Basic functionality fully working

.gitignore

@@ -0,0 +1 @@
+*[~%]

Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.16
+
+RUN apk add --no-cache squid openssl darkhttpd
+RUN mkdir /ca
+COPY run.sh rewrite.awk /
+RUN chmod 0755 /run.sh /rewrite.awk
+COPY squid.conf /etc/squid/squid.conf
+
+VOLUME /var/cache/squid
+EXPOSE 3128
+
+CMD ["/run.sh"]

rewrite.awk

@@ -0,0 +1,20 @@
+#!/usr/bin/awk -f
+
+function handle_request(url, ip_fqdn, ident, method, kv)
+{
+    if (url == "http://proxy/ca.crt") {
+        return "OK rewrite-url=http://127.0.0.1:9999/ca.crt"
+    }
+    return "OK"
+}
+
+\$1 ~ /^[0-9]+$/ {request_id=\$1 " "; request_url=\$2; request_ip_fqdn=\$3, request_ident=\$4, request_method=\$5, first_pair=6}
+\$1 !~ /^[0-9]+$/ {request_id=""; request_url=\$1; request_ip_fqdn=\$2, request_ident=\$3, request_method=\$4, first_pair=5}
+{
+    split("", kv);
+    for (i=first_pair; i<=NF; i++) {
+        split(\$i, parts, sep="=")
+        kv[parts[1]]=parts[2]
+    }
+    print request_id handle_request(request_url, request_ip_fqdn, request_ident, request_method, kv)
+}

run.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+CA_DIR=/ca
+CERT_FILE="${CA_DIR}/cert.pem"
+KEY_FILE="${CA_DIR}/key.pem"
+
+[ -e "${CERT_FILE}" -a -e "${KEY_FILE}" ] || \
+    openssl req -new -newkey rsa:2048 -sha256 -days 1500 -nodes -x509 \
+        -extensions v3_ca -subj "/C=/ST=/L=/O=/OU=/CN=proxy" \
+        -keyout "${KEY_FILE}" -out "${CERT_FILE}"
+
+mkdir -p /static
+cp -f "${CERT_FILE}" /static/ca.crt
+
+[ -d /var/lib/ssl_db ] || /usr/lib/squid/security_file_certgen -c \
+    -s /var/lib/ssl_db -M 4MB
+chown -R squid:squid /var/lib/ssl_db
+
+[ -e /var/cache/squid/swap.state ] || squid -z
+while [ -e /var/run/squid.pid ] ; do
+    sleep 1
+done
+
+syslogd
+darkhttpd /static --port 9999 --chroot --daemon \
+    --uid nobody --gid nobody \
+    --no-listing 
+squid -s
+
+tail -f /var/log/messages

squid.conf

@@ -0,0 +1,61 @@
+acl localnet src 0.0.0.1-0.255.255.255
+acl localnet src 10.0.0.0/8
+acl localnet src 100.64.0.0/10
+acl localnet src 169.254.0.0/16
+acl localnet src 172.16.0.0/12
+acl localnet src 192.168.0.0/16
+acl localnet src fc00::/7
+acl localnet src fe80::/10
+
+acl SSL_ports port 443
+acl Safe_ports port 80
+acl Safe_ports port 21
+acl Safe_ports port 443
+acl Safe_ports port 70
+acl Safe_ports port 210
+acl Safe_ports port 1025-65535
+acl Safe_ports port 280
+acl Safe_ports port 488
+acl Safe_ports port 591
+acl Safe_ports port 777
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+
+http_port 3128 ssl-bump \
+  cert=/ca/cert.pem key=/ca/key.pem \
+  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+cache_dir aufs /var/cache/squid 200000 16 256
+coredump_dir /var/cache/squid
+maximum_object_size 8 GB
+maximum_object_size_in_memory 4 MB
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages)(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern /repomd\.xml(\.asc|\.metalink)?(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern /APKINDEX\.tar(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern \.u?deb$ 129600 100% 129600
+refresh_pattern \.rpm$ 129600 100% 129600
+refresh_pattern \.apk$ 129600 100% 129600
+refresh_pattern \.(tar|iso)(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?(\.sig)?$ 129600 100% 129600
+refresh_pattern . 0 20% 4320
+
+url_rewrite_children 4
+url_rewrite_program /rewrite.awk
+
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+logfile_rotate 0
+cache_log syslog:daemon.info squid
+access_log syslog:daemon.info squid