From 9898b4268e54d72a09ac62c9efbc75659dfd75af Mon Sep 17 00:00:00 2001
From: PThorpe92
Date: Tue, 14 Jan 2025 18:42:15 -0500
Subject: [PATCH] feat: add squid proxy dockerfile and config

---
config/entrypoint.sh | 4 +++
config/proxy.Dockerfile | 15 ++++++++
config/squid.conf | 65 ++++++++++++++++++++++++++++++++++
provider-middleware/Dockerfile | 3 +-
4 files changed, 85 insertions(+), 2 deletions(-)
create mode 100755 config/entrypoint.sh
create mode 100644 config/proxy.Dockerfile
create mode 100644 config/squid.conf

diff --git a/config/entrypoint.sh b/config/entrypoint.sh
new file mode 100755
index 00000000..79ee8944
--- /dev/null
+++ b/config/entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/ash
+/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+chown -R squid:squid /var/cache/squid/ssl_db /var/log/squid
+squid -NYCd 1 -f /etc/squid/squid.conf
diff --git a/config/proxy.Dockerfile b/config/proxy.Dockerfile
new file mode 100644
index 00000000..1907e88a
--- /dev/null
+++ b/config/proxy.Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:latest
+
+RUN apk add --no-cache \
+ squid \
+ gettext \
+ libressl \
+ ca-certificates && \
+ update-ca-certificates
+
+RUN mkdir -p /etc/squid/ssl_cert /var/cache/squid/ /var/spool/squid /var/log/squid/ && \
+ chown -R squid:squid /etc/squid/ssl_cert /var/cache/squid/ /var/log/squid/ /var/spool/squid
+
+EXPOSE 3128
+ENTRYPOINT ["entrypoint/entrypoint.sh"]
+CMD ["squid", "-NYCd", "1"]
diff --git a/config/squid.conf b/config/squid.conf
new file mode 100644
index 00000000..0dcce976
--- /dev/null
+++ b/config/squid.conf
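Review bot: The last line starts squid as a child of ash instead of replacing the shell, so ash is PID 1, `docker stop`'s SIGTERM is delivered to the shell rather than to squid, and the proxy is not shut down cleanly; it should be `exec squid -NYCd 1 -f /etc/squid/squid.conf`. There is also no `set -e`, so if `security_file_certgen -c` fails (as I recall it refuses to initialise an `ssl_db` directory that already exists, which will be the case on any restart with a persistent cache volume) or the `chown` fails, the script carries on and squid starts against a half-initialised cache; add `set -eu` after the shebang, or guard the certgen call with `[ -d /var/cache/squid/ssl_db ] ||` if re-initialising on restart is expected. Note as well that nothing here reads `"$@"`, so whatever the image's CMD passes is silently dropped — either document that with a comment or end the script with `exec "$@"` and pass the squid command line as CMD.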
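Review bot: `ENTRYPOINT ["entrypoint/entrypoint.sh"]` is a relative path, and nothing in this hunk copies `config/entrypoint.sh` or `config/squid.conf` into the image, so unless both are bind-mounted at a matching working directory the container cannot start; `COPY --chmod=0755 config/entrypoint.sh /usr/local/bin/entrypoint.sh`, `COPY config/squid.conf /etc/squid/squid.conf` and `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]` make the image self-contained and the behaviour reproducible. `FROM alpine:latest` is unpinned, so the squid build (and the SSL-bump behaviour the config depends on) can change between builds without any change to this repo — pin a tag or digest. The image never switches `USER` and the entrypoint runs `chown` as root, so whether proxy traffic is served as root depends entirely on squid dropping privileges itself; worth confirming against the packaged default for `cache_effective_user` and stating in a comment. The `CMD` line is dead as written because the entrypoint script ignores its arguments.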
@@ -0,0 +1,65 @@
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+cache_mem 64 MB
+maximum_object_size_in_memory 512 KB
+
+http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.key
+
+http_access deny !Safe_ports
+
+acl step1 at_step SslBump1
+
+acl ip_sni ssl::server_name_regex -i ^\d+\.\d+\.\d+\.\d+$
+
+acl no_sni ssl::server_name none
+
+acl https_ip_url url_regex -i ^https?://([0-9]{1,3}\.){3}[0-9]{1,3}
+acl ip_url url_regex -i ^([0-9]{1,3}\.){3}[0-9]{1,3}
+
+ssl_bump peek step1
+ssl_bump terminate ip_sni
+ssl_bump terminate no_sni
+ssl_bump splice all
+
+logfile_rotate 0
+
+http_access deny https_ip_url
+http_access deny ip_url
+http_access deny ip_sni
+http_access deny no_sni
+
+http_access allow localnet
+http_access allow localhost
+
+http_access deny all
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/cache/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
diff --git a/provider-middleware/Dockerfile b/provider-middleware/Dockerfile
index aeb2cae7..c034d51f 100644
--- a/provider-middleware/Dockerfile
+++ b/provider-middleware/Dockerfile
@@ -1,12 +1,11 @@
 ARG FFMPEG_VERSION=7.1
 ARG GOLANG_VERSION=1.23.2
 # TODO The following variable needs to be reworked as it does not work within a shell curl command maybe
-ARG YTDLP_VERSION=2024.12.23
 FROM mwader/static-ffmpeg:$FFMPEG_VERSION AS ffmpeg
 FROM golang:$GOLANG_VERSION AS yt-dlp
-RUN curl -L https://github.com/yt-dlp/yt-dlp/releases/download/2024.12.23/yt-dlp -o /yt-dlp && chmod a+x /yt-dlp
+RUN curl -L https://github.com/yt-dlp/yt-dlp/releases/download/2024.01.12/yt-dlp -o /yt-dlp && chmod a+x /yt-dlp
 FROM golang:$GOLANG_VERSION-alpine as builder
 WORKDIR /app
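Review bot: The access rules never restrict `CONNECT` by destination port: `http_access deny !Safe_ports` is the only port check and `Safe_ports` includes 21, 70, 210 and the whole 1025-65535 range, so any `localnet` client can tunnel raw TCP to nearly any port on any host through this proxy. The stock squid.conf pairs that line with `acl SSL_ports port 443` and `http_access deny CONNECT !SSL_ports` placed before the allow rules; both should be restored here (adding `acl CONNECT method CONNECT` if the built-in is not available in the packaged version). The `ip_sni` pattern `^\d+\.\d+\.\d+\.\d+$` relies on `\d`, which is not a POSIX extended-regex class and as far as I know is not honoured by Squid's regex engine, so that ACL (and the `ssl_bump terminate ip_sni` line that depends on it) most likely never matches; write it as `^([0-9]{1,3}\.){3}[0-9]{1,3}$` to mirror `ip_url`, and note that none of these patterns covers IPv6 literals. Also worth a comment: these rules only stop a client from naming an address directly — a hostname that resolves to an internal or link-local address still passes, so if this is meant as egress filtering a `dst` deny on those ranges is the stronger control.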
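Review bot: The tag on the new `RUN curl` line moves yt-dlp from 2024.12.23 to 2024.01.12, an eleven-month downgrade that looks like the month and day were transposed while inlining the removed `ARG`, and I could not confirm a release with that tag exists; if a downgrade is not intended the line should read `RUN curl -fL https://github.com/yt-dlp/yt-dlp/releases/download/2024.12.23/yt-dlp -o /yt-dlp && chmod a+x /yt-dlp`. Independently, `curl -L` without `-f` writes the HTML error body into `/yt-dlp` on a 404 and the following `chmod` makes it executable, so a bad tag only surfaces at runtime; `-f` makes it fail the build. Since this pulls an executable from a release URL at build time, pinning the expected digest (`echo '<sha256>  /yt-dlp' | sha256sum -c`) would turn the build into a reproducible, verifiable artifact rather than trusting whatever the URL serves that day. The Dockerfile continues past this hunk.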