Basic functionality fully working
This commit is contained in:
commit
b6d6756bf3
@ -0,0 +1 @@
*[~%]
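--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine:3.16
+
+RUN apk add --no-cache squid openssl darkhttpd
+RUN mkdir /ca
+COPY run.sh rewrite.awk /
+RUN chmod 0755 /run.sh /rewrite.awk
+COPY squid.conf /etc/squid/squid.conf
+
+VOLUME /var/cache/squid
+EXPOSE 3128
+
+CMD ["/run.sh"]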
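Review bot: The CA private key that run.sh writes under `/ca` (the directory created by the `RUN mkdir /ca` line) has no persistence, because only `/var/cache/squid` is declared on the `VOLUME` line; a recreated container generates a fresh CA that no client trusts yet, while the old key lingers in the discarded writable layer. Declare `VOLUME /ca /var/cache/squid` (or document that `/ca` must be bind-mounted) so the key survives restarts and can live on restricted storage. The base image is pinned to `alpine:3.16`, which as far as I know is past its support window, so the packaged squid will not receive fixes; moving to a supported tag is worth a follow-up. If BuildKit is in use, `COPY --chmod=0755 run.sh rewrite.awk /` also folds the separate `RUN chmod` layer away.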
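--- /dev/null
+++ b/rewrite.awk
@@ -0,0 +1,20 @@
+#!/usr/bin/awk -f
+
+function handle_request(url, ip_fqdn, ident, method, kv)
+{
+if (url == "http://proxy/ca.crt") {
+return "OK rewrite-url=http://127.0.0.1:9999/ca.crt"
+}
+return "OK"
+}
+
+\$1 ~ /^[0-9]+$/ {request_id=\$1 " "; request_url=\$2; request_ip_fqdn=\$3, request_ident=\$4, request_method=\$5, first_pair=6}
+\$1 !~ /^[0-9]+$/ {request_id=""; request_url=\$1; request_ip_fqdn=\$2, request_ident=\$3, request_method=\$4, first_pair=5}
+{
+split("", kv);
+for (i=first_pair; i<=NF; i++) {
+split(\$i, parts, sep="=")
+kv[parts[1]]=parts[2]
+}
+print request_id handle_request(request_url, request_ip_fqdn, request_ident, request_method, kv)
+}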
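Review bot: The reply emitted on the `print request_id handle_request(...)` line can sit in awk's stdout buffer instead of reaching Squid, because stdout is a pipe here and not every awk line-buffers pipes; Squid redirector helpers conventionally flush after each reply, so add `fflush()` on the line after the `print`. The comma-separated assignments on the two pattern lines (`request_ip_fqdn=$3, request_ident=$4, ...`) are not valid POSIX/gawk syntax, which has no comma operator; if this relies on busybox awk's leniency, changing those commas to `;` keeps the helper portable. In the kv loop, `split($i, parts, sep="=")` keeps only the text before the first `=`, so a value that itself contains `=` is truncated; `p=index($i, "="); kv[substr($i, 1, p-1)]=substr($i, p+1)` preserves it. The `\$` spellings in this rendering are presumably page escaping of `$`, and the function's `kv` parameter shadows the global array of the same name, which is harmless but confusing.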
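--- /dev/null
+++ b/run.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+CA_DIR=/ca
+CERT_FILE="${CA_DIR}/cert.pem"
+KEY_FILE="${CA_DIR}/key.pem"
+
+[ -e "${CERT_FILE}" -a -e "${KEY_FILE}" ] || \
+openssl req -new -newkey rsa:2048 -sha256 -days 1500 -nodes -x509 \
+-extensions v3_ca -subj "/C=/ST=/L=/O=/OU=/CN=proxy" \
+-keyout "${KEY_FILE}" -out "${CERT_FILE}"
+
+mkdir -p /static
+cp -f "${CERT_FILE}" /static/ca.crt
+
+[ -d /var/lib/ssl_db ] || /usr/lib/squid/security_file_certgen -c \
+-s /var/lib/ssl_db -M 4MB
+chown -R squid:squid /var/lib/ssl_db
+
+[ -e /var/cache/squid/swap.state ] || squid -z
+while [ -e /var/run/squid.pid ] ; do
+sleep 1
+done
+
+syslogd
+darkhttpd /static --port 9999 --chroot --daemon \
+--uid nobody --gid nobody \
+--no-listing
+squid -s
+
+tail -f /var/log/messages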
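Review bot: The `while [ -e /var/run/squid.pid ]` loop blocks startup forever on a stale pid file, and one is likely after `docker stop`: `/run.sh` is PID 1 and ends in `tail -f`, so SIGTERM never reaches the daemonized `squid -s`, Docker kills the container, and the pid file stays in the writable layer for the next start. Run squid in the foreground via `exec` so it is PID 1 and receives signals, and make the wait loop check that the recorded pid is alive rather than that the file exists; the loop appears intended to let `squid -z` finish, which I have kept on that assumption. With `exec squid -N` the `tail -f /var/log/messages` goes away, so `-d 1` keeps cache_log visible on the container's stderr; access_log still goes only to syslog. Minor: `[ -e "${CERT_FILE}" -a -e "${KEY_FILE}" ]` uses the deprecated `-a` and reads better as `[ -e "${CERT_FILE}" ] && [ -e "${KEY_FILE}" ]`, and without `set -eu` a failed `openssl req` still lets squid start against a missing key file.
```sh
# … unchanged: CA generation, /static/ca.crt copy, ssl_db init …
[ -e /var/cache/squid/swap.state ] || squid -z
# Wait only while the process named in the pid file is alive; a pid file
# left behind by an unclean stop must not block startup forever.
while [ -e /var/run/squid.pid ] && kill -0 "$(cat /var/run/squid.pid)" 2>/dev/null; do
  sleep 1
done
# … unchanged: syslogd, darkhttpd …
# Foreground squid as PID 1 so SIGTERM from "docker stop" reaches it;
# -d 1 mirrors cache_log to stderr so "docker logs" still shows it.
exec squid -N -s -d 1
```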
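--- /dev/null
+++ b/squid.conf
@@ -0,0 +1,61 @@
+acl localnet src 0.0.0.1-0.255.255.255
+acl localnet src 10.0.0.0/8
+acl localnet src 100.64.0.0/10
+acl localnet src 169.254.0.0/16
+acl localnet src 172.16.0.0/12
+acl localnet src 192.168.0.0/16
+acl localnet src fc00::/7
+acl localnet src fe80::/10
+
+acl SSL_ports port 443
+acl Safe_ports port 80
+acl Safe_ports port 21
+acl Safe_ports port 443
+acl Safe_ports port 70
+acl Safe_ports port 210
+acl Safe_ports port 1025-65535
+acl Safe_ports port 280
+acl Safe_ports port 488
+acl Safe_ports port 591
+acl Safe_ports port 777
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+
+http_port 3128 ssl-bump \
+cert=/ca/cert.pem key=/ca/key.pem \
+generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+cache_dir aufs /var/cache/squid 200000 16 256
+coredump_dir /var/cache/squid
+maximum_object_size 8 GB
+maximum_object_size_in_memory 4 MB
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages)(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern /repomd\.xml(\.asc|\.metalink)?(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern /APKINDEX\.tar(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?$ 15 100% 129600 override-expire ignore-no-cache reload-into-ims
+refresh_pattern \.u?deb$ 129600 100% 129600
+refresh_pattern \.rpm$ 129600 100% 129600
+refresh_pattern \.apk$ 129600 100% 129600
+refresh_pattern \.(tar|iso)(\.[zZ]|\.gz|\.bz2?|\.xz|\.zstd?)?(\.sig)?$ 129600 100% 129600
+refresh_pattern . 0 20% 4320
+
+url_rewrite_children 4
+url_rewrite_program /rewrite.awk
+
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+
+logfile_rotate 0
+cache_log syslog:daemon.info squid
+access_log syslog:daemon.info squid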
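Review bot: The `http_access allow localnet` line grants every client on the RFC1918 and link-local source ranges access to any destination, and Squid's stock `to_localhost` deny is missing, so a client can use this proxy to reach services bound to loopback inside the container and link-local addresses such as a cloud metadata endpoint (169.254.169.254) that the container's network can see. Add destination deny rules ahead of the allow, as sketched below. The `http://proxy/ca.crt` rewrite in rewrite.awk to `127.0.0.1:9999` should be unaffected, since as far as I know the redirector runs after `http_access` and only `adapted_http_access` sees the rewritten URL, but that is worth a quick test. The `acl localnet src 0.0.0.1-0.255.255.255` and `169.254.0.0/16` source entries come from the stock config; if this cache serves one known subnet, narrowing `localnet` to it is the simpler mitigation.
```conf
# … unchanged: localnet, SSL_ports, Safe_ports acls …
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_linklocal dst 169.254.0.0/16 fe80::/10
# … unchanged: deny !Safe_ports, deny CONNECT !SSL_ports, manager rules …
http_access deny to_localhost
http_access deny to_linklocal
http_access allow localnet
```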