This repo provides a Dockerfile for running Squid in a docker container. It configures Squid to use SSL bumping, a technique that permits Squid, among other things, to cache content for HTTPS sites: Squid terminates the client's TLS connection with a certificate it generates on the fly, opens its own TLS connection to the origin, and so sees the plaintext it needs to cache. Without SSL bumping, Squid simply tunnels the CONNECT request and forwards the encrypted bytes without caching the content. Because bumping is a man-in-the-middle by design, clients must trust the CA certificate Squid signs with; the rest of this README shows how to point curl at that CA or install it in the system trust store.
Run the container, mounting the certs directory accordingly:
docker run -t -p 3128:3128 -v $PWD/certs:/etc/squid/certs leg100/squid
This runs the container in the foreground, listening on port 3128. If the mounted directory holds no certificate, it also generates a self-signed certificate and key in ./certs; this pair is the CA Squid uses to sign the per-site certificates it presents to clients. Keep key.pem private: anyone holding it can impersonate any HTTPS site to a client that trusts cert.pem.
To test it is caching content, make requests in another terminal:
curl --cacert certs/cert.pem -x localhost:3128 https://news.ycombinator.com
If you make more than one request you should see the Squid logs report a cache hit (TCP_MEM_HIT) for the GET from the second request onwards. The NONE_NONE CONNECT lines are the per-request tunnels that Squid bumps; only the decrypted GET inside each tunnel is cacheable:
1675241713.717 34 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241714.546 828 172.17.0.1 TCP_MISS/200 37150 GET https://news.ycombinator.com/ - HIER_DIRECT/209.216.230.240 text/html
1675241716.195 13 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241716.195 0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
1675241717.876 11 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241717.877 0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
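Checking for hits by eye works for a handful of lines; for a smoke test after deployment you want the log summarised. The following is an added example, not part of the leg100/squid image: it tallies Squid's native access.log by result code and fails unless a given URL was served from cache at least once. The sample log is the six lines above plus one constructed uncached request; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the leg100/squid image): summarise Squid's native
# access.log by result code, and fail unless a given URL was served from cache.
# Reads log lines on stdin; field 4 is RESULT_CODE/STATUS, 6 the method, 7 the URL.

squid_cache_summary() {
    awk '
        # CONNECT lines are the tunnels Squid bumps; they are never cache hits.
        $6 == "CONNECT" { connect++; next }
        {
            split($4, rc, "/")
            if (rc[1] ~ /HIT/)       hit++     # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            else if (rc[1] ~ /MISS/) miss++    # TCP_MISS, TCP_REFRESH_MISS, ...
            else                     other++
        }
        END { printf "connect=%d hit=%d miss=%d other=%d\n", connect, hit, miss, other }
    '
}

# squid_assert_cached URL: exit 0 if at least one non-CONNECT request for URL
# was served from cache, 1 otherwise (suitable for a post-deployment smoke test).
squid_assert_cached() {
    awk -v url="$1" '$6 != "CONNECT" && $7 == url && $4 ~ /HIT\// { found = 1 }
                     END { exit found ? 0 : 1 }'
}

# Constructed sample: the six lines shown above, plus one request that was not cached.
SAMPLE_LOG='1675241713.717 34 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241714.546 828 172.17.0.1 TCP_MISS/200 37150 GET https://news.ycombinator.com/ - HIER_DIRECT/209.216.230.240 text/html
1675241716.195 13 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241716.195 0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
1675241717.876 11 172.17.0.1 NONE_NONE/200 0 CONNECT news.ycombinator.com:443 - HIER_NONE/- -
1675241717.877 0 172.17.0.1 TCP_MEM_HIT/200 37156 GET https://news.ycombinator.com/ - HIER_NONE/- text/html
1675241720.001 412 172.17.0.1 TCP_MISS/200 5120 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html'

# Run against the sample; against a live container, pipe its log output instead.
printf '%s\n' "$SAMPLE_LOG" | squid_cache_summary
```

For the sample the summary is connect=3 hit=2 miss=2 other=0; squid_assert_cached succeeds for https://news.ycombinator.com/ and fails for https://example.com/, which only ever missed.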
To provide your own certificate authority, simply place the certificate and key in the mounted volume, as cert.pem and key.pem, before starting the container. The certificate must be usable as a CA (basicConstraints CA:TRUE), since Squid signs a certificate for every bumped site with it and clients reject a site certificate issued by a non-CA.
For example, if you wanted to generate your own self-signed cert (with the stock openssl.cnf, or OpenSSL 3.x, req -x509 marks the result as a CA; check the basicConstraints extension if you use a custom config):
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout key.pem -out cert.pem -subj "/CN=localhost"
Then copy the certificate and key into a directory:
mkdir certs
cp cert.pem key.pem certs/
And run squid as before:
docker run -t -p 3128:3128 -v $PWD/certs:/etc/squid/certs leg100/squid
The start script will detect that a certificate and key are already present.
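The bare openssl line above leaves the CA extensions and the key's file mode to defaults, and the start script only checks that the files exist, not that they belong together. The script below is an added example, not the image's own start script: it generates the CA with explicit basicConstraints and keyUsage from a private config (so the result does not depend on the system openssl.cnf), creates the key as mode 0600, and verifies the pair before you mount it. It assumes OpenSSL 1.1.1 or later; the function names, config section names and the default subject are this example's choices.

```shell
#!/bin/sh
# Added example, not the image's own start script: create a CA for SSL bumping
# with explicit CA extensions and a private key readable only by its owner,
# then check the pair before mounting it into the container.
# Assumes OpenSSL 1.1.1 or later; function names, the config section names and
# the default subject are this example's own choices.

# make_bump_ca DIR [CN]: writes DIR/cert.pem and DIR/key.pem
make_bump_ca() {
    dir=$1
    cn=${2:-squid-bump-ca}
    mkdir -p "$dir"
    # A dedicated config so the extensions do not depend on the system openssl.cnf.
    # pathlen:0 means this CA may only sign end-entity (site) certificates,
    # which is all Squid's certificate generator needs.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask 077: the key is created 0600. Whoever holds it can mint a valid
    # certificate for any site to every client that trusts cert.pem.
    (
        umask 077
        openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
            -config "$dir/ca.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
            2>/dev/null
    )
    chmod 644 "$dir/cert.pem"
    rm -f "$dir/ca.cnf"
}

# check_bump_ca CERT KEY: return 0 if CERT is a CA certificate whose public key
# matches KEY and which will not expire within a day; otherwise explain and return 1.
check_bump_ca() {
    cert=$1
    key=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    case $text in
        *"CA:TRUE"*) ;;
        *) echo "$cert: basicConstraints is not CA:TRUE; clients will reject bumped certs" >&2; return 1 ;;
    esac
    case $text in
        *"Certificate Sign"*) ;;
        *) echo "$cert: keyUsage lacks keyCertSign" >&2; return 1 ;;
    esac
    # Compare the public key embedded in the cert with the one derived from the key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$cert and $key do not belong together" >&2; return 1; }
    # -checkend N fails if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "$cert expires within 24 hours" >&2; return 1; }
}

# Usage: sh make-ca.sh certs   (then run the container as above)
if [ -n "${1:-}" ]; then
    make_bump_ca "$1"
    check_bump_ca "$1/cert.pem" "$1/key.pem" && echo "CA ready in $1"
fi
```

check_bump_ca is also worth running against a cert.pem and key.pem you were handed from elsewhere: a mismatched pair or a certificate without CA:TRUE will start Squid fine but every bumped connection will fail on the client side.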
Above we needed to explicitly instruct curl, via --cacert, to trust the certificate authority. To have curl, and other software too, implicitly trust the proxy you'll need to add the certificate to your system's certificate trust store. Be aware what this grants: every TLS connection from a client that trusts this CA can be read and altered by whoever holds key.pem, so keep the key on the proxy host only and remove the CA from the store once you no longer need it. Software that ships its own trust store (Firefox, Java, Python packages that bundle certifi) will not pick it up from the system store and needs configuring separately.
For example, on Ubuntu (update-ca-certificates only picks up files under /usr/local/share/ca-certificates with a .crt extension, hence the rename):
sudo cp cert.pem /usr/local/share/ca-certificates/squid.crt
sudo update-ca-certificates
You can then run curl without the --cacert flag:
curl -x localhost:3128 https://news.ycombinator.com