diff --git a/.gitignore b/.gitignore index 54a14b2..3c3629e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -myCA/*.pem node_modules diff --git a/README.md b/README.md index b7e2942..3b9fc78 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ inspired by https://github.com/salrashid123/squid_proxy ## making a CA ```shell -cd myCA openssl genrsa -out CA_key.pem 2048 -openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA" +openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=UK/ST=Devon/L=Rose Ash/O=Google/OU=SiGyl/CN=Proxy-ca" ``` +then set secrets ca-crt and ca-key to the created files + ## releasing [see here](https://sigyl.com/releases/) \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 03f1c0f..07390ee 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,6 @@ version: "3.7" services: - squid: + squid-4: deploy: placement: constraints: [node.labels.com.sigyl.git-stack == yes] 
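Review bot: Removing `myCA/*.pem` leaves no ignore rule for the CA material this same commit tells users to generate in the repository root (the README hunk drops `cd myCA` before the `openssl genrsa -out CA_key.pem` step), so the private key Squid uses to mint certificates for bumped connections now shows up as an untracked file one `git add .` away from being committed. If the key is meant to live only in the `ca-crt`/`ca-key` secrets the README mentions, keep a root-level rule in place of the removed line, e.g. `*.pem` or the pair `CA_key.pem` / `CA_crt.pem`. Whether a key was ever committed under `myCA/` cannot be told from this diff; worth checking history before the repository is published.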
@@ -18,10 +18,12 @@ services: EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs options=NO_SSLv3,NO_TLSv1 min-version=1.2 - - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + # - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # these are basically to make everything canched - - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' - - 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + - 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload' + volumes: + - squid-4-cache:/var/cache/squid4 ports: - 3128:3128 networks: @@ -46,7 +48,7 @@ services: - appnet - externalnet volumes: - squid-cache: + squid-4-cache: squid-deb-cache: networks: diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index e4bde17..0000000 --- a/docker/Dockerfile +++ /dev/null 
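Review bot: The `sslproxy_cipher` entry survives only as a commented-out YAML item (`# - EXTRA_CONFIG2=sslproxy_cipher ...`) with nothing saying why the explicit outgoing cipher list was dropped, so the `squid-4` service now runs on whatever cipher default its image carries while the hunk still pins `min-version=1.2` via `EXTRA_CONFIG1`; either delete the dead line or replace it with a one-line comment such as `# outgoing cipher list left at image default; only tls_outgoing_options (EXTRA_CONFIG1) is pinned`. The renumbered `refresh_pattern` lines keep `ignore-no-cache`, which, if I recall correctly, Squid 4 reports as an obsolete option at startup and ignores, so it can go without changing behaviour. `override-expire ignore-reload` on `^https:` serves bumped HTTPS responses from cache past their expiry; that matches the "make everything cached" comment above it, but the comment should say this is deliberate. The `squid-cache` → `squid-4-cache` rename in the hunk at line 46 is consistent with the mount added here.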
@@ -1,24 +0,0 @@
-FROM debian:8
-RUN apt-get -y update
-RUN apt-get install -y curl git openssl build-essential libssl-dev wget vim curl
-#RUN mkdir -p /var/log/supervisor
-WORKDIR /apps/
-RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \
- && CPU=$(( `nproc --all`-1 )) \
- && cd /apps/squid-4.12/ \
- && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
- && make -j$CPU \
- && make install \
- && cd /apps \
- && rm -rf /apps/squid-4.12
-ADD . /apps/
-
-RUN chown -R nobody:nogroup /apps/
-RUN mkdir -p /apps/squid/var/lib/
-RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB
-RUN /apps/squid/sbin/squid -N -f /apps/squid.cache.conf -z
-RUN chown -R nobody:nogroup /apps/
-
-EXPOSE 3128
-ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
-CMD ["/apps/squid.intercept.conf"]
diff --git a/docker/README.md b/docker/README.md
deleted file mode 100644
index 390f317..0000000
--- a/docker/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-I made dhparam.pem
-
- openssl dhparam -outform PEM -out dhparam.pem 2048
\ No newline at end of file
diff --git a/docker/dhparam.pem b/docker/dhparam.pem
deleted file mode 100644
index 91e78f7..0000000
--- a/docker/dhparam.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAk5sKJOAoHj9bZCoUyN0pnYwjzS2vCZWcNOCGKVO+MuyVhbphVGez
-UidUVK7OIFX5XUNfrHvxKeN2NkHHfOJXAYdVD/0Th6Ead+nh/xtBw9+ycRhmLR1F
-tQY1Kbv23j8h+rJ0q5aiMnCEKevnbPBlV3ARK1oXjAHVuT08flGOcRLb3Qp+qLKQ
-xX5WGQcFzVJf56MA/bl5bUbuo7e8O1eZYjdtzz+nvk8zaYqEhqrrPkJDPveGdVKu
-FYB4vRfBuOHc/1K9+kwzfNsAYhj51Qs64KjukmpjxZPTVojvnKRqiavRmgBdMWiL
-J8VStE1njcXhusk3jGJazeQ5EsJA9u41qwIBAg==
------END DH PARAMETERS-----
diff --git a/docker/squid.cache.conf b/docker/squid.cache.conf
deleted file mode 100644
index 1396189..0000000
--- a/docker/squid.cache.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
-
-coredump_dir /apps/squid/var/cache
\ No newline at end of file
diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf
deleted file mode 100644
index 71ac726..0000000
--- a/docker/squid.intercept.conf
+++ /dev/null
@@ -1,72 +0,0 @@
-always_direct allow all
-
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
-acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-acl SSL_ports port 443
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 # https
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
-
-http_access allow all
-http_access allow manager localhost
-http_access deny manager
-
-htcp_access allow localnet
-htcp_access deny all
-
-
-visible_hostname git.local-domain
-
-http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
-#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
-#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
-
-always_direct allow all
-acl excluded_sites ssl::server_name .wellsfargo.com
-ssl_bump splice excluded_sites
-ssl_bump bump all
-
-sslproxy_cert_error deny all
-sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
-
-icap_enable on
-icap_preview_enable on
-icap_preview_size 128
-icap_send_client_ip on
-
-adaptation_access url_check allow all
-
-access_log /apps/squid/var/logs/access.log squid
-
-# these are basically to make everything canched
-refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
-refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
-
-debug_options 11,2 22,10
-
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern (cgi-bin|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
-
-icp_port 3130
-
-
-coredump_dir /apps/squid/var/cache
-
-
-cache_mem 1000 MB
-
-maximum_object_size 4096 MB
-cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
diff --git a/myCA/openssl.cnf b/openssl.cnf
similarity index 100%
rename from myCA/openssl.cnf
rename to openssl.cnf
diff --git a/squid-4/Dockerfile b/squid-4/Dockerfile
deleted file mode 100644
index 8a2d15f..0000000
--- a/squid-4/Dockerfile
+++ /dev/null
@@ -1,121 +0,0 @@ -ARG DOCKER_PREFIX= - -FROM ${DOCKER_PREFIX}ubuntu:xenial - -ARG TRUST_CERT= - -RUN if [ ! -z "$TRUST_CERT" ]; then \ - echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \ - update-ca-certificates ; \ - fi - -# Normalize apt sources -RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \ - cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \ - cat sources.tmp.1 sources.tmp.2 > /etc/apt/sources.list && \ - rm -f sources.tmp.1 sources.tmp.2 - -RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get build-dep -y squid && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar xz-utils libssl-dev - -ARG SQUID_VERSION=4.0.21 - -# TODO: verify the squid download with the signing key -RUN mkdir /src \ - && cd /src \ - && wget http://www.squid-cache.org/Versions/v4/squid-$SQUID_VERSION.tar.xz \ - && mkdir squid \ - && tar -C squid --strip-components=1 -xvf squid-$SQUID_VERSION.tar.xz - -RUN cd /src/squid && \ - ./configure \ - --prefix=/usr \ - --datadir=/usr/share/squid4 \ - --sysconfdir=/etc/squid4 \ - --localstatedir=/var \ - --mandir=/usr/share/man \ - --enable-inline \ - --enable-async-io=8 \ - --enable-storeio="ufs,aufs,diskd,rock" \ - --enable-removal-policies="lru,heap" \ - --enable-delay-pools \ - --enable-cache-digests \ - --enable-underscores \ - --enable-icap-client \ - --enable-follow-x-forwarded-for \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \ - --enable-auth-digest="file,LDAP" \ - --enable-auth-negotiate="kerberos,wrapper" \ - --enable-auth-ntlm="fake" \ - --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \ - --enable-url-rewrite-helpers="fake" \ - --enable-eui \ - --enable-esi \ - --enable-icmp \ - --enable-zph-qos \ - --with-openssl \ - --enable-ssl \ - --enable-ssl-crtd \ - --disable-translation \ 
- --with-swapdir=/var/spool/squid4 \ - --with-logdir=/var/log/squid4 \ - --with-pidfile=/var/run/squid4.pid \ - --with-filedescriptors=65536 \ - --with-large-files \ - --with-default-user=proxy \ - --disable-arch-native - -ARG CONCURRENCY=1 - -RUN cd /src/squid && \ - make -j$CONCURRENCY && \ - make install - -# Download p2cli dependency -RUN wget -O /usr/local/bin/p2 \ - https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \ - chmod +x /usr/local/bin/p2 - -# Clone and build proxychains-ng for SSL upstream proxying -ARG PROXYCHAINS_COMMITTISH=7a233fb1f05bcbf3d7f5c91658932261de1e13cb - -RUN apt-get install -y git - -RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \ - cd /src/proxychains-ng && \ - git checkout $PROXYCHAINS_COMMITTISH && \ - ./configure --prefix=/usr --sysconfdir=/etc && \ - make -j$CONCURRENCY && make install - -ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz - -RUN wget -O /tmp/doh.tgz \ - $URL_DOH && \ - tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \ - chmod +x /usr/local/bin/dns-over-https-proxy - -COPY squid.conf.p2 /squid.conf.p2 -COPY squid.bsh /squid.bsh - -# Configuration environment -ENV HTTP_PORT=3128 \ - ICP_PORT= \ - HTCP_PORT= \ - MITM_PROXY= \ - MITM_CERT= \ - MITM_KEY= \ - VISIBLE_HOSTNAME=docker-squid4 \ - MAX_CACHE_SIZE=40000 \ - MAX_OBJECT_SIZE="1536 MB" \ - MEM_CACHE_SIZE="128 MB" \ - DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \ - DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \ - DNS_OVER_HTTPS_NO_FALLTHROUGH="" \ - DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \ - DNS_OVER_HTTPS_PREFIX_SERVER= \ - DNS_OVER_HTTPS_SUFFIX_SERVER= - -EXPOSE 3128 - -ENTRYPOINT [ "/squid.bsh" ] \ No newline at end of file diff --git a/squid-4/README.md b/squid-4/README.md deleted file mode 100644 index 7777e56..0000000 --- a/squid-4/README.md +++ /dev/null 
@@ -1 +0,0 @@ -from https://github.com/wrouesnel/docker-squid4 diff --git a/squid-4/squid.bsh b/squid-4/squid.bsh deleted file mode 100644 index 33e6e6e..0000000 --- a/squid-4/squid.bsh +++ /dev/null 
@@ -1,134 +0,0 @@ -#!/bin/bash - -# Setup the ssl_cert directory -if [ ! -d /etc/squid4/ssl_cert ]; then - mkdir /etc/squid4/ssl_cert -fi - -chown -R proxy:proxy /etc/squid4 -chmod 700 /etc/squid4/ssl_cert - -# Setup the squid cache directory -if [ ! -d /var/cache/squid4 ]; then - mkdir -p /var/cache/squid4 -fi -chown -R proxy: /var/cache/squid4 -chmod -R 750 /var/cache/squid4 - -if [ ! -z $MITM_PROXY ]; then - if [ ! -z $MITM_KEY ]; then - echo "Copying $MITM_KEY as MITM key..." - cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem - chown root:proxy /etc/squid4/ssl_cert/mitm.pem - fi - - if [ ! -z $MITM_CERT ]; then - echo "Copying $MITM_CERT as MITM CA..." - cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt - chown root:proxy /etc/squid4/ssl_cert/mitm.crt - fi - - if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then - echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2 - exit 1 - fi -fi - -chown proxy: /dev/stdout -chown proxy: /dev/stderr - -# Initialize the certificates database -/usr/libexec/security_file_certgen -c -s /var/spool/squid4/ssl_db -chown -R proxy: /var/spool/squid4/ssl_db - -#ssl_crtd -c -s -#ssl_db - -# Set the configuration -if [ "$CONFIG_DISABLE" != "yes" ]; then - p2 -t /squid.conf.p2 > /etc/squid4/squid.conf - - # Parse the cache peer lines from the environment and add them to the - # configuration - echo '# CACHE PEERS FROM DOCKER' >> /etc/squid4/squid.conf - env | grep 'CACHE_PEER' | sort | while read cacheline; do - echo "# $cacheline " >> /etc/squid4/squid.conf - line=$(echo $cacheline | cut -d'=' -f2-) - echo "cache_peer $line" >> /etc/squid4/squid.conf - done - - # Parse the extra config lines and append them to the configuration - echo '# EXTRA CONFIG FROM DOCKER' >> /etc/squid4/squid.conf - env | grep 'EXTRA_CONFIG' | sort | while read extraline; do - echo "# $extraline " >> /etc/squid4/squid.conf - line=$(echo $extraline | cut -d'=' -f2-) - echo "$line" >> /etc/squid4/squid.conf - done -else - echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS 
DISABLED." -fi - -if [ "$DNS_OVER_HTTPS" = "yes" ]; then - echo "Starting DNS-over-HTTPS proxy..." - # TODO: find a way to tie this to the proxychains config - dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \ - -address "$DNS_OVER_HTTPS_LISTEN_ADDR" \ - -primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \ - -fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \ - -no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \ - -fallthrough-statuses "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES" & - echo "Adding dns_nameservers line to squid.conf..." - echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf -fi - -if [ ! -e /etc/squid4/squid.conf ]; then - echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work." - exit 1 -fi - -# If proxychains is requested and config templating is active -if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then - echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf - # Enable remote DNS proxy - if [ ! -z "$PROXYCHAIN_DNS" ]; then - echo "proxy_dns" >> /etc/proxychains.conf - fi - # Configure proxy type - if [ ! -z "$PROXYCHAIN_TYPE" ]; then - echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf - else - echo "strict_chain" >> /etc/proxychains.conf - fi - - echo "[ProxyList]" >> /etc/proxychains.conf - env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do - echo "# $proxyline " >> /etc/squid4/squid.conf - line=$(echo $proxyline | cut -d'=' -f2-) - echo "$line" >> /etc/proxychains.conf - done -else - echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED" -fi - -# Build the configuration directories if needed -squid -z -N - -if [ "$PROXYCHAIN" = "yes" ]; then - if [ ! -e /etc/proxychains.conf ]; then - echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work." - exit 1 - fi - # Start squid with proxychains - proxychains4 -f /etc/proxychains.conf squid -N 2>&1 & - PID=$! 
-else - # Start squid normally - squid -N 2>&1 & - PID=$! -fi - -# This construct allows signals to kill the container successfully. -trap "kill -TERM $(jobs -p)" INT TERM -wait $PID -wait $PID -exit $? \ No newline at end of file diff --git a/squid-4/squid.conf.p2 b/squid-4/squid.conf.p2 deleted file mode 100644 index fa6e8cb..0000000 --- a/squid-4/squid.conf.p2 +++ /dev/null @@ -1,46 +0,0 @@ -# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN. - -# Default all logs to stdout and stderr -logfile_rotate 0 -access_log stdio:/dev/stdout combined -cache_store_log stdio:/dev/stdout -cache_log /dev/stderr -netdb_filename stdio:/var/cache/squid4/netdb.state - -# Visible hostname to allow multi-squid -visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}} - -{% if DISABLE_CACHE|default:"" != "yes" %} -# Cache directory is fixed since we'll bind mount. -cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256 -{% endif %} - -maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}} -cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}} - -tls_outgoing_options capath=/etc/ssl/certs \ - options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \ - cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS - -http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \ - generate-host-certificates=on \ - dynamic_cert_mem_cache_size=4MB \ - cert=/etc/squid4/ssl_cert/mitm.crt \ - key=/etc/squid4/ssl_cert/mitm.pem -{% endif %} - -{% if MITM_PROXY|default:"" == "yes" %} -ssl_bump server-first all -{% endif %} - -{% if ICP_PORT|default:"" != "" %} -icp_port {{ICP_PORT}} -icp_access allow all -{% endif %} - -{% if HTCP_PORT|default:"" != "" %} -htcp_port {{HTCP_PORT}} -htcp_access allow all -{% endif %} - -http_access allow all \ No newline at end of file diff --git a/squid-4/squid.intercept.conf b/squid-4/squid.intercept.conf deleted file mode 100644 index 0c39321..0000000 --- a/squid-4/squid.intercept.conf +++ /dev/null 
@@ -1,72 +0,0 @@
-always_direct allow all
-
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8
-acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
-acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-acl SSL_ports port 443
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 # https
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
-
-http_access allow all
-http_access allow manager localhost
-http_access deny manager
-
-htcp_access allow localnet
-htcp_access deny all
-
-
-visible_hostname git.local-domain
-
-http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
-#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
-#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
-
-always_direct allow all
-acl excluded_sites ssl::server_name .wellsfargo.com
-ssl_bump splice excluded_sites
-ssl_bump bump all
-
-sslproxy_cert_error deny all
-#sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
-
-icap_enable on
-icap_preview_enable on
-icap_preview_size 128
-icap_send_client_ip on
-
-adaptation_access url_check allow all
-
-access_log /apps/squid/var/logs/access.log squid
-
-# these are basically to make everything canched
-refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
-refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
-
-debug_options 11,2 22,10
-
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern (cgi-bin|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
-
-icp_port 3130
-
-
-coredump_dir /apps/squid/var/cache
-
-
-cache_mem 1000 MB
-
-maximum_object_size 4096 MB
-cache_dir aufs /apps/squid/var/cache/squid 10000 16 256