squid/docker-compose.yml

version: "3.7"
services:
  squid-4:
    deploy:
      placement:
        constraints: [node.labels.com.sigyl.git-stack == yes]
      replicas: 1
      restart_policy:
        condition: any
    image: sigyl/squid-4:1.1.0
    environment:
      - MITM_PROXY=yes
      - HTTP_PORT=3128
      - MITM_CERT=/run/secrets/ca.crt
      - MITM_KEY=/run/secrets/ca.key
      - VISIBLE_HOSTNAME=$LOCAL_DOMAIN
      - >
        EXTRA_CONFIG1=tls_outgoing_options
        capath=/etc/ssl/certs
        options=NO_SSLv3,NO_TLSv1 min-version=1.2
      # - EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM #:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
      # these are basically to make everything canched
      - 'EXTRA_CONFIG2=refresh_pattern ^http:  999999999     1000000000%    999999999 override-expire'
      - 'EXTRA_CONFIG3=refresh_pattern ^https:  999999999     1000000000%    999999999 override-expire'
      - EXTRA_CONFIG4= acl no_cache_domains dstdomain auth.docker.io
      - EXTRA_CONFIG5=cache deny no_cache_domains
    volumes:
      - squid-4-cache:/var/cache/squid4
    ports:
      - 3128:3128
    networks:
      - appnet
      - externalnet
    secrets:
      - ca.crt
      - ca.key
  squid-deb:
    deploy:
      placement:
        constraints: [node.labels.com.sigyl.git-stack == yes]
      replicas: 1
      restart_policy:
        condition: any
    image: sigyl/squid-deb-proxy:1.0.0
    volumes:
      - squid-deb-cache:/cachedir
    ports:
      - 8000:8000
    networks:
      - appnet
      - externalnet
volumes:
  squid-4-cache:
  squid-deb-cache:

networks:
  appnet:
    driver: overlay
  externalnet:
    driver: overlay
    external: true

secrets:
  'ca.crt':
    file: .secrets/ca.crt
  'ca.key':
    file: .secrets/ca.key