local/share/ca-certificates/proxy.crt
+ cat /usr/local/share/ca-certificates/proxy.crt >> /etc/ssl/certs/ca-certificates.crt
+ apk add ca-certificates
+ update-ca-certificates
+}
+
+install_arch()
+{
+ download_ca_cert /etc/ca-certificates/trust-source/anchors/proxy.crt
+ update-ca-trust
+}
+
+install_debian()
+{
+ mkdir -p /usr/local/share/ca-certificates
+ download_ca_cert /usr/local/share/ca-certificates/proxy.crt
+ update-ca-certificates
+}
+
+install_redhat()
+{
+ download_ca_cert /etc/pki/ca-trust/source/anchors/proxy.crt
+ update-ca-trust
+}
+
+[ -e /etc/alpine-release ] && install_alpine
+[ -e /etc/arch-release ] && install_arch
+[ -e /etc/debian_version ] && install_debian
+[ -e /etc/redhat-release ] && install_redhat
diff --git a/rewrite.awk b/rewrite.awk
index fb0de0b..8281587 100755
--- a/rewrite.awk
+++ b/rewrite.awk
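Review bot: In install-ca.sh, `download_ca_cert` leaves whatever ends up at `$1` to be installed as a trust anchor without checking that it is a certificate, and every `install_*` function goes on to run `update-ca-certificates` or `update-ca-trust` even when nothing usable was fetched. `curl -so` without `-f` saves an HTTP error body as `proxy.crt`, `[ -e "$1" ]` accepts an empty file that a failed `wget -O` can leave behind, and the bash fallback prints the response to stdout rather than writing `$1` (the `| bash` pipeline has no `> "$1"`). The rewrite below fails closed, and each caller should then use `download_ca_cert <path> || return 1`. The script cannot report such a failure today, because its last line `[ -e /etc/redhat-release ] && install_redhat` already yields status 1 on every non-Red-Hat system; an `if`/`elif` chain would fix that. Since the fetch is plain HTTP, comparing the file's SHA-256 with a value supplied out of band before trusting it would be a further hardening step.

```shell
download_ca_cert()
{
    if [ ! -s "$1" ] && type curl >/dev/null 2>&1 ; then
        curl -fsSo "$1" "${CA_CRT_URL}"
    fi
    if [ ! -s "$1" ] && type wget >/dev/null 2>&1 ; then
        wget -qO "$1" "${CA_CRT_URL}"
    fi
    if [ ! -s "$1" ] && type bash >/dev/null 2>&1 ; then
        # … unchanged: host_slash_port assignment and the printf … | bash pipeline, with > "$1" appended …
    fi
    # Refuse to hand anything that is not PEM certificate data to the trust store.
    if ! grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null ; then
        rm -f "$1"
        echo "install-ca.sh: no certificate received from ${CA_CRT_URL}" >&2
        return 1
    fi
}
```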
@@ -2,8 +2,9 @@
 function handle_request(url, ip_fqdn, ident, method, kv) {
- if (url == "http://proxy/ca.crt") {
- return "OK rewrite-url=http://127.0.0.1:9999/ca.crt"
+ if (index(url, "http://proxy/") == 1) {
+ sub(/http:\/\/proxy\//, "http://127.0.0.1:9999/", url)
+ return "OK rewrite-url=" url
 }
 return "OK"
 }
diff --git a/run.sh b/run.sh
index c49ad30..b4a22e1 100755
--- a/run.sh
+++ b/run.sh
@@ -24,10 +24,12 @@ while [ -e /var/run/squid.pid ] ; do
 sleep 1
 done
-syslogd
-darkhttpd /static --port 9999 --chroot --daemon \
- --uid nobody --gid nobody \
- --no-listing
-squid -s
+(
+ sleep 1
+ darkhttpd /static --port 9999 --chroot --daemon \
+ --uid nobody --gid nobody \
+ --no-listing
+ squid -s
+) &
-tail -f /var/log/messages
+syslogd -n -O -
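Review bot: In rewrite.awk, the new prefix match forwards every `http://proxy/...` request to darkhttpd, so everything under `/static` is now readable by any proxy client, where the old exact match exposed only `ca.crt`. That wider boundary deserves a comment above the `if`, for example `# all of /static is published to proxy clients: keep only public files there, never the CA key`. Where the CA private key is written is not visible in this diff, so that should be confirmed against run.sh. The `sub()` pattern is also unanchored; `sub(/^http:\/\/proxy\//, "http://127.0.0.1:9999/", url)` states in the regex what `index(url, "http://proxy/") == 1` already enforces.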
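Review bot: In run.sh, the `sleep 1` at the top of the background subshell is a timing guess: if syslogd has not created its socket within that second, the first `squid -s` messages are lost, and those are the ones that explain a failed start. Waiting for the socket in the loop style the script already uses would be deterministic, e.g. `while [ ! -S /dev/log ] ; do sleep 1 ; done`, assuming syslogd's default `/dev/log` socket. The exit statuses of `darkhttpd` and `squid -s` are also dropped inside `( … ) &`, so the container keeps running under syslogd when the proxy never came up; an explicit failure message or a container health check would make that visible. The script begins above this hunk, so its earlier setup is not covered here.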