This commit is contained in:
parent
a7cb95e166
commit
c0d5e0bc86
|
@ -1,2 +1 @@
|
||||||
myCA/*.pem
|
|
||||||
node_modules
|
node_modules
|
||||||
|
|
|
@ -7,11 +7,12 @@ inspired by https://github.com/salrashid123/squid_proxy
|
||||||
## making a CA
|
## making a CA
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
cd myCA
|
|
||||||
openssl genrsa -out CA_key.pem 2048
|
openssl genrsa -out CA_key.pem 2048
|
||||||
openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
|
openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=UK/ST=Devon/L=Rose Ash/O=Google/OU=SiGyl/CN=Proxy-ca"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
then set secrets ca-crt and ca-key to the created files
|
||||||
|
|
||||||
## releasing
|
## releasing
|
||||||
|
|
||||||
[see here](https://sigyl.com/releases/)
|
[see here](https://sigyl.com/releases/)
|
|
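Review bot: The new sentence "then set secrets ca-crt and ca-key to the created files" gives no handling for the CA private key once it has been loaded into the secret, and this same commit removes the `myCA/*.pem` ignore rule (visible in the first hunk), so `myCA/CA_key.pem` written by the `openssl genrsa` step is now eligible to be committed. Anyone holding that key can mint a valid certificate for any host in the eyes of every client that trusts `CA_crt.pem`, since it is the ssl-bump signing CA. I would either restore the ignore rule or add after the new sentence: "`CA_key.pem` is the interception CA's private key; after loading it into the `ca-key` secret, delete the local copy and never commit it (it is no longer covered by `.gitignore`)." It is also worth stating that `genrsa` without `-aes256` produces an unencrypted key, which Squid needs for unattended start but which makes the file itself the whole secret.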
@ -1,6 +1,6 @@
|
||||||
version: "3.7"
|
version: "3.7"
|
||||||
services:
|
services:
|
||||||
squid:
|
squid-4:
|
||||||
deploy:
|
deploy:
|
||||||
placement:
|
placement:
|
||||||
constraints: [node.labels.com.sigyl.git-stack == yes]
|
constraints: [node.labels.com.sigyl.git-stack == yes]
|
||||||
|
@ -18,10 +18,12 @@ services:
|
||||||
EXTRA_CONFIG1=tls_outgoing_options
|
EXTRA_CONFIG1=tls_outgoing_options
|
||||||
capath=/etc/ssl/certs
|
capath=/etc/ssl/certs
|
||||||
options=NO_SSLv3,NO_TLSv1 min-version=1.2
|
options=NO_SSLv3,NO_TLSv1 min-version=1.2
|
||||||
- EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
# - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
||||||
# these are basically to make everything canched
|
# these are basically to make everything canched
|
||||||
- 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
|
- 'EXTRA_CONFIG2=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
|
||||||
- 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
|
- 'EXTRA_CONFIG3=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
|
||||||
|
volumes:
|
||||||
|
- squid-4-cache:/var/cache/squid4
|
||||||
ports:
|
ports:
|
||||||
- 3128:3128
|
- 3128:3128
|
||||||
networks:
|
networks:
|
||||||
|
@ -46,7 +48,7 @@ services:
|
||||||
- appnet
|
- appnet
|
||||||
- externalnet
|
- externalnet
|
||||||
volumes:
|
volumes:
|
||||||
squid-cache:
|
squid-4-cache:
|
||||||
squid-deb-cache:
|
squid-deb-cache:
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
|
|
|
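Review bot: Commenting out `EXTRA_CONFIG2=sslproxy_cipher …` removes the only explicit cipher allow-list for Squid's outgoing TLS connections and nothing replaces it; the `EXTRA_CONFIG1=tls_outgoing_options` block that remains pins only `NO_SSLv3,NO_TLSv1 min-version=1.2`, so the upstream cipher choice falls back to the OpenSSL defaults. Squid 4 presumably rejected the old directive (it is documented as replaced by `tls_outgoing_options cipher=`), which would explain why the line was disabled rather than renumbered like the refresh_pattern lines, but the restriction should be migrated, not dropped. I would append `cipher=ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM` as a further continuation line of the `EXTRA_CONFIG1` value, alongside `options=…`. Note that the part after `#` on the old line was already a YAML comment and never reached Squid, so only the first four groups need carrying over.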
@ -1,24 +0,0 @@
|
||||||
FROM debian:8
|
|
||||||
RUN apt-get -y update
|
|
||||||
RUN apt-get install -y curl git openssl build-essential libssl-dev wget vim curl
|
|
||||||
#RUN mkdir -p /var/log/supervisor
|
|
||||||
WORKDIR /apps/
|
|
||||||
RUN wget -O - http://www.squid-cache.org/Versions/v4/squid-4.12.tar.gz | tar zxfv - \
|
|
||||||
&& CPU=$(( `nproc --all`-1 )) \
|
|
||||||
&& cd /apps/squid-4.12/ \
|
|
||||||
&& ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
|
|
||||||
&& make -j$CPU \
|
|
||||||
&& make install \
|
|
||||||
&& cd /apps \
|
|
||||||
&& rm -rf /apps/squid-4.12
|
|
||||||
ADD . /apps/
|
|
||||||
|
|
||||||
RUN chown -R nobody:nogroup /apps/
|
|
||||||
RUN mkdir -p /apps/squid/var/lib/
|
|
||||||
RUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB
|
|
||||||
RUN /apps/squid/sbin/squid -N -f /apps/squid.cache.conf -z
|
|
||||||
RUN chown -R nobody:nogroup /apps/
|
|
||||||
|
|
||||||
EXPOSE 3128
|
|
||||||
ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
|
|
||||||
CMD ["/apps/squid.intercept.conf"]
|
|
|
@ -1,3 +0,0 @@
|
||||||
I made dhparam.pem
|
|
||||||
|
|
||||||
openssl dhparam -outform PEM -out dhparam.pem 2048
|
|
|
@ -1,8 +0,0 @@
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
MIIBCAKCAQEAk5sKJOAoHj9bZCoUyN0pnYwjzS2vCZWcNOCGKVO+MuyVhbphVGez
|
|
||||||
UidUVK7OIFX5XUNfrHvxKeN2NkHHfOJXAYdVD/0Th6Ead+nh/xtBw9+ycRhmLR1F
|
|
||||||
tQY1Kbv23j8h+rJ0q5aiMnCEKevnbPBlV3ARK1oXjAHVuT08flGOcRLb3Qp+qLKQ
|
|
||||||
xX5WGQcFzVJf56MA/bl5bUbuo7e8O1eZYjdtzz+nvk8zaYqEhqrrPkJDPveGdVKu
|
|
||||||
FYB4vRfBuOHc/1K9+kwzfNsAYhj51Qs64KjukmpjxZPTVojvnKRqiavRmgBdMWiL
|
|
||||||
J8VStE1njcXhusk3jGJazeQ5EsJA9u41qwIBAg==
|
|
||||||
-----END DH PARAMETERS-----
|
|
|
@ -1,3 +0,0 @@
|
||||||
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
|
|
||||||
|
|
||||||
coredump_dir /apps/squid/var/cache
|
|
|
@ -1,72 +0,0 @@
|
||||||
always_direct allow all
|
|
||||||
|
|
||||||
acl localhost src 127.0.0.1/32
|
|
||||||
acl to_localhost dst 127.0.0.0/8
|
|
||||||
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
|
|
||||||
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
|
|
||||||
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
|
|
||||||
acl SSL_ports port 443
|
|
||||||
acl Safe_ports port 80 # http
|
|
||||||
acl Safe_ports port 21 # ftp
|
|
||||||
acl Safe_ports port 443 # https
|
|
||||||
acl Safe_ports port 70 # gopher
|
|
||||||
acl Safe_ports port 210 # wais
|
|
||||||
acl Safe_ports port 1025-65535 # unregistered ports
|
|
||||||
acl Safe_ports port 280 # http-mgmt
|
|
||||||
acl Safe_ports port 488 # gss-http
|
|
||||||
acl Safe_ports port 591 # filemaker
|
|
||||||
acl Safe_ports port 777 # multiling http
|
|
||||||
acl CONNECT method CONNECT
|
|
||||||
|
|
||||||
http_access allow all
|
|
||||||
http_access allow manager localhost
|
|
||||||
http_access deny manager
|
|
||||||
|
|
||||||
htcp_access allow localnet
|
|
||||||
htcp_access deny all
|
|
||||||
|
|
||||||
|
|
||||||
visible_hostname git.local-domain
|
|
||||||
|
|
||||||
http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
|
|
||||||
#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
|
|
||||||
#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
|
|
||||||
|
|
||||||
always_direct allow all
|
|
||||||
acl excluded_sites ssl::server_name .wellsfargo.com
|
|
||||||
ssl_bump splice excluded_sites
|
|
||||||
ssl_bump bump all
|
|
||||||
|
|
||||||
sslproxy_cert_error deny all
|
|
||||||
sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
|
|
||||||
|
|
||||||
icap_enable on
|
|
||||||
icap_preview_enable on
|
|
||||||
icap_preview_size 128
|
|
||||||
icap_send_client_ip on
|
|
||||||
|
|
||||||
adaptation_access url_check allow all
|
|
||||||
|
|
||||||
access_log /apps/squid/var/logs/access.log squid
|
|
||||||
|
|
||||||
# these are basically to make everything canched
|
|
||||||
refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
|
|
||||||
refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
|
|
||||||
|
|
||||||
debug_options 11,2 22,10
|
|
||||||
|
|
||||||
refresh_pattern ^ftp: 1440 20% 10080
|
|
||||||
refresh_pattern ^gopher: 1440 0% 1440
|
|
||||||
refresh_pattern (cgi-bin|\?) 0 0% 0
|
|
||||||
refresh_pattern . 0 20% 4320
|
|
||||||
|
|
||||||
icp_port 3130
|
|
||||||
|
|
||||||
|
|
||||||
coredump_dir /apps/squid/var/cache
|
|
||||||
|
|
||||||
|
|
||||||
cache_mem 1000 MB
|
|
||||||
|
|
||||||
maximum_object_size 4096 MB
|
|
||||||
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
|
|
|
@ -1,121 +0,0 @@
|
||||||
ARG DOCKER_PREFIX=
|
|
||||||
|
|
||||||
FROM ${DOCKER_PREFIX}ubuntu:xenial
|
|
||||||
|
|
||||||
ARG TRUST_CERT=
|
|
||||||
|
|
||||||
RUN if [ ! -z "$TRUST_CERT" ]; then \
|
|
||||||
echo "$TRUST_CERT" > /usr/local/share/ca-certificates/build-trust.crt ; \
|
|
||||||
update-ca-certificates ; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Normalize apt sources
|
|
||||||
RUN cat /etc/apt/sources.list | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.1 && \
|
|
||||||
cat /etc/apt/sources.list | sed s/deb\ /deb-src\ /g | grep -v '^#' | sed /^$/d | sort | uniq > sources.tmp.2 && \
|
|
||||||
cat sources.tmp.1 sources.tmp.2 > /etc/apt/sources.list && \
|
|
||||||
rm -f sources.tmp.1 sources.tmp.2
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get build-dep -y squid && \
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar xz-utils libssl-dev
|
|
||||||
|
|
||||||
ARG SQUID_VERSION=4.0.21
|
|
||||||
|
|
||||||
# TODO: verify the squid download with the signing key
|
|
||||||
RUN mkdir /src \
|
|
||||||
&& cd /src \
|
|
||||||
&& wget http://www.squid-cache.org/Versions/v4/squid-$SQUID_VERSION.tar.xz \
|
|
||||||
&& mkdir squid \
|
|
||||||
&& tar -C squid --strip-components=1 -xvf squid-$SQUID_VERSION.tar.xz
|
|
||||||
|
|
||||||
RUN cd /src/squid && \
|
|
||||||
./configure \
|
|
||||||
--prefix=/usr \
|
|
||||||
--datadir=/usr/share/squid4 \
|
|
||||||
--sysconfdir=/etc/squid4 \
|
|
||||||
--localstatedir=/var \
|
|
||||||
--mandir=/usr/share/man \
|
|
||||||
--enable-inline \
|
|
||||||
--enable-async-io=8 \
|
|
||||||
--enable-storeio="ufs,aufs,diskd,rock" \
|
|
||||||
--enable-removal-policies="lru,heap" \
|
|
||||||
--enable-delay-pools \
|
|
||||||
--enable-cache-digests \
|
|
||||||
--enable-underscores \
|
|
||||||
--enable-icap-client \
|
|
||||||
--enable-follow-x-forwarded-for \
|
|
||||||
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
|
|
||||||
--enable-auth-digest="file,LDAP" \
|
|
||||||
--enable-auth-negotiate="kerberos,wrapper" \
|
|
||||||
--enable-auth-ntlm="fake" \
|
|
||||||
--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \
|
|
||||||
--enable-url-rewrite-helpers="fake" \
|
|
||||||
--enable-eui \
|
|
||||||
--enable-esi \
|
|
||||||
--enable-icmp \
|
|
||||||
--enable-zph-qos \
|
|
||||||
--with-openssl \
|
|
||||||
--enable-ssl \
|
|
||||||
--enable-ssl-crtd \
|
|
||||||
--disable-translation \
|
|
||||||
--with-swapdir=/var/spool/squid4 \
|
|
||||||
--with-logdir=/var/log/squid4 \
|
|
||||||
--with-pidfile=/var/run/squid4.pid \
|
|
||||||
--with-filedescriptors=65536 \
|
|
||||||
--with-large-files \
|
|
||||||
--with-default-user=proxy \
|
|
||||||
--disable-arch-native
|
|
||||||
|
|
||||||
ARG CONCURRENCY=1
|
|
||||||
|
|
||||||
RUN cd /src/squid && \
|
|
||||||
make -j$CONCURRENCY && \
|
|
||||||
make install
|
|
||||||
|
|
||||||
# Download p2cli dependency
|
|
||||||
RUN wget -O /usr/local/bin/p2 \
|
|
||||||
https://github.com/wrouesnel/p2cli/releases/download/r1/p2 && \
|
|
||||||
chmod +x /usr/local/bin/p2
|
|
||||||
|
|
||||||
# Clone and build proxychains-ng for SSL upstream proxying
|
|
||||||
ARG PROXYCHAINS_COMMITTISH=7a233fb1f05bcbf3d7f5c91658932261de1e13cb
|
|
||||||
|
|
||||||
RUN apt-get install -y git
|
|
||||||
|
|
||||||
RUN git clone https://github.com/rofl0r/proxychains-ng.git /src/proxychains-ng && \
|
|
||||||
cd /src/proxychains-ng && \
|
|
||||||
git checkout $PROXYCHAINS_COMMITTISH && \
|
|
||||||
./configure --prefix=/usr --sysconfdir=/etc && \
|
|
||||||
make -j$CONCURRENCY && make install
|
|
||||||
|
|
||||||
ARG URL_DOH=https://github.com/wrouesnel/dns-over-https-proxy/releases/download/v0.0.2/dns-over-https-proxy_v0.0.2_linux-amd64.tar.gz
|
|
||||||
|
|
||||||
RUN wget -O /tmp/doh.tgz \
|
|
||||||
$URL_DOH && \
|
|
||||||
tar -xvvf /tmp/doh.tgz --strip-components=1 -C /usr/local/bin/ && \
|
|
||||||
chmod +x /usr/local/bin/dns-over-https-proxy
|
|
||||||
|
|
||||||
COPY squid.conf.p2 /squid.conf.p2
|
|
||||||
COPY squid.bsh /squid.bsh
|
|
||||||
|
|
||||||
# Configuration environment
|
|
||||||
ENV HTTP_PORT=3128 \
|
|
||||||
ICP_PORT= \
|
|
||||||
HTCP_PORT= \
|
|
||||||
MITM_PROXY= \
|
|
||||||
MITM_CERT= \
|
|
||||||
MITM_KEY= \
|
|
||||||
VISIBLE_HOSTNAME=docker-squid4 \
|
|
||||||
MAX_CACHE_SIZE=40000 \
|
|
||||||
MAX_OBJECT_SIZE="1536 MB" \
|
|
||||||
MEM_CACHE_SIZE="128 MB" \
|
|
||||||
DNS_OVER_HTTPS_LISTEN_ADDR="127.0.0.153:53" \
|
|
||||||
DNS_OVER_HTTPS_SERVER="https://dns.google.com/resolve" \
|
|
||||||
DNS_OVER_HTTPS_NO_FALLTHROUGH="" \
|
|
||||||
DNS_OVER_HTTPS_FALLTHROUGH_STATUSES=NXDOMAIN \
|
|
||||||
DNS_OVER_HTTPS_PREFIX_SERVER= \
|
|
||||||
DNS_OVER_HTTPS_SUFFIX_SERVER=
|
|
||||||
|
|
||||||
EXPOSE 3128
|
|
||||||
|
|
||||||
ENTRYPOINT [ "/squid.bsh" ]
|
|
|
@ -1 +0,0 @@
|
||||||
from https://github.com/wrouesnel/docker-squid4
|
|
|
@ -1,134 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Setup the ssl_cert directory
|
|
||||||
if [ ! -d /etc/squid4/ssl_cert ]; then
|
|
||||||
mkdir /etc/squid4/ssl_cert
|
|
||||||
fi
|
|
||||||
|
|
||||||
chown -R proxy:proxy /etc/squid4
|
|
||||||
chmod 700 /etc/squid4/ssl_cert
|
|
||||||
|
|
||||||
# Setup the squid cache directory
|
|
||||||
if [ ! -d /var/cache/squid4 ]; then
|
|
||||||
mkdir -p /var/cache/squid4
|
|
||||||
fi
|
|
||||||
chown -R proxy: /var/cache/squid4
|
|
||||||
chmod -R 750 /var/cache/squid4
|
|
||||||
|
|
||||||
if [ ! -z $MITM_PROXY ]; then
|
|
||||||
if [ ! -z $MITM_KEY ]; then
|
|
||||||
echo "Copying $MITM_KEY as MITM key..."
|
|
||||||
cp $MITM_KEY /etc/squid4/ssl_cert/mitm.pem
|
|
||||||
chown root:proxy /etc/squid4/ssl_cert/mitm.pem
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -z $MITM_CERT ]; then
|
|
||||||
echo "Copying $MITM_CERT as MITM CA..."
|
|
||||||
cp $MITM_CERT /etc/squid4/ssl_cert/mitm.crt
|
|
||||||
chown root:proxy /etc/squid4/ssl_cert/mitm.crt
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z $MITM_CERT ] || [ -z $MITM_KEY ]; then
|
|
||||||
echo "Must specify $MITM_CERT AND $MITM_KEY." 1>&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
chown proxy: /dev/stdout
|
|
||||||
chown proxy: /dev/stderr
|
|
||||||
|
|
||||||
# Initialize the certificates database
|
|
||||||
/usr/libexec/security_file_certgen -c -s /var/spool/squid4/ssl_db
|
|
||||||
chown -R proxy: /var/spool/squid4/ssl_db
|
|
||||||
|
|
||||||
#ssl_crtd -c -s
|
|
||||||
#ssl_db
|
|
||||||
|
|
||||||
# Set the configuration
|
|
||||||
if [ "$CONFIG_DISABLE" != "yes" ]; then
|
|
||||||
p2 -t /squid.conf.p2 > /etc/squid4/squid.conf
|
|
||||||
|
|
||||||
# Parse the cache peer lines from the environment and add them to the
|
|
||||||
# configuration
|
|
||||||
echo '# CACHE PEERS FROM DOCKER' >> /etc/squid4/squid.conf
|
|
||||||
env | grep 'CACHE_PEER' | sort | while read cacheline; do
|
|
||||||
echo "# $cacheline " >> /etc/squid4/squid.conf
|
|
||||||
line=$(echo $cacheline | cut -d'=' -f2-)
|
|
||||||
echo "cache_peer $line" >> /etc/squid4/squid.conf
|
|
||||||
done
|
|
||||||
|
|
||||||
# Parse the extra config lines and append them to the configuration
|
|
||||||
echo '# EXTRA CONFIG FROM DOCKER' >> /etc/squid4/squid.conf
|
|
||||||
env | grep 'EXTRA_CONFIG' | sort | while read extraline; do
|
|
||||||
echo "# $extraline " >> /etc/squid4/squid.conf
|
|
||||||
line=$(echo $extraline | cut -d'=' -f2-)
|
|
||||||
echo "$line" >> /etc/squid4/squid.conf
|
|
||||||
done
|
|
||||||
else
|
|
||||||
echo "/etc/squid4/squid.conf: CONFIGURATION TEMPLATING IS DISABLED."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$DNS_OVER_HTTPS" = "yes" ]; then
|
|
||||||
echo "Starting DNS-over-HTTPS proxy..."
|
|
||||||
# TODO: find a way to tie this to the proxychains config
|
|
||||||
dns-over-https-proxy -default "$DNS_OVER_HTTPS_SERVER" \
|
|
||||||
-address "$DNS_OVER_HTTPS_LISTEN_ADDR" \
|
|
||||||
-primary-dns "$DNS_OVER_HTTPS_PREFIX_SERVER" \
|
|
||||||
-fallback-dns "$DNS_OVER_HTTPS_SUFFIX_SERVER" \
|
|
||||||
-no-fallthrough "$(echo $DNS_OVER_HTTPS_NO_FALLTHROUGH | tr -s ' ' ',')" \
|
|
||||||
-fallthrough-statuses "$DNS_OVER_HTTPS_FALLTHROUGH_STATUSES" &
|
|
||||||
echo "Adding dns_nameservers line to squid.conf..."
|
|
||||||
echo "dns_nameservers $(echo $DNS_OVER_HTTPS_LISTEN_ADDR | cut -d':' -f1)" >> /etc/squid4/squid.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e /etc/squid4/squid.conf ]; then
|
|
||||||
echo "ERROR: /etc/squid4/squid.conf does not exist. Squid will not work."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If proxychains is requested and config templating is active
|
|
||||||
if [ "$PROXYCHAIN" = "yes" ] && [ "$CONFIG_DISABLE" != "yes" ]; then
|
|
||||||
echo "# PROXYCHAIN CONFIG FROM DOCKER" > /etc/proxychains.conf
|
|
||||||
# Enable remote DNS proxy
|
|
||||||
if [ ! -z "$PROXYCHAIN_DNS" ]; then
|
|
||||||
echo "proxy_dns" >> /etc/proxychains.conf
|
|
||||||
fi
|
|
||||||
# Configure proxy type
|
|
||||||
if [ ! -z "$PROXYCHAIN_TYPE" ]; then
|
|
||||||
echo "$PROXYCHAIN_TYPE" >> /etc/proxychains.conf
|
|
||||||
else
|
|
||||||
echo "strict_chain" >> /etc/proxychains.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "[ProxyList]" >> /etc/proxychains.conf
|
|
||||||
env | grep 'PROXYCHAIN_PROXY' | sort | while read proxyline; do
|
|
||||||
echo "# $proxyline " >> /etc/squid4/squid.conf
|
|
||||||
line=$(echo $proxyline | cut -d'=' -f2-)
|
|
||||||
echo "$line" >> /etc/proxychains.conf
|
|
||||||
done
|
|
||||||
else
|
|
||||||
echo "/etc/proxychains.conf : CONFIGURATION TEMPLATING IS DISABLED"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Build the configuration directories if needed
|
|
||||||
squid -z -N
|
|
||||||
|
|
||||||
if [ "$PROXYCHAIN" = "yes" ]; then
|
|
||||||
if [ ! -e /etc/proxychains.conf ]; then
|
|
||||||
echo "ERROR: /etc/proxychains.conf does not exist. Squid with proxychains will not work."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
# Start squid with proxychains
|
|
||||||
proxychains4 -f /etc/proxychains.conf squid -N 2>&1 &
|
|
||||||
PID=$!
|
|
||||||
else
|
|
||||||
# Start squid normally
|
|
||||||
squid -N 2>&1 &
|
|
||||||
PID=$!
|
|
||||||
fi
|
|
||||||
|
|
||||||
# This construct allows signals to kill the container successfully.
|
|
||||||
trap "kill -TERM $(jobs -p)" INT TERM
|
|
||||||
wait $PID
|
|
||||||
wait $PID
|
|
||||||
exit $?
|
|
|
@ -1,46 +0,0 @@
|
||||||
# TEMPLATED CONFIGURATION FILE. UPDATED ON EACH RUN.
|
|
||||||
|
|
||||||
# Default all logs to stdout and stderr
|
|
||||||
logfile_rotate 0
|
|
||||||
access_log stdio:/dev/stdout combined
|
|
||||||
cache_store_log stdio:/dev/stdout
|
|
||||||
cache_log /dev/stderr
|
|
||||||
netdb_filename stdio:/var/cache/squid4/netdb.state
|
|
||||||
|
|
||||||
# Visible hostname to allow multi-squid
|
|
||||||
visible_hostname {{VISIBLE_HOSTNAME|default:"docker-squid4"}}
|
|
||||||
|
|
||||||
{% if DISABLE_CACHE|default:"" != "yes" %}
|
|
||||||
# Cache directory is fixed since we'll bind mount.
|
|
||||||
cache_dir aufs /var/cache/squid4 {{MAX_CACHE_SIZE|default:"40000"}} 16 256
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}}
|
|
||||||
cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
|
|
||||||
|
|
||||||
tls_outgoing_options capath=/etc/ssl/certs \
|
|
||||||
options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \
|
|
||||||
cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
|
|
||||||
|
|
||||||
http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \
|
|
||||||
generate-host-certificates=on \
|
|
||||||
dynamic_cert_mem_cache_size=4MB \
|
|
||||||
cert=/etc/squid4/ssl_cert/mitm.crt \
|
|
||||||
key=/etc/squid4/ssl_cert/mitm.pem
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if MITM_PROXY|default:"" == "yes" %}
|
|
||||||
ssl_bump server-first all
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if ICP_PORT|default:"" != "" %}
|
|
||||||
icp_port {{ICP_PORT}}
|
|
||||||
icp_access allow all
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if HTCP_PORT|default:"" != "" %}
|
|
||||||
htcp_port {{HTCP_PORT}}
|
|
||||||
htcp_access allow all
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
http_access allow all
|
|
|
@ -1,72 +0,0 @@
|
||||||
always_direct allow all
|
|
||||||
|
|
||||||
acl localhost src 127.0.0.1/32
|
|
||||||
acl to_localhost dst 127.0.0.0/8
|
|
||||||
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
|
|
||||||
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
|
|
||||||
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
|
|
||||||
acl SSL_ports port 443
|
|
||||||
acl Safe_ports port 80 # http
|
|
||||||
acl Safe_ports port 21 # ftp
|
|
||||||
acl Safe_ports port 443 # https
|
|
||||||
acl Safe_ports port 70 # gopher
|
|
||||||
acl Safe_ports port 210 # wais
|
|
||||||
acl Safe_ports port 1025-65535 # unregistered ports
|
|
||||||
acl Safe_ports port 280 # http-mgmt
|
|
||||||
acl Safe_ports port 488 # gss-http
|
|
||||||
acl Safe_ports port 591 # filemaker
|
|
||||||
acl Safe_ports port 777 # multiling http
|
|
||||||
acl CONNECT method CONNECT
|
|
||||||
|
|
||||||
http_access allow all
|
|
||||||
http_access allow manager localhost
|
|
||||||
http_access deny manager
|
|
||||||
|
|
||||||
htcp_access allow localnet
|
|
||||||
htcp_access deny all
|
|
||||||
|
|
||||||
|
|
||||||
visible_hostname git.local-domain
|
|
||||||
|
|
||||||
http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem version=4
|
|
||||||
#http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
|
|
||||||
#https_port 3129 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem options=NO_SSLv3 dhparams=/apps/dhparam.pem
|
|
||||||
|
|
||||||
always_direct allow all
|
|
||||||
acl excluded_sites ssl::server_name .wellsfargo.com
|
|
||||||
ssl_bump splice excluded_sites
|
|
||||||
ssl_bump bump all
|
|
||||||
|
|
||||||
sslproxy_cert_error deny all
|
|
||||||
#sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
|
|
||||||
|
|
||||||
icap_enable on
|
|
||||||
icap_preview_enable on
|
|
||||||
icap_preview_size 128
|
|
||||||
icap_send_client_ip on
|
|
||||||
|
|
||||||
adaptation_access url_check allow all
|
|
||||||
|
|
||||||
access_log /apps/squid/var/logs/access.log squid
|
|
||||||
|
|
||||||
# these are basically to make everything canched
|
|
||||||
refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
|
|
||||||
refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
|
|
||||||
|
|
||||||
debug_options 11,2 22,10
|
|
||||||
|
|
||||||
refresh_pattern ^ftp: 1440 20% 10080
|
|
||||||
refresh_pattern ^gopher: 1440 0% 1440
|
|
||||||
refresh_pattern (cgi-bin|\?) 0 0% 0
|
|
||||||
refresh_pattern . 0 20% 4320
|
|
||||||
|
|
||||||
icp_port 3130
|
|
||||||
|
|
||||||
|
|
||||||
coredump_dir /apps/squid/var/cache
|
|
||||||
|
|
||||||
|
|
||||||
cache_mem 1000 MB
|
|
||||||
|
|
||||||
maximum_object_size 4096 MB
|
|
||||||
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
|
|