From d4927c38675726089b4f50bc7586c56c6f5c10e3 Mon Sep 17 00:00:00 2001
From: Giles Bradshaw
Date: Tue, 4 Aug 2020 20:48:14 +0100
Subject: [PATCH] feat: should now cache https
---
 .drone/drone-home.jsonnet | 6 +-
 .drone/drone-home.yml | 8 ++-
 .gitignore | 1 +
 README.md | 12 +++-
 docker-compose.yml | 6 +-
 docker/Dockerfile | 25 ++++++++
 docker/squid.intercept.conf | 70 ++++++++++++++++++++
 myCA/openssl.cnf | 124 ++++++++++++++++++++++++++++++++++++
 package.json | 2 +-
 9 files changed, 246 insertions(+), 8 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/squid.intercept.conf
 create mode 100644 myCA/openssl.cnf
diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet
index fe17c27..34211ae 100644
--- a/.drone/drone-home.jsonnet
+++ b/.drone/drone-home.jsonnet
@@ -222,7 +222,11 @@ local images = {
 script +: [
 'set -e',
 "docker network prune -f",
- "cd /stack/squid",
+ "cd /stack/squid/myCA",
+ 'cd myCA',
+ 'openssl genrsa -out CA_key.pem 2048',
+ 'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"',
+ 'cd ..',
 "docker stack rm squid",
 "sleep 30",
 "docker stack deploy -c docker-compose.yml squid",
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml
index 0538818..b28ada1 100644
--- a/.drone/drone-home.yml
+++ b/.drone/drone-home.yml
@@ -38,7 +38,6 @@ steps:
 - drone_build_number
 - drone_repo_name
 - drone_repo_namespace
- - DRONE_GITEA_SERVER
 - ssh_host
 - ssh_user
 - ssh_root_user
@@ -72,7 +71,6 @@ steps:
 - drone_build_number
 - drone_repo_name
 - drone_repo_namespace
- - DRONE_GITEA_SERVER
 - ssh_host
 - ssh_user
 - ssh_root_user
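Review bot: The added `"cd /stack/squid/myCA",` followed by `'cd myCA',` changes into myCA twice, so under `set -e` the second cd aborts the deploy unless a nested myCA directory exists; one of the two lines should go (the same pair appears in the drone-home.yml hunk that follows). Running `openssl genrsa` and `openssl req -x509 -new` unconditionally also mints a fresh CA key and certificate on every deploy, so every client that imported the previous CA_crt.pem stops trusting the proxy after each run; guarding the step, e.g. `'[ -f CA_key.pem ] || openssl genrsa -out CA_key.pem 2048',`, keeps the CA stable across deploys. The `-nodes` key is written unencrypted to the deploy host with whatever the default umask gives, so a `'chmod 600 CA_key.pem',` step belongs next to it. The `-subj` value is copied from the upstream example and names a third party (O=Google); it should identify this project's own CA.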
@@ -86,7 +84,11 @@ steps:
 script:
 - set -e
 - docker network prune -f
- - cd /stack/squid
+ - cd /stack/squid/myCA
+ - cd myCA
+ - openssl genrsa -out CA_key.pem 2048
+ - openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
+ - cd ..
 - docker stack rm squid
 - sleep 30
 - docker stack deploy -c docker-compose.yml squid
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e81986e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+myCA/*.pem
diff --git a/README.md b/README.md
index b460241..d2ee56f 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,13 @@
 # squid
-apt cacher for debian
\ No newline at end of file
+apt cacher for debian
+
+inspired by https://github.com/salrashid123/squid_proxy
+
+## making a CA
+
+```shell
+cd myCA
+openssl genrsa -out CA_key.pem 2048
+openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
+```
diff --git a/docker-compose.yml b/docker-compose.yml
index 17429e7..00e4153 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,10 +7,12 @@ services:
 replicas: 1
 restart_policy:
 condition: any
- image: sameersbn/squid:3.5.27-2
+ image: squid
 volumes:
 - squid-cache:/var/spool/squid
- - ./squid.conf:/etc/squid/squid.conf
+ #- ./squid.intercept.conf:/etc/squid/squid.conf
+ - ./myCA/CA_crt.pem:/apps/CA_crt.pem
+ - ./myCA/CA_key.pem:/apps/CA_key.pem
 ports:
 - 3128:3128
 networks:
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..99ff4f5
--- /dev/null
+++ b/docker/Dockerfile
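Review bot: `image: squid` replaces a tagged registry image with an unqualified local name, so `docker stack deploy` only finds it on nodes where the Dockerfile happened to be built and otherwise pulls whatever `squid` resolves to at the registry; push the built image and reference it as `image: <registry>/squid:<tag>` (placeholder) so the deploy is reproducible. The CA private key is bind-mounted from `./myCA/CA_key.pem`, which on a swarm means every node needs its own on-disk copy of the key; a swarm `secrets:` entry mounted into the service is the mechanism designed for this and keeps the key out of bind mounts. The commented-out `#- ./squid.intercept.conf:/etc/squid/squid.conf` names a path this patch does not add (the file lands at `docker/squid.intercept.conf`) and targets `/etc/squid`, which the new image's entrypoint does not read; drop it or correct it so it does not mislead the next reader.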
@@ -0,0 +1,25 @@
+FROM debian:8
+RUN apt-get -y update
+RUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl
+RUN mkdir -p /var/log/supervisor
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+WORKDIR /apps/
+RUN wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz | tar zxfv - \
+ && CPU=$(( `nproc --all`-1 )) \
+ && cd /apps/squid-3.5.27/ \
+ && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
+ && make -j$CPU \
+ && make install \
+ && cd /apps \
+ && rm -rf /apps/squid-3.5.27
+ADD . /apps/
+
+RUN chown -R nobody:nogroup /apps/
+RUN mkdir -p /apps/squid/var/lib/
+RUN /apps/squid/libexec/ssl_crtd -c -s /apps/squid/var/lib/ssl_db -M 4MB
+RUN /apps/squid/sbin/squid -z -f /apps/squid.conf.cache
+RUN chown -R nobody:nogroup /apps/
+
+EXPOSE 3128
+ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
+CMD ["/apps/squid.conf.intercept"]
diff --git a/docker/squid.intercept.conf b/docker/squid.intercept.conf
new file mode 100644
index 0000000..8e2e991
--- /dev/null
+++ b/docker/squid.intercept.conf
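Review bot: `CMD ["/apps/squid.conf.intercept"]` and `RUN /apps/squid/sbin/squid -z -f /apps/squid.conf.cache` name config files this patch does not add — the committed file is `docker/squid.intercept.conf` — so unless the build context supplies them from elsewhere the build fails at `squid -z` or the container fails at start; at minimum the CMD should match the committed name, `CMD ["/apps/squid.intercept.conf"]`. The squid source is fetched with `wget -O - http://...tar.gz | tar zxfv -` over plain HTTP and compiled with no checksum or signature check, so whatever that download returns becomes the binary that terminates TLS for every client; download to a file, verify it against the published digest (`echo "<expected-sha256>  squid-3.5.27.tar.gz" | sha256sum -c`, placeholder) and fetch over https before extracting. `FROM debian:8` is a release whose LTS support ended in June 2020, and the 3.5 squid series is no longer maintained, so the OpenSSL and squid in this image will not receive fixes. `ADD . /apps/` copies the whole build context with no `.dockerignore` in this patch, so if the context is the repository root the generated `*.pem` files would land in an image layer — hedged, since the context is not shown here.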
@@ -0,0 +1,70 @@
+always_direct allow all
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+http_access allow all
+http_access allow manager localhost
+http_access deny manager
+
+htcp_access allow localnet
+htcp_access deny all
+
+
+visible_hostname git.local-domain
+
+http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem
+
+always_direct allow all
+acl excluded_sites ssl::server_name .wellsfargo.com
+ssl_bump splice excluded_sites
+ssl_bump bump all
+
+sslproxy_cert_error deny all
+sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
+
+icap_enable on
+icap_preview_enable on
+icap_preview_size 128
+icap_send_client_ip on
+
+adaptation_access url_check allow all
+
+access_log /apps/squid/var/logs/access.log squid
+
+# these are basically to make everything canched
+refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
+refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
+
+debug_options 11,2 22,10
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern (cgi-bin|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+icp_port 3130
+
+
+coredump_dir /apps/squid/var/cache
+
+
+cache_mem 1000 MB
+
+maximum_object_size 4096 MB
+cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
diff --git a/myCA/openssl.cnf b/myCA/openssl.cnf
new file mode 100644
index 0000000..76efdc7
--- /dev/null
+++ b/myCA/openssl.cnf
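Review bot: `http_access allow all` is the first access rule, so it admits every client before the `manager` rules beneath it are ever consulted, and since docker-compose publishes `3128:3128` this is an open, TLS-bumping proxy for anyone who can reach the host. The `Safe_ports`, `SSL_ports` and `CONNECT` ACLs are defined but never referenced by an `http_access` rule, so the usual port restrictions are not enforced either; the access section should admit only `localnet`, as below. Separately, `sslcrtd_program ... -M 4MB sslcrtd_children 8 startup=1 idle=1` appears here as one line, which would hand `sslcrtd_children 8 startup=1 idle=1` to the helper as arguments instead of setting the directive; if the committed file really reads that way it needs a line break before `sslcrtd_children`. The blanket `refresh_pattern ^https: ... ignore-no-cache override-expire ignore-reload` makes every bumped HTTPS response from every origin cacheable for years, which is far wider than an apt cache needs; scoping that pattern to the repository hosts this proxy exists for would bound the stale-content exposure.
```conf
# … unchanged: acl definitions …
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
# … unchanged: htcp_access and the remaining directives …
```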
@@ -0,0 +1,124 @@
+#HOME = .
+#RANDFILE = $ENV::HOME/.rnd
+
+oid_section = new_oids
+
+extensions = v3_req
+
+[ new_oids ]
+
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CA_crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/CA_crl.pem # The current CRL
+private_key = $dir/CA_key.pem
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# crl_extensions = crl_ext
+
+default_days = 1825 # how long to certify for
+default_crl_days= 365 # how long before next CRL
+default_md = sha256
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = nombstr
+
+#req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+
+countryName = country
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = province
+stateOrProvinceName_default = California
+
+localityName = locality
+localityName_default = Mountain View
+
+0.organizationName = O
+0.organizationName_default = Google
+
+
+organizationalUnitName = OU
+organizationalUnitName_default = Enterprise
+
+commonName = CN
+commonName_default = MyCA
+commonName_max = 64
+
+emailAddress = email
+emailAddress_max = 40
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword =
+challengePassword_min = 0
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+nsComment = "OpenSSL Generated Certificate"
+
+#subjectAltName = @alt_names
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+
+[alt_names]
+DNS.1 = squid.yourdomain.com
+
+[ v3_req ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+
+[ v3_ca ]
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
\ No newline at end of file
diff --git a/package.json b/package.json
index ab343a8..ad5cee0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "private": true,
 "scripts": {
- "jsonnet:home": "drone jsonnet --source jsonnet/.drone-home.jsonnet --target jsonnet/.drone-home.yml --stream"
+ "jsonnet:home": "drone jsonnet --source .drone/drone-home.jsonnet --target .drone/drone-home.yml --stream"
 }
 }
\ No newline at end of file
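Review bot: `[ v3_ca ]` sets `basicConstraints = CA:true` without `critical` and without a path length, and adds no `subjectKeyIdentifier`, so the CA that clients will be asked to import could also sign subordinate CAs and lacks the key identifier chain builders expect; `basicConstraints = critical, CA:true, pathlen:0` together with `subjectKeyIdentifier = hash` is the conventional form for a single-level signing CA like this one. `default_bits = 1024` in `[ req ]` is only avoided because the README commands pass an explicit 2048-bit key to `genrsa`; raising it to `default_bits = 2048` keeps any other use of this config from producing a weak key. `string_mask = nombstr` is a legacy setting and `utf8only` is the current default. `[alt_names]` and the commented `#subjectAltName = @alt_names` are dead configuration; drop them or add a comment saying why they are kept.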