squid/docker-compose.yml


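version: "3.7"

services:
  # TLS-intercepting, caching forward proxy (MITM_PROXY=yes). It is handed
  # the CA certificate and private key through the ca.crt / ca.key secrets.
  squid:
    deploy:
      placement:
        constraints:
          # Quoted so the whole expression stays a single string.
          - 'node.labels.com.sigyl.git-stack == yes'
      replicas: 1
      restart_policy:
        condition: any
    # NOTE(review): no tag or digest, so every pull may bring different
    # code into a container that holds the CA private key. Pin it, e.g.
    # wrouesnel/docker-squid4@sha256:<digest-you-verified>.
    image: wrouesnel/docker-squid4
    environment:
      - MITM_PROXY=yes
      - HTTP_PORT=3128
      - MITM_CERT=/run/secrets/ca.crt
      - MITM_KEY=/run/secrets/ca.key
      - VISIBLE_HOSTNAME=git.local-domain
      # Folded scalar: the three lines are joined with single spaces. The
      # previous plain scalar ended its lines with "\", which YAML does not
      # treat as a continuation there, so literal backslashes became part
      # of the value (presumably passed on into squid.conf).
      - >-
        EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs
        options=NO_SSLv3,NO_TLSv1
        min-version=1.2
      # Disabled alternatives kept from the original file:
      #   cipher=ECDHE+ECDSA
      #   ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
      #
      # Outgoing cipher list, restricted to ECDHE + AES-GCM suites.
      # NOTE(review): Squid 4 documents sslproxy_cipher as superseded by
      # "tls_outgoing_options cipher="; confirm this line still takes
      # effect and is not merely logged as deprecated.
      # Suites that were already commented out of the list:
      #   :EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384
      #   :EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL
      #   :!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
      - 'EXTRA_CONFIG2=sslproxy_cipher ECDHE+ECDSA+AESGCM:ECDHE+RSA+AESGCM:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM'
      # These are basically to make everything cached. (This remark used
      # to sit behind a "-", which added an empty/null list entry.)
      # Caveat: override-expire / ignore-reload / ignore-no-cache tell
      # Squid to disregard origin freshness controls, so clients can be
      # served stale responses, and responses fetched over intercepted
      # HTTPS are shared between every client of the proxy.
      - 'EXTRA_CONFIG3=refresh_pattern ^http: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
      - 'EXTRA_CONFIG4=refresh_pattern ^https: 999999999 1000000000% 999999999 ignore-no-cache override-expire ignore-reload'
    ports:
      # Quoted per Compose convention for HOST:CONTAINER mappings.
      # NOTE(review): this publishes the intercepting proxy outside the
      # overlay networks; limit which hosts can reach 3128 (firewall).
      - "3128:3128"
    networks:
      - appnet
      - externalnet
    secrets:
      - ca.crt
      - ca.key

  # Caching proxy for Debian packages; its cache lives in the
  # squid-deb-cache volume.
  squid-deb:
    deploy:
      placement:
        constraints:
          - 'node.labels.com.sigyl.git-stack == yes'
      replicas: 1
      restart_policy:
        condition: any
    # NOTE(review): ":latest" is a moving tag; pin a tag or digest you
    # have verified so redeploys are reproducible.
    image: mikepurvis/squid-deb-proxy:latest
    volumes:
      - squid-deb-cache:/cachedir
    ports:
      - "8000:8000"
    networks:
      - appnet
      - externalnet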
# Named volumes, each with default driver settings.
volumes:
  # NOTE(review): no service in this file mounts squid-cache; confirm
  # whether the squid service was meant to persist its cache here.
  squid-cache: {}
  # Mounted at /cachedir by the squid-deb service.
  squid-deb-cache: {}
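networks:
  # Overlay network created together with this stack.
  appnet:
    driver: overlay
  # Pre-existing network, looked up by name and never created here.
  # "driver" was dropped: Compose documents "external" as incompatible
  # with other network configuration keys such as driver.
  externalnet:
    external: true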
# File-backed secrets. The squid service reads them at
# /run/secrets/ca.crt and /run/secrets/ca.key (MITM_CERT / MITM_KEY).
secrets:
  # CA certificate used for TLS interception.
  ca.crt:
    file: .secrets/ca.crt
  # Private key of that CA. Anyone holding it can issue certificates
  # that clients trusting this CA will accept, so keep .secrets/ out of
  # version control and readable only by the deploying user.
  ca.key:
    file: .secrets/ca.key