feat: should now cache https

This commit is contained in:
Giles Bradshaw 2020-08-04 20:48:14 +01:00
parent 892b1e36bd
commit d4927c3867
9 changed files with 246 additions and 8 deletions


@ -222,7 +222,11 @@ local images = {
script +: [
'set -e',
"docker network prune -f",
"cd /stack/squid",
"cd /stack/squid/myCA",
'cd myCA',
'openssl genrsa -out CA_key.pem 2048',
'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"',
'cd ..',
"docker stack rm squid",
"sleep 30",
"docker stack deploy -c docker-compose.yml squid",
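Review bot: The added `openssl genrsa -out CA_key.pem 2048` and `openssl req -x509 ...` lines run unconditionally on every deploy, so each push overwrites the CA key and certificate and every client that imported the previous `CA_crt.pem` stops trusting the proxy; guard them with `'[ -f CA_key.pem ] || openssl genrsa -out CA_key.pem 2048',` and `'[ -f CA_crt.pem ] || openssl req -x509 ...',`, and add `'chmod 600 CA_key.pem',` since `-nodes` leaves the key unencrypted on the deploy host. The `cd` sequence also looks off: if `cd /stack/squid/myCA` is the new line (as the print order suggests), the following `cd myCA` expects a second nested `myCA` directory and `set -e` aborts the step there, so one of the two should go. The `-subj` value claims Google's organisation; a private CA should carry the operator's own O/CN so anyone inspecting a bumped certificate can tell who issued it. The same commands appear in the yaml hunk at `@ -86,7 +84,11`, which per package.json is presumably generated from this jsonnet, so fixing it here and regenerating covers both.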


@ -38,7 +38,6 @@ steps:
- drone_build_number
- drone_repo_name
- drone_repo_namespace
- DRONE_GITEA_SERVER
- ssh_host
- ssh_user
- ssh_root_user
@ -72,7 +71,6 @@ steps:
- drone_build_number
- drone_repo_name
- drone_repo_namespace
- DRONE_GITEA_SERVER
- ssh_host
- ssh_user
- ssh_root_user
@ -86,7 +84,11 @@ steps:
script:
- set -e
- docker network prune -f
- cd /stack/squid
- cd /stack/squid/myCA
- cd myCA
- openssl genrsa -out CA_key.pem 2048
- openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
- cd ..
- docker stack rm squid
- sleep 30
- docker stack deploy -c docker-compose.yml squid

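--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+myCA/*.pem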


@ -1,3 +1,13 @@
# squid
apt cacher for debian
inspired by https://github.com/salrashid123/squid_proxy
## making a CA
```shell
cd myCA
openssl genrsa -out CA_key.pem 2048
openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"
```


@ -7,10 +7,12 @@ services:
replicas: 1
restart_policy:
condition: any
image: sameersbn/squid:3.5.27-2
image: squid
volumes:
- squid-cache:/var/spool/squid
- ./squid.conf:/etc/squid/squid.conf
#- ./squid.intercept.conf:/etc/squid/squid.conf
- ./myCA/CA_crt.pem:/apps/CA_crt.pem
- ./myCA/CA_key.pem:/apps/CA_key.pem
ports:
- 3128:3128
networks:
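Review bot: `image: squid` is an unqualified, untagged name with no `build:` entry, so on a node that does not already hold a locally built `squid` image, `docker stack deploy` will try to pull `docker.io/library/squid:latest` from Docker Hub instead of the image produced from the new Dockerfile; use a registry-qualified, pinned reference such as `image: <your-registry>/squid:<tag>`. The CA private key is bind-mounted read-write; `- ./myCA/CA_key.pem:/apps/CA_key.pem:ro` (and likewise for the cert) keeps the container from modifying it. The surviving `./squid.conf:/etc/squid/squid.conf` mount looks stale: the new Dockerfile's entrypoint reads `/apps/squid.conf.intercept`, so this mount may no longer affect the running proxy — worth confirming which file it actually loads.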

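--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,25 @@
+FROM debian:8
+RUN apt-get -y update
+RUN apt-get install -y curl supervisor git openssl build-essential libssl-dev wget vim curl
+RUN mkdir -p /var/log/supervisor
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+WORKDIR /apps/
+RUN wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz | tar zxfv - \
+&& CPU=$(( `nproc --all`-1 )) \
+&& cd /apps/squid-3.5.27/ \
+&& ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers="NCSA" \
+&& make -j$CPU \
+&& make install \
+&& cd /apps \
+&& rm -rf /apps/squid-3.5.27
+ADD . /apps/
+RUN chown -R nobody:nogroup /apps/
+RUN mkdir -p /apps/squid/var/lib/
+RUN /apps/squid/libexec/ssl_crtd -c -s /apps/squid/var/lib/ssl_db -M 4MB
+RUN /apps/squid/sbin/squid -z -f /apps/squid.conf.cache
+RUN chown -R nobody:nogroup /apps/
+EXPOSE 3128
+ENTRYPOINT ["/apps/squid/sbin/squid", "-NsY", "-f"]
+CMD ["/apps/squid.conf.intercept"]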
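Review bot: The squid source tarball on the `RUN wget -O - http://www.squid-cache.org/... | tar zxfv -` line is fetched over plain HTTP and unpacked and compiled with no checksum or signature check, so the proxy binary in the image is whatever the network path delivered at build time. Fetch it to a file over https and verify a pinned digest before extracting, e.g. `wget -O squid-3.5.27.tar.gz https://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz` followed by `echo "<sha256 of the release tarball>  squid-3.5.27.tar.gz" | sha256sum -c -`. `ADD . /apps/` copies the whole build context into the image; if that context ever contains `myCA/`, the CA private key ends up in an image layer (the new `.gitignore` entry does not affect the Docker context — only a `.dockerignore` would). There is no `USER` instruction, so the `ENTRYPOINT` starts squid as root despite the `chown -R nobody:nogroup`; whether squid drops privileges itself depends on `cache_effective_user` in the loaded config, which is not visible here. `FROM debian:8` is also out of security support, so `apt-get -y update` no longer brings in fixes for the toolchain and libssl the build links against.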


@ -0,0 +1,70 @@
always_direct allow all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
htcp_access allow localnet
htcp_access deny all
visible_hostname git.local-domain
http_port 3128 ssl-bump generate-host-certificates=on cert=/apps/CA_crt.pem key=/apps/CA_key.pem
always_direct allow all
acl excluded_sites ssl::server_name .wellsfargo.com
ssl_bump splice excluded_sites
ssl_bump bump all
sslproxy_cert_error deny all
sslcrtd_program /apps/squid/libexec/ssl_crtd -s /apps/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
adaptation_access url_check allow all
access_log /apps/squid/var/logs/access.log squid
# these are basically to make everything canched
refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload
debug_options 11,2 22,10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /apps/squid/var/cache
cache_mem 1000 MB
maximum_object_size 4096 MB
cache_dir aufs /apps/squid/var/cache/squid 10000 16 256
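Review bot: `http_access allow all` on the line right after `acl CONNECT method CONNECT` is the first access rule, so squid matches it before `http_access deny manager` ever runs, and because the compose file publishes `3128:3128` on the host, anyone who can reach that port gets an unrestricted TLS-bumping proxy. The `Safe_ports`, `SSL_ports`, `CONNECT` and `localnet` ACLs are defined but never referenced by an `http_access` rule; the ordering below restricts the proxy to the RFC1918 ranges the file already declares and blocks CONNECT to non-TLS ports. `adaptation_access url_check allow all` names an ICAP service that is not defined in this file; unless an `icap_service url_check ...` line exists elsewhere, squid will refuse to start on the unknown service name. `always_direct allow all` is also present twice (the first line and the line after `http_port`).
```conf
# … unchanged: acl definitions …
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# … unchanged: htcp_access onward …
```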

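--- a/myCA/openssl.cnf
+++ b/myCA/openssl.cnf
@@ -0,0 +1,124 @@
+#HOME = .
+#RANDFILE = $ENV::HOME/.rnd
+oid_section = new_oids
+extensions = v3_req
+[ new_oids ]
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+####################################################################
+[ CA_default ]
+dir = ./
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+certificate = $dir/CA_crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/CA_crl.pem # The current CRL
+private_key = $dir/CA_key.pem
+RANDFILE = $dir/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+# crl_extensions = crl_ext
+default_days = 1825 # how long to certify for
+default_crl_days= 365 # how long before next CRL
+default_md = sha256
+preserve = no # keep passed DN ordering
+policy = policy_match
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+string_mask = nombstr
+#req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName = country
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = province
+stateOrProvinceName_default = California
+localityName = locality
+localityName_default = Mountain View
+0.organizationName = O
+0.organizationName_default = Google
+organizationalUnitName = OU
+organizationalUnitName_default = Enterprise
+commonName = CN
+commonName_default = MyCA
+commonName_max = 64
+emailAddress = email
+emailAddress_max = 40
+# SET-ex3 = SET extension number 3
+[ req_attributes ]
+challengePassword =
+challengePassword_min = 0
+challengePassword_max = 20
+unstructuredName = An optional company name
+[ usr_cert ]
+nsComment = "OpenSSL Generated Certificate"
+#subjectAltName = @alt_names
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+[alt_names]
+DNS.1 = squid.yourdomain.com
+[ v3_req ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+[ v3_ca ]
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always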
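Review bot: In `[ v3_ca ]` the `basicConstraints = CA:true` extension is not marked critical, which RFC 5280 requires for CA certificates, and the `keyUsage` grants keyEncipherment, dataEncipherment and keyAgreement that a signing-only CA never exercises; `basicConstraints = critical, CA:true, pathlen:0`, `keyUsage = critical, keyCertSign, cRLSign` and `subjectKeyIdentifier = hash` are the conventional settings (pathlen:0 is appropriate if this CA only ever signs the leaf certificates squid mints). `default_bits = 1024` in `[ req ]` is a weak default; the documented command passes 2048 to genrsa explicitly so it is unused today, but `default_bits = 2048` removes the trap for the next person who runs `openssl req` without it. The `req_distinguished_name` defaults (`Google`, `Mountain View`, `MyCA`) are copied from a sample and make this private CA look like someone else's; replace them with the operator's own identity so bumped certificates are attributable.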


@ -1,6 +1,6 @@
{
"private": true,
"scripts": {
"jsonnet:home": "drone jsonnet --source jsonnet/.drone-home.jsonnet --target jsonnet/.drone-home.yml --stream"
"jsonnet:home": "drone jsonnet --source .drone/drone-home.jsonnet --target .drone/drone-home.yml --stream"
}
}