leg100/squid
Squid caching proxy with SSL bumping enabled

This repo provides a Dockerfile for running Squid in a docker container. It configures Squid to use SSL bumping, a technique that permits Squid, among other things, to cache content for HTTPS sites. Without SSL bumping, Squid simply forwards connections without caching the content.

Quickstart

Run the container, mounting the certs directory accordingly:

docker run -t -p 3128:3128 -v $PWD/certs:/etc/squid/certs leg100/squid

This runs the container in the foreground, listening on port 3128. It also generates a self-signed certificate and key in ./certs.

To test it is caching content, make requests in another terminal:

curl --cacert certs/cert.pem -x localhost:3128 https://news.ycombinator.com

If you make more than one request you should see the Squid logs report a cache hit the second time onwards:

1675241713.717     34 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241714.546    828 172.17.0.1 TCP_MISS/200 37150 GET https://news.ycombinator.com/ - HIER_DIRECT/209.216.230.240 text/html
1675241716.195     13 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241716.195      0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
1675241717.876     11 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241717.877      0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
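The log excerpt above is in Squid's native access.log format: timestamp, elapsed milliseconds, client address, result code/HTTP status, bytes, method, URL, and so on. The GET lines carrying full https:// URLs exist only because the connection was bumped; without bumping, Squid would log nothing but the CONNECT tunnel lines, so the log now records decrypted request URLs and should be protected like any other sensitive log. As an added example that is not part of the repository, the script below summarises such lines with awk so you can confirm caching is working without reading the log by eye. It assumes the native log format shown above and uses the lines from that excerpt as its sample input.

```shell
#!/bin/sh
# Added example, not part of leg100/squid: summarise Squid native access.log lines
# to confirm that bumped HTTPS responses are being served from cache.
# Native format fields used here:
#   $1 timestamp  $2 elapsed_ms  $3 client  $4 result/status  $5 bytes  $6 method  $7 url
# Sample input: the lines from the README's log excerpt.
SAMPLE_LOG='1675241713.717     34 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241714.546    828 172.17.0.1 TCP_MISS/200 37150 GET https://news.ycombinator.com/ - HIER_DIRECT/209.216.230.240 text/html
1675241716.195     13 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241716.195      0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
1675241717.876     11 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241717.877      0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html'

# Count GET requests per Squid result code (the part of field 4 before the slash).
# CONNECT lines are the tunnel setup and never carry cacheable content, so they
# are skipped. Reads log lines on stdin, prints "CODE COUNT" lines sorted by code.
cache_counts() {
    awk '$6 == "GET" { split($4, rc, "/"); n[rc[1]]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Percentage of GET requests whose result code contains "HIT" (TCP_HIT,
# TCP_MEM_HIT, ...). Refresh and miss codes count as misses. Prints an integer.
hit_ratio() {
    awk '$6 == "GET" { total++; if ($4 ~ /HIT/) hits++ }
         END { if (total == 0) print 0; else print int(100 * hits / total) }'
}

# Stand-alone demo over the sample; for a live container pipe in
# `docker logs <container>` or the mounted access.log instead.
printf '%s\n' "$SAMPLE_LOG" | cache_counts
printf 'hit ratio: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | hit_ratio)"
```

Over the sample this reports one TCP_MISS and two TCP_MEM_HIT GET requests, a 66% hit ratio. A ratio that stays at 0 across repeated requests usually means bumping is not in effect (only CONNECT lines are being logged) or the origin's Cache-Control headers forbid caching.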

Provide own certificate authority

To provide your own certificate authority, simply place the certificate and key in the mounted volume before starting the container.

For example, if you wanted to generate your own self-signed cert:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout key.pem -out cert.pem -subj "/CN=localhost"

Then copy the certificate and key into a directory:

mkdir certs
cp cert.pem key.pem certs/

And run squid as before:

docker run -t -p 3128:3128 -v $PWD/certs:/etc/squid/certs leg100/squid

The start script will detect that a certificate and key are already present.

Instruct clients to trust proxy

Above we had to tell curl explicitly to trust the certificate authority. To have curl and other software trust the proxy implicitly, add the certificate to your system's certificate trust store.

For example, on Ubuntu:

sudo cp cert.pem /usr/local/share/ca-certificates/squid.crt
sudo update-ca-certificates

You can then run curl without the --cacert flag:

curl -x localhost:3128 https://news.ycombinator.com
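The two preceding sections describe a procedure whose outcome is easy to get subtly wrong: a cert/key pair left in the volume that does not match, a certificate that is not actually a CA, or a copy into the trust store that never took effect. The script below is an added example, not the repository's own start script, that performs the checks implied by both sections: it reuses a usable pair found in the volume, generates one with the README's openssl parameters only when the volume is empty, refuses to overwrite a half-present or mismatched pair, and then reports whether the CA's SHA-256 fingerprint appears in the system bundle after update-ca-certificates. Assumed names: CERT_DIR defaults to the ./certs mount used in the README, SYSTEM_BUNDLE to Ubuntu's combined bundle path, and KEY_BITS to the README's 4096; all three are overridable via the environment. It relies on the stock openssl.cnf marking `req -x509` output as a CA and verifies that rather than assuming it.

```shell
#!/bin/sh
# Added example, not the leg100/squid start script. Assumed defaults below.
CERT_DIR="${CERT_DIR:-./certs}"
CERT="$CERT_DIR/cert.pem"
KEY="$CERT_DIR/key.pem"
KEY_BITS="${KEY_BITS:-4096}"
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Same invocation as the README; the stock openssl.cnf (x509_extensions = v3_ca)
# is what makes the result a CA certificate, which ca_is_valid checks afterwards.
generate_ca() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -newkey "rsa:$KEY_BITS" -sha256 -days 3650 -nodes \
        -keyout "$KEY" -out "$CERT" -subj "/CN=localhost" >/dev/null 2>&1 || return 1
    # This key can sign a certificate for any hostname that bumped clients will
    # accept, so it must not be world-readable.
    chmod 600 "$KEY"
}

# A usable pair: both files exist, the cert is a CA, and the key matches the cert.
ca_is_valid() {
    [ -f "$CERT" ] && [ -f "$KEY" ] || return 1
    openssl x509 -in "$CERT" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    [ "$(openssl x509 -in "$CERT" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" ]
}

# What the start script's detection step amounts to: keep a working pair, create
# one when the volume is empty, and never silently replace a broken one.
ensure_ca() {
    if ca_is_valid; then
        echo "using existing CA in $CERT_DIR"
        return 0
    fi
    if [ -e "$CERT" ] || [ -e "$KEY" ]; then
        echo "cert/key in $CERT_DIR present but unusable; not overwriting" >&2
        return 1
    fi
    generate_ca && ca_is_valid && echo "generated new CA in $CERT_DIR"
}

# SHA-256 fingerprint of a certificate file (defaults to our CA).
ca_fingerprint() {
    openssl x509 -in "${1:-$CERT}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Walk a PEM bundle certificate by certificate and succeed if one of them has
# the same fingerprint as our CA. Confirms the install and, later, the removal.
ca_in_bundle() {
    bundle="${1:-$SYSTEM_BUNDLE}"
    [ -r "$bundle" ] || return 1
    want=$(ca_fingerprint "$CERT")
    pem=""
    while IFS= read -r line; do
        pem="$pem$line
"
        case $line in
            *END\ CERTIFICATE*)
                got=$(printf '%s' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
                [ -n "$got" ] && [ "$got" = "$want" ] && return 0
                pem=""
                ;;
        esac
    done < "$bundle"
    return 1
}

# Stand-alone run: prepare the volume, then report trust-store status.
if command -v openssl >/dev/null 2>&1; then
    if ensure_ca; then
        echo "CA fingerprint: $(ca_fingerprint)"
        if ca_in_bundle; then
            echo "CA is present in $SYSTEM_BUNDLE"
        else
            echo "CA is not (yet) trusted system-wide"
        fi
    fi
else
    echo "openssl not found; skipping" >&2
fi
```

Run it before `docker run` to prepare ./certs, and again after `update-ca-certificates` to confirm the bundle picked the certificate up; the same check after removing the file and re-running update-ca-certificates confirms the CA is gone, which matters because every TLS client on the machine accepts whatever that key signs for as long as it stays in the bundle.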
