nuvious · nuvious · May 7, 2023 · May 7, 2023 · May 7, 2023
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 *.der
 *.pem
+squid.conf
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,18 @@
+FROM debian:bullseye-slim
+
+RUN apt-get update -y
+RUN apt-get install squid-common squidclient squid-openssl -y
+RUN /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 16MB
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+RUN mkdir -p /var/spool/squid/data
+
+
+RUN chown proxy:proxy -R /usr/lib/squid
+RUN chown proxy:proxy -R /var/spool/squid
+RUN chown proxy:proxy -R /etc/squid
+
+ENTRYPOINT [ "entrypoint.sh" ]
+
+CMD ["-f", "/etc/squid/squid.conf", "-NYC"]
diff --git a/README.md b/README.md
@@ -0,0 +1,55 @@
+# Squid HTTPS Proxy
+
+A quick recipe for making a squid https proxy for all or specific domains.
+
+**WARNING** This implementation is very basic and has an `allow all` clause instead of specific ports. This was done in testing and will be removed in later itterations. This is proof-of-concept code; please regard it as such.
+
+## Quick Start
+
+### Generate Certs
+
+Generate certificates using the provided helper script; you may want to modify
+it to your liking with respect to openssl parameters.
+
+```bash
+/bin/bash generate-certs.sh
+# Follow prompts
+```
+
+Now you need to import the `squid-ca-cert.der` into your trusted root
+certificate authority cache for your OS.
+
+### Create Configuration
+
+Copy one of the template configuration files to `squid.conf` in the root of the
+directory.
+
+ - `squid-all.conf` - ssl_bumps all traffic
+ - `squid-bump-select.conf` - ssl_bumps traffic as specified by cachelist.txt and splices the rest
+ - `squid-splice-select.conf` - ssl_bumps all traffic except domains specified by splicelist.txt
+
+ After selecting a configuration to work with, modify the appropriate domain list and consider editing the cache directory and max object size limits.
+
+
+ ### Launch With Docker
+
+ ```bash
+#!/bin/bash
+docker build -t squid-cache-https .
+docker run -it --rm \
+    -v $PWD/squid-ca-cert-key.pem:/etc/squid/certs/squid-ca-cert-key.pem \
+    -p 3128:3128 \
+    -v $PWD/squid.conf:/etc/squid/squid.conf \
+    -v /PATH/TO/CACHE/DIR:/var/spool/squid/data \
+    -v $PWD/cachelist.txt:/etc/squid/cachelist.txt \
+    -v $PWD/splicelist.txt:/etc/squid/splicelist.txt \
+    squid-cache-https
+ ```
+
+ ### Launch With Docker-Compose
+
+ Modify the `PATH_TO_CACHE_STORAGE` placeholder in the docker-compose.yml. Then launch:
+
+ ```bash
+docker-compose up -d
+```
diff --git a/cachelist.txt b/cachelist.txt
@@ -0,0 +1 @@
+.github.com
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,12 @@
+version: "3.3"
+services:
+  web:
+    build: .
+    ports:
+      - "3128:3128"
+    volumes:
+      - ./squid.conf:/etc/squid/squid.conf
+      - ./squid-ca-cert-key.pem:/etc/squid/certs/squid-ca-cert-key.pem
+      - PATH_TO_CACHE_STORAGE:/var/spool/squid/data
+      - ./cachelist.txt:/etc/squid/cachelist.txt
+      - ./splicelist.txt:/etc/squid/splicelist.txt
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,10 @@
+tail -F /var/log/squid/access.log &
+tail -F /var/log/squid/error.log &
+tail -F /var/log/squid/store.log &
+tail -F /var/log/squid/cache.log &
+
+# In the event the cache is on an NFS, CephFS, etc, ensure permissions are correct
+chown -R proxy:proxy /var/spool/squid/data
+
+/usr/sbin/squid -Nz
+/usr/sbin/squid "$@"
diff --git a/generate-certs.sh b/generate-certs.sh
@@ -0,0 +1,3 @@
+openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
+cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
+openssl x509 -in squid-ca-cert.pem -outform DER -out squid-ca-cert.der
diff --git a/run_test.sh b/run_test.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+docker build -t temp .
+docker run -it --rm \
+    -v $PWD/squid-ca-cert-key.pem:/etc/squid/certs/squid-ca-cert-key.pem \
+    -p 3128:3128 \
+    -v $PWD/squid.conf:/etc/squid/squid.conf \
+    -v /mnt/ceph/squid-cache:/var/spool/squid/data \
+    -v $PWD/whitelist.txt:/etc/squid/whitelist.txt \
+    temp
+
+# --entrypoint /bin/bash \
diff --git a/splicelist.txt b/splicelist.txt
@@ -0,0 +1 @@
+.github.com
diff --git a/squid-all.conf b/squid-all.conf
@@ -0,0 +1,19 @@
+http_access allow all
+http_access deny all
+
+# http/https proxy port
+http_port 3128 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem \
+    generate-host-certificates=on \
+    dynamic_cert_mem_cache_size=4MB
+
+coredump_dir /var/spool/squid
+cache_dir ufs /var/spool/squid/data 1024 16 256
+maximum_object_size 100 MB
+
+cache allow all
+
+sslcrtd_children 5
+
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
diff --git a/squid-bump-select.conf b/squid-bump-select.conf
@@ -0,0 +1,22 @@
+acl cachelist dstdomain '/etc/squid/cachelist.txt'
+
+http_access allow all
+http_access deny all
+
+# http/https proxy port
+http_port 3128 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem \
+    generate-host-certificates=on \
+    dynamic_cert_mem_cache_size=4MB
+
+coredump_dir /var/spool/squid
+cache_dir ufs /var/spool/squid/data 1024 16 256
+maximum_object_size 100 MB
+
+cache allow all
+
+sslcrtd_children 5
+
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump cachelist
+ssl_bump splice all
diff --git a/squid-splice-select.conf b/squid-splice-select.conf
@@ -0,0 +1,22 @@
+acl splicelist dstdomain '/etc/squid/splicelist.txt'
+
+http_access allow all
+http_access deny all
+
+# http/https proxy port
+http_port 3128 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem \
+    generate-host-certificates=on \
+    dynamic_cert_mem_cache_size=4MB
+
+coredump_dir /var/spool/squid
+cache_dir ufs /var/spool/squid/data 1024 16 256
+maximum_object_size 100 MB
+
+cache allow all
+
+sslcrtd_children 5
+
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump splice splicelist
+ssl_bump bump all