Full functionality build, producing a heavy-weight image.

Future refinement shold include scripting the build and then stripping all
ephemeral dependencies.

README.md

@@ -0,0 +1,44 @@
+# Squid4 with SSL proxying
+
+This dockerfile builds a Squid 4.0.7 instance and includes all the necessary
+tooling to run it as a MITM (man-in-the-middle) SSL proxy.
+
+There's a number of reasons to do this - the big one being optimizing caching
+and delivery of objects during docker builds which might be downloading them
+from SSL protected endpoints.
+
+It will require you to generate your own CA and set it as trusted.
+
+The resulting docker image uses the following configuration environment
+variables:
+
+ * `HTTP_PORT`
+    Default: `3128`
+ * `ICP_PORT`
+    If set, enables ICP on the given port for all users.
+ * `HTCP_PORT`
+    If set, enables HTCP on the given port for all users.
+ * `MITM_PROXY`
+    If set, tries to enable MITM SSL proxy functionality (requires CERT and KEY)
+ * `MITM_CERT`
+    If set, the given PEM certificate is copied and used as the CA authority for 
+    MITM'ing connections.
+ *  `MITM_KEY`
+    If set, the given PEM certificate is copied and used as the signing key for 
+    the MITM CA.
+ * `VISIBLE_HOSTNAME`
+    Default: `docker-squid4`
+    Should be set to a unique value if you are chaining multiple proxy servers.
+ * `MAX_CACHE_SIZE`
+    Default: `40000`
+    Cache size in megabytes. The cache defaults to `/var/cache/squid4`. You 
+    should mount a volume here to make it persistent.
+ * `MAX_OBJECT_SIZE`
+    Default `"1536 MB"`
+    Maximum object size to store in the cache. This is set high as one of my
+    typical use cases is proxying distribution images.
+ * `MEM_CACHE_SIZE`
+    Default: `"128 MB"`
+    Default memory cache size. I've no real clue what this should be, but RAM
+    is plentiful so I like to keep it fairly large.
+    

docker-squid/Dockerfile

@@ -0,0 +1,68 @@
+FROM debian:jessie
+
+RUN sed s:deb:deb-src: /etc/apt/sources.list >> /etc/apt/sources.list
+
+RUN apt-get update && apt-get build-dep -y squid3 && apt-get install -y wget tar xz-utils libssl-dev
+
+RUN mkdir /src \
+    && cd /src \
+    && wget http://www.squid-cache.org/Versions/v4/squid-4.0.7.tar.xz \
+    && tar -xvvf squid-4.0.7.tar.xz
+    
+RUN cd /src/squid-4.0.7 && \
+    ./configure \
+        --prefix=/usr \
+        --datadir=/usr/share/squid4 \
+		--sysconfdir=/etc/squid4 \
+		--localstatedir=/var \
+		--mandir=/usr/share/man \
+		--enable-inline \
+		--enable-async-io=8 \
+		--enable-storeio="ufs,aufs,diskd,rock" \
+		--enable-removal-policies="lru,heap" \
+		--enable-delay-pools \
+		--enable-cache-digests \
+		--enable-underscores \
+		--enable-icap-client \
+		--enable-follow-x-forwarded-for \
+		--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
+		--enable-auth-digest="file,LDAP" \
+		--enable-auth-negotiate="kerberos,wrapper" \
+		--enable-auth-ntlm="fake" \
+		--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \
+		--enable-url-rewrite-helpers="fake" \
+		--enable-eui \
+		--enable-esi \
+		--enable-icmp \
+		--enable-zph-qos \
+		--with-openssl \
+		--enable-ssl \
+		--enable-ssl-crtd \ 
+		--disable-translation \
+		--with-swapdir=/var/spool/squid4 \
+		--with-logdir=/var/log/squid4 \
+		--with-pidfile=/var/run/squid4.pid \
+		--with-filedescriptors=65536 \
+		--with-large-files \
+		--with-default-user=proxy
+		
+ARG CONCURRENCY=1
+
+RUN cd /src/squid-4.0.7 && \
+    make -j$CONCURRENCY && \
+    make install
+
+# Download p2cli dependency
+RUN wget -O /usr/local/bin/p2 \
+    https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
+    chmod +x /usr/local/bin/p2
+
+COPY squid.conf.p2 /squid.conf.p2
+COPY squid.bsh /squid.bsh
+
+# Configuration environment
+ENV HTTP_PORT=3128 ICP_PORT= HTCP_PORT= MITM_PROXY= MITM_CERT= MITM_KEY=  VISIBLE_HOSTNAME=docker-squid4 MAX_CACHE_SIZE=40000 MAX_OBJECT_SIZE="1536 MB" MEM_CACHE_SIZE="128 MB"
+
+EXPOSE 3128
+
+CMD /squid.bsh

docker-squid/squid.bsh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Setup the ssl_cert directory
+if [ ! -d /etc/squid4/ssl_cert ]; then
+    mkdir /etc/squid4/ssl_cert
+fi
+
+chown -R proxy:proxy /etc/squid4
+chmod 700 /etc/squid4/ssl_cert
+
+# Setup the squid cache directory
+if [ ! -d /var/cache/squid4 ]; then
+    mkdir -p /var/cache/squid4
+fi
+chown -R proxy: /var/cache/squid4
+chmod -R 750 /var/cache/squid4
+
+if [ ! -z $MITM_KEY ]; then
+    echo "Copying $MITM_KEY as MITM key..."
+    cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem
+    chown root:proxy /etc/squid4/ssl_cert/mitm.pem
+fi
+
+if [ ! -z $MITM_CERT ]; then
+    echo "Copying $MITM_CERT as MITM CA..."
+    cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt
+    chown root:proxy /etc/squid4/ssl_cert/mitm.crt
+fi
+
+if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then
+    echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2
+    exit 1
+fi
+
+chown proxy: /dev/stdout
+chown proxy: /dev/stderr
+
+# Initialize the certificates database
+/usr/libexec/security_file_certgen -c -s /var/lib/ssl_db
+chown -R proxy: /var/lib/ssl_db
+
+#ssl_crtd -c -s
+#ssl_db
+
+# Set the configuration
+p2 -t /squid.conf.p2 > /etc/squid4/squid.conf
+
+squid -z -N
+squid -N

docker-squid/squid.conf.p2

@@ -0,0 +1,44 @@
+# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN.
+
+# Default all logs to stdout and stderr
+logfile_rotate 0
+access_log stdio:/dev/stdout combined
+cache_store_log stdio:/dev/stdout
+cache_log /dev/stderr
+netdb_filename stdio:/var/cache/squid4/netdb.state
+
+# Visible hostname to allow multi-squid
+visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}}
+
+# Cache directory is fixed since we'll bind mount.
+cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256
+
+maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}}
+cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
+
+tls_outgoing_options capath=/etc/ssl/certs \
+    options=NO_SSLv3,NO_TLSv1 \
+    cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+
+http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
+    generate-host-certificates=on \
+    dynamic_cert_mem_cache_size=4MB \
+    cert=/etc/squid4/ssl_cert/mitm.crt \
+    key=/etc/squid4/ssl_cert/mitm.pem
+{% endif %}
+
+{% if MITM_PROXY|default:"" == "yes" %}
+ssl_bump server-first all
+{% endif %}
+
+{% if ICP_PORT|default:"" != "" %}
+icp_port {{ICP_PORT}}
+icp_access allow all
+{% endif %}
+
+{% if HTCP_PORT|default:"" != "" %}
+htcp_port {{HTCP_PORT}}
+htcp_access allow all
+{% endif %}
+
+http_access allow all