From a2b8b9fc61390c166546d7dab2d555134f7b9c73 Mon Sep 17 00:00:00 2001
From: Giles Bradshaw
Date: Thu, 6 Aug 2020 11:34:15 +0100
Subject: [PATCH] .

---
 docker-compose.yml | 5 ++-
 docker/squid.intercept.conf | 4 +-
 squid-4/squid.intercept.conf | 72 ++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 squid-4/squid.intercept.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 48c87cb..d22c032 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,8 +8,11 @@ services:
 restart_policy:
 condition: any
 image: wrouesnel/docker-squid4
+ environment:
+ - CONFIG_DISABLE=yes
 volumes:
- - squid-cache:/apps/squid/var/cache/squid
+ - ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf
+ # - squid-cache:/apps/squid/var/cache/squid
 #- ./squid.intercept.conf:/etc/squid/squid.conf
 - ./myCA/CA_crt.pem:/apps/CA_crt.pem
 - ./myCA/CA_key.pem:/apps/CA_key.pem
diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf
index da6ea38..71ac726 100644
--- a/docker/squid.intercept.conf
+++ b/docker/squid.intercept.conf
@@ -28,8 +28,8 @@ htcp_access deny all
 
 visible_hostname git.local-domain
 
-#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
-http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
+http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
+#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
 #https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
 
 always_direct allow all
diff --git a/squid-4/squid.intercept.conf b/squid-4/squid.intercept.conf
new file mode 100644
index 0000000..59c0e78
--- /dev/null
+++ b/squid-4/squid.intercept.conf
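Review bot: The new bind mount `- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf` is writable from inside the container although the proxy only reads it; mount it `- ./squid-4/squid.intercept.conf:/etc/squid4/squid.conf:ro`, and the CA key mount in the context lines below it deserves the same `:ro`. Commenting out `squid-cache:/apps/squid/var/cache/squid` while the mounted config still declares `cache_dir aufs /apps/squid/var/cache/squid 10000 16 256` (last line of the new file) means the on-disk cache now lives in the container's writable layer and is discarded on every restart that `restart_policy` triggers; if that is intended, a comment saying so would help. `CONFIG_DISABLE=yes` presumably tells the image's entrypoint to skip its generated config, but nothing on this page documents the variable, so a comment naming what it switches off would help the next reader. The hunk header counts 11 new-side lines but only 10 are visible in this copy of the patch, so one added line may have been lost.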
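Review bot: Making the `version=4` variant the active `http_port` line drops `options=NO_SSLv3` and `dhparams=/apps/dhparam.pem`; in the Squid 3.x option table `version=4` meant "TLSv1.0 only" and the option was deprecated in favour of `options=`, so if the image's Squid still honours it this pins clients to TLS 1.0, and if it ignores it the listener falls back to build defaults with SSLv3 no longer explicitly disabled — confirm against the running version. The safer form is the line this hunk comments out, `http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem`, optionally tightened with `NO_TLSv1,NO_TLSv1_1` in `options=`. The identical `version=4` line is also the active `http_port` in the new squid-4/squid.intercept.conf hunk below, so whichever form is chosen should be applied there too. docker-compose.yml now mounts the squid-4 copy and (per its commented-out line) not this file, so this edit may no longer reach the running container — a comment in this file stating which copy is live would prevent the two from drifting further.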
@@ -0,0 +1,72 @@
+always_direct allow all
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+http_access allow all
+http_access allow manager localhost
+http_access deny manager
+
+htcp_access allow localnet
+htcp_access deny all
+
+
+visible_hostname git.local-domain
+
+http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
+#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
+#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
+
+always_direct allow all
+acl excluded_sites ssl::server_name .wellsfargo.com
+ssl_bump splice excluded_sites
+ssl_bump bump all
+
+sslproxy_cert_error deny all
+// sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
+
+icap_enable on
+icap_preview_enable on
+icap_preview_size 128
+icap_send_client_ip on
+
+adaptation_access url_check allow all
+
+access_log /apps/squid/var/logs/access.log squid
+
+# these are basically to make everything canched
+refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
+refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
+
+debug_options 11,2 22,10
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern (cgi-bin|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+icp_port 3130
+
+
+coredump_dir /apps/squid/var/cache
+
+
+cache_mem 1000 MB
+
+maximum_object_size 4096 MB
+cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
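Review bot: `http_access allow all` is the first http_access rule, so the `allow manager localhost` / `deny manager` pair after it never matches and the `Safe_ports`, `SSL_ports` and `CONNECT` ACLs are defined but never consulted; any client that can reach port 3128 gets an unrestricted, certificate-minting proxy plus cache-manager access. The default Squid ordering below — manager rules first, port restrictions, then `allow localnet` / `allow localhost` / `deny all` in place of the blanket allow — keeps the same RFC1918 clients working without opening the listener to everyone. `// sslcrtd_program …` is not a comment in squid.conf (this file's own comments use `#`), so Squid will read `//` as a directive name and presumably reject or warn on it at startup; use `#`, and note the `sslcrtd_children 8 startup=1 idle=1` setting sharing that line is disabled with it. `ssl_bump splice excluded_sites` runs without an `ssl_bump peek step1`, so `ssl::server_name` can only match what the CONNECT request names on this explicit port — confirm the .wellsfargo.com exclusion actually takes effect. `adaptation_access url_check allow all` references a service that no `icap_service` line in this file defines, so either the definition lives elsewhere or startup fails on an unknown service — confirm.
```conf
# … unchanged: acl definitions …
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
# … unchanged: htcp_access and everything below …
```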