feat: should now cache https

2020-08-04 20:48:14 +01:00 · 2020-08-04 20:48:14 +01:00 · d4927c3867
parent 892b1e36bd
commit d4927c3867
9 changed files with 246 additions and 8 deletions
--- a/.drone/drone-home.jsonnet
+++ b/.drone/drone-home.jsonnet
@ -222,7 +222,11 @@ local images = {
            script +: [
              'set -e',
              "docker network prune -f",
-              "cd /stack/squid",
+              "cd /stack/squid/myCA",
+              'cd myCA',
+              'openssl genrsa -out CA_key.pem 2048',
+              'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf    -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"',
+              'cd ..',
              "docker stack rm squid",
              "sleep 30",
              "docker stack deploy -c docker-compose.yml squid",
--- a/.drone/drone-home.yml
+++ b/.drone/drone-home.yml
@ -38,7 +38,6 @@ steps:
    - drone_build_number
    - drone_repo_name
    - drone_repo_namespace
-    - DRONE_GITEA_SERVER
    - ssh_host
    - ssh_user
    - ssh_root_user
@ -72,7 +71,6 @@ steps:
    - drone_build_number
    - drone_repo_name
    - drone_repo_namespace
-    - DRONE_GITEA_SERVER
    - ssh_host
    - ssh_user
    - ssh_root_user
@ -86,7 +84,11 @@ steps:
    script:
    - set -e
    - docker network prune -f
-    - cd /stack/squid
+    - cd /stack/squid/myCA
+    - cd myCA
+    - openssl genrsa -out CA_key.pem 2048
+    - openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf    -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
+    - cd ..
    - docker stack rm squid
    - sleep 30
    - docker stack deploy -c docker-compose.yml squid
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+myCA/*.pem
--- a/README.md
+++ b/README.md
@ -1,3 +1,13 @@
 # squid

 apt cacher for debian
+
+inspired by https://github.com/salrashid123/squid_proxy
+
+## making a CA
+
+```shell
+cd myCA
+openssl genrsa -out CA_key.pem 2048
+openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf    -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
+```
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -7,10 +7,12 @@ services:
      replicas: 1
      restart_policy:
        condition: any
-    image: sameersbn/squid:3.5.27-2
+    image: squid
    volumes:
      - squid-cache:/var/spool/squid
-      - ./squid.conf:/etc/squid/squid.conf
+      #- ./squid.intercept.conf:/etc/squid/squid.conf
+      - ./myCA/CA_crt.pem:/apps/CA_crt.pem
+      - ./myCA/CA_key.pem:/apps/CA_key.pem      
    ports:
      - 3128:3128
    networks:
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -0,0 +1,25 @@
+FROM debian:8
+RUN apt-get -y update
+RUN apt-get install -y curl supervisor git openssl  build-essential libssl-dev wget vim curl
+RUN mkdir -p /var/log/supervisor
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+WORKDIR /apps/
+RUN wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz | tar zxfv - \
+    && CPU=$(( `nproc --all`-1 )) \
+    && cd /apps/squid-3.5.27/ \
+    && ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
+    && make -j$CPU \
+    && make install \
+    && cd /apps \
+    && rm -rf /apps/squid-3.5.27
+ADD . /apps/
+
+RUN chown -R nobody:nogroup /apps/
+RUN mkdir -p  /apps/squid/var/lib/
+RUN /apps/squid/libexec/ssl_crtd -c -s /apps/squid/var/lib/ssl_db -M 4MB
+RUN /apps/squid/sbin/squid -z -f /apps/squid.conf.cache
+RUN chown -R nobody:nogroup /apps/
+
+EXPOSE 3128
+ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
+CMD ["/apps/squid.conf.intercept"]
--- a/docker/squid.intercept.conf
+++ b/docker/squid.intercept.conf
@ -0,0 +1,70 @@
+always_direct allow all
+
+acl localhost src 127.0.0.1/32
+acl to_localhost dst 127.0.0.0/8
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
+
+http_access allow all
+http_access allow manager localhost
+http_access deny manager
+
+htcp_access allow localnet
+htcp_access deny all
+
+
+visible_hostname git.local-domain
+
+http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem
+
+always_direct allow all
+acl excluded_sites ssl::server_name .wellsfargo.com
+ssl_bump splice excluded_sites
+ssl_bump bump all
+
+sslproxy_cert_error deny all
+sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
+
+icap_enable          on
+icap_preview_enable  on
+icap_preview_size    128
+icap_send_client_ip  on
+
+adaptation_access url_check  allow all
+
+access_log /apps/squid/var/logs/access.log squid
+
+# these are basically to make everything canched
+refresh_pattern ^http:  999999999     1000000000%    999999999 ignore-no-cache override-expire ignore-reload
+refresh_pattern ^https:  999999999     1000000000%    999999999 ignore-no-cache override-expire ignore-reload
+
+debug_options 11,2  22,10
+
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern (cgi-bin|\?)	0	0%	0
+refresh_pattern .		0	20%	4320
+
+icp_port 3130
+
+
+coredump_dir /apps/squid/var/cache
+
+
+cache_mem 1000 MB
+
+maximum_object_size 4096 MB
+cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
--- a/myCA/openssl.cnf
+++ b/myCA/openssl.cnf
@ -0,0 +1,124 @@
+#HOME			= .
+#RANDFILE		= $ENV::HOME/.rnd
+
+oid_section		= new_oids
+
+extensions = v3_req 
+
+[ new_oids ]
+
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./
+certs		= $dir/certs 		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/new_certs	# default place for new certs.
+
+certificate	= $dir/CA_crt.pem	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/CA_crl.pem 		# The current CRL
+private_key	= $dir/CA_key.pem
+RANDFILE	= $dir/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# crl_extensions	= crl_ext
+
+default_days	= 1825			# how long to certify for
+default_crl_days= 365 			# how long before next CRL
+default_md  = sha256 
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+string_mask = nombstr
+
+#req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+
+countryName			= country
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= province
+stateOrProvinceName_default	= California
+
+localityName			= locality
+localityName_default		= Mountain View
+
+0.organizationName              = O
+0.organizationName_default      = Google
+
+
+organizationalUnitName		= OU
+organizationalUnitName_default	= Enterprise
+
+commonName			= CN
+commonName_default		= MyCA
+commonName_max			= 64
+
+emailAddress			= email
+emailAddress_max		= 40
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		=
+challengePassword_min		= 0
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+nsComment			= "OpenSSL Generated Certificate"
+
+#subjectAltName = @alt_names
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+
+[alt_names]
+DNS.1 = squid.yourdomain.com
+
+[ v3_req ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+
+[ v3_ca ]
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "private": true,
  "scripts": {
-    "jsonnet:home": "drone jsonnet --source jsonnet/.drone-home.jsonnet --target jsonnet/.drone-home.yml --stream"
+    "jsonnet:home": "drone jsonnet --source .drone/drone-home.jsonnet --target .drone/drone-home.yml --stream"
  }
 }