From 951183b7da6575ef2b6ec525e8167795975661ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=B0alsteinn=20R=C3=BAnarsson?= Date: Thu, 14 Oct 2021 17:55:29 +0000 Subject: [PATCH 1/4] Switch to OpenSSL package & Rootless To use SSLBump features, switch to debian base image and install squid-openssl package instead. Updated image to run as proxy user instead of root. The entrypoint script has been updated acordingly. Entrypoint script also modified to initalize ssl_db in case SSLBump is used. Logging moved to stdout. Since the process is no longer started by root it enables logging to stdout without issue. Also added default allow rule for local networks. --- Dockerfile | 20 +++++++++++++------- VERSION | 2 +- conf.d/docker.conf | 6 ++++++ docker-compose.yml | 2 +- entrypoint.sh | 18 ++++-------------- 5 files changed, 25 insertions(+), 23 deletions(-) create mode 100644 conf.d/docker.conf diff --git a/Dockerfile b/Dockerfile index 1b6a562..46d6f62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,23 @@ -FROM ubuntu:bionic-20190612 +FROM debian:bullseye-20210111-slim LABEL maintainer="sameer@damagehead.com" -ENV SQUID_VERSION=3.5.27 \ +ENV SQUID_VERSION=4.13-10 \ SQUID_CACHE_DIR=/var/spool/squid \ - SQUID_LOG_DIR=/var/log/squid \ SQUID_USER=proxy RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y squid=${SQUID_VERSION}* \ + && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ + squid-openssl=${SQUID_VERSION}* \ + ca-certificates \ && rm -rf /var/lib/apt/lists/* -COPY entrypoint.sh /sbin/entrypoint.sh -RUN chmod 755 /sbin/entrypoint.sh +RUN sed '/^#http_access allow localnet/s/^#//' -i /etc/squid/squid.conf \ + && mkdir -p /var/run/squid \ + && chown -R ${SQUID_USER}:${SQUID_USER} /var/run/squid + +COPY conf.d/ /etc/squid/conf.d/ +COPY entrypoint.sh /usr/sbin/entrypoint.sh EXPOSE 3128/tcp -ENTRYPOINT ["/sbin/entrypoint.sh"] +USER ${SQUID_USER} +ENTRYPOINT ["/usr/sbin/entrypoint.sh"] 
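Review bot: The `sed` that uncomments `http_access allow localnet` enables the stock rule for every RFC1918 and link-local source in the Debian squid.conf, and whether a client of the published 3128 port falls inside those ranges depends on how Docker forwards it (through the userland proxy the source becomes the bridge gateway, which sits inside 172.16.0.0/12), so a host with a public address can end up serving an open proxy without the operator changing anything; the safer default is to leave the rule commented and have the README show how to enable it, or at least state the exposure in a comment next to `EXPOSE 3128/tcp`. The `sed` also succeeds silently if a later base image ships a squid.conf without the exact `#http_access allow localnet` line, so `grep -q '^#http_access allow localnet' /etc/squid/squid.conf && sed ...` would turn that drift into a build failure instead of a quietly different policy. `USER ${SQUID_USER}` switches by name, and Kubernetes' `runAsNonRoot` cannot verify a non-numeric image user and refuses to start such a container, so the `kubernetes/deployment.yaml` added later in this series would benefit from a numeric uid here (the name can stay for the `chown`). `ca-certificates` is installed unpinned next to a pinned `squid-openssl`; pinning it keeps the `apt-get install` layer reproducible.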
diff --git a/VERSION b/VERSION index 36daaac..c168f0f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.5.27-2 +4.13-10 diff --git a/conf.d/docker.conf b/conf.d/docker.conf new file mode 100644 index 0000000..bff7cb2 --- /dev/null +++ b/conf.d/docker.conf @@ -0,0 +1,6 @@ +pid_filename /var/run/squid/squid.pid + +logfile_rotate 0 +cache_log stdio:/dev/null +access_log stdio:/dev/stdout +cache_store_log stdio:/dev/stdout diff --git a/docker-compose.yml b/docker-compose.yml index fabba23..2556dc6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,5 @@ Squid: - image: sameersbn/squid:3.5.27-2 + image: sameersbn/squid:4.13-10 ports: - "3128:3128" volumes: diff --git a/entrypoint.sh b/entrypoint.sh index 7991227..525abbe 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,20 +1,6 @@ #!/bin/bash set -e -create_log_dir() { - mkdir -p ${SQUID_LOG_DIR} - chmod -R 755 ${SQUID_LOG_DIR} - chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_LOG_DIR} -} - -create_cache_dir() { - mkdir -p ${SQUID_CACHE_DIR} - chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_CACHE_DIR} -} - -create_log_dir -create_cache_dir - # allow arguments to be passed to squid if [[ ${1:0:1} = '-' ]]; then EXTRA_ARGS="$@" @@ -26,6 +12,10 @@ fi # default behaviour is to launch squid if [[ -z ${1} ]]; then + if [[ ! -d ${SQUID_CACHE_DIR}/ssl_db ]]; then + /usr/lib/squid/security_file_certgen -c -s ${SQUID_CACHE_DIR}/ssl_db -M 4MB + chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_CACHE_DIR}/ssl_db + fi if [[ ! -d ${SQUID_CACHE_DIR}/00 ]]; then echo "Initializing cache..." $(which squid) -N -f /etc/squid/squid.conf -z From bb9fd1c7a9744b07cc1e0845fcb48cbafc58ff6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=B0alsteinn=20R=C3=BAnarsson?= Date: Thu, 14 Oct 2021 17:58:47 +0000 Subject: [PATCH 2/4] Update README --- README.md | 79 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 59d8f86..c547bae 100644 
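Review bot: `cache_log stdio:/dev/null` throws away Squid's administrative log, which is where configuration parse errors, startup failures and TLS/certificate problems are reported, so a container that fails to serve shows nothing useful in `docker logs`; `cache_log stdio:/dev/stderr` keeps it off the access-log stream while still reaching the container logs (confirm that this Squid release accepts the `stdio:` form for `cache_log`, and use the plain device path otherwise). Routing `cache_store_log` to stdout interleaves store-transaction records with access-log lines on one stream, which complicates feeding the access log to a SIEM; `cache_store_log none` (upstream's default, as far as I recall) or stderr keeps stdout to the access log alone. `pid_filename /var/run/squid/squid.pid` only works because the Dockerfile in this commit creates and chowns that directory, which deserves a comment in this file, e.g. `# /var/run/squid is created and chowned to the proxy user in the Dockerfile`.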
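Review bot: `chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_CACHE_DIR}/ssl_db` is now executed by the `proxy` user the Dockerfile switches to, so on a directory that user just created it is a no-op and on anything else it fails under the script's `set -e`; it can simply be dropped. The regression this commit leaves behind is that `${SQUID_CACHE_DIR}` is the path the README and docker-compose.yml bind-mount from the host: a host directory is normally root-owned, and with the root-run `create_cache_dir` removed in the first hunk both `security_file_certgen -c` and the `squid -z` below will most likely fail with a permission error for the non-root user, so either document that the mounted directory must be writable by the image's `proxy` uid or keep a root-owned step that fixes ownership before privileges are dropped. The `security_file_certgen` step also runs whether or not the loaded configuration uses SSL-Bump; gating it on the presence of an `ssl_bump` directive (e.g. `grep -q '^ssl_bump' /etc/squid/squid.conf`) would avoid creating a 4MB certificate database on every fresh cache volume. The enclosing `if [[ -z ${1} ]]` block continues past the end of the hunk.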
--- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ [![Circle CI](https://circleci.com/gh/sameersbn/docker-squid.svg?style=shield)](https://circleci.com/gh/sameersbn/docker-squid) [![Docker Repository on Quay.io](https://quay.io/repository/sameersbn/squid/status "Docker Repository on Quay.io")](https://quay.io/repository/sameersbn/squid) + # sameersbn/squid:3.5.27-2 - [Introduction](#introduction) @@ -17,13 +18,13 @@ - [Upgrading](#upgrading) - [Shell Access](#shell-access) -# Introduction +## Introduction `Dockerfile` to create a [Docker](https://www.docker.com/) container image for [Squid proxy server](http://www.squid-cache.org/). Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. -## Contributing +### Contributing If you find this image useful here's how you can help: 
@@ -31,37 +32,35 @@ If you find this image useful here's how you can help: - Help users resolve their [issues](../../issues?q=is%3Aopen+is%3Aissue). - Support the development of this image with a [donation](http://www.damagehead.com/donate/) -## Issues +### Issues -Before reporting your issue please try updating Docker to the latest version and check if it resolves the issue. Refer to the Docker [installation guide](https://docs.docker.com/installation) for instructions. +Before reporting your issue please try updating Docker to the latest version and check if it resolves the issue. Refer to the Docker [installation guide](https://docs.docker.com/get-docker/) for instructions. -SELinux users should try disabling SELinux using the command `setenforce 0` to see if it resolves the issue. - -If the above recommendations do not help then [report your issue](../../issues/new) along with the following information: +If the above documentation does not help then [report your issue](../../issues/new) along with the following information: - Output of the `docker version` and `docker info` commands - The `docker run` command or `docker-compose.yml` used to start the image. Mask out the sensitive bits. -- Please state if you are using [Boot2Docker](http://www.boot2docker.io), [VirtualBox](https://www.virtualbox.org), etc. +- Please state if you are using [Docker Desktop](https://www.docker.com/products/docker-desktop), [VirtualBox](https://www.virtualbox.org), etc. -# Getting started +## Getting started -## Installation +### Installation Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/squid) and is the recommended method of installation. > **Note**: Builds are also available on [Quay.io](https://quay.io/repository/sameersbn/squid) ```bash -docker pull sameersbn/squid:3.5.27-2 +docker pull sameersbn/squid:4.13-10 ``` Alternatively you can build the image yourself. 
```bash -docker build -t sameersbn/squid github.com/sameersbn/docker-squid +docker build -t squid github.com/sameersbn/docker-squid ``` -## Quickstart +### Quickstart Start Squid using: @@ -69,12 +68,12 @@ Start Squid using: docker run --name squid -d --restart=always \ --publish 3128:3128 \ --volume /srv/docker/squid/cache:/var/spool/squid \ - sameersbn/squid:3.5.27-2 + sameersbn/squid:4.13-10 ``` *Alternatively, you can use the sample [docker-compose.yml](docker-compose.yml) file to start the container using [Docker Compose](https://docs.docker.com/compose/)* -## Command-line arguments +### Command-line arguments You can customize the launch command of the Squid server by specifying arguments to `squid` on the `docker run` command. For example the following command prints the help menu of `squid` command: @@ -82,10 +81,10 @@ You can customize the launch command of the Squid server by specifying arguments docker run --name squid -it --rm \ --publish 3128:3128 \ --volume /srv/docker/squid/cache:/var/spool/squid \ - sameersbn/squid:3.5.27-2 -h + sameersbn/squid:4.13-10 -h ``` -## Persistence +### Persistence For the cache to preserve its state across container shutdown and startup you should mount a volume at `/var/spool/squid`. @@ -98,7 +97,7 @@ mkdir -p /srv/docker/squid chcon -Rt svirt_sandbox_file_t /srv/docker/squid ``` -## Configuration +### Configuration Squid is a full featured caching proxy server and a large number of configuration parameters. To configure Squid as per your requirements mount your custom configuration at `/etc/squid/squid.conf`. @@ -107,7 +106,7 @@ docker run --name squid -d --restart=always \ --publish 3128:3128 \ --volume /path/to/squid.conf:/etc/squid/squid.conf \ --volume /srv/docker/squid/cache:/var/spool/squid \ - sameersbn/squid:3.5.27-2 + sameersbn/squid:4.13-10 ``` To reload the Squid configuration on a running instance you can send the `HUP` signal to the container. 
@@ -116,7 +115,26 @@ To reload the Squid configuration on a running instance you can send the `HUP` s docker kill -s HUP squid ``` -## Usage +**IMPORTANT NOTE:** Some required configuration options are stored at `/etc/squid/conf.d` and need to be included in any custom config. These are needed so that the image can be run as a non root user. + +To make sure these options are loaded add the following line to the configuration. + +```squid.conf +include /etc/squid/conf.d/* +``` + +Alternatively you can also add the required configuration options in your own config. + +```squid.conf +pid_filename /var/run/squid/squid.pid + +logfile_rotate 0 +cache_log stdio:/dev/null +access_log stdio:/dev/stdout +cache_store_log stdio:/dev/stdout +``` + +### Usage Configure your web browser network/connection settings to use the proxy server which is available at `172.17.0.1:3128` @@ -136,26 +154,27 @@ ENV http_proxy=http://172.17.0.1:3128 \ ftp_proxy=http://172.17.0.1:3128 ``` -## Logs +### Logs -To access the Squid logs, located at `/var/log/squid/`, you can use `docker exec`. For example, if you want to tail the access logs: +The default configuration will log to stdout so the logs can be viewed via `docker logs`. ```bash -docker exec -it squid tail -f /var/log/squid/access.log +docker logs squid ``` -You can also mount a volume at `/var/log/squid/` so that the logs are directly accessible on the host. +## Maintenance -# Maintenance +Using the `latest` tag is discouraged for any production or stable usage so using a specific version is recommended, for example `sameersbn/squid:4.13`. +### Upgrading -## Upgrading +Example process for updating between versions. If you are running for example 4.13 and want to update to 4.14: To upgrade to newer releases: 1. Download the updated Docker image: ```bash - docker pull sameersbn/squid:3.5.27-2 + docker pull sameersbn/squid:4.13-10 ``` 2. Stop the currently running image: 
@@ -175,12 +194,12 @@ To upgrade to newer releases: ```bash docker run -name squid -d \ [OPTIONS] \ - sameersbn/squid:3.5.27-2 + sameersbn/squid:4.14-10 ``` -## Shell Access +### Shell Access -For debugging and maintenance purposes you may want access the containers shell. If you are using Docker version `1.3.0` or higher you can access a running containers shell by starting `bash` using `docker exec`: +For debugging and maintenance purposes you may want access the containers shell. You can access a running containers shell by starting `bash` using `docker exec`: ```bash docker exec -it squid bash From 39e097539a67ed0b7059fa025fdaff36d17c899a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=B0alsteinn=20R=C3=BAnarsson?= Date: Thu, 14 Oct 2021 17:59:01 +0000 Subject: [PATCH 3/4] Update .dockerignore --- .dockerignore | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.dockerignore b/.dockerignore index 810979f..5cad9ff 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,7 +1,4 @@ -.git -circle.yml -LICENSE -VERSION -README.md -Changelog.md -Makefile +** +!Dockerfile +!entrypoint.sh +!conf.d From cd89c83ea5ec48c3db0f3b02160fdfde2e6c3819 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?A=C3=B0alsteinn=20R=C3=BAnarsson?=
Date: Thu, 14 Oct 2021 18:00:01 +0000
Subject: [PATCH 4/4] Update kuberntes deployment
Changed from standalone pod to Deployment. Also added the possibility to supply config and certificates via configMap and secret.
---
 kubernetes/config.yaml | 33 +++++++++++++++++++++++++++
 kubernetes/deployment.yaml | 46 ++++++++++++++++++++++++++++++++++++++
 kubernetes/pod.yml | 19 ----------------
 kubernetes/secret.yaml | 6 +++++
 kubernetes/service.yaml | 14 ++++++++++++
 kubernetes/service.yml | 14 ------------
 6 files changed, 99 insertions(+), 33 deletions(-)
 create mode 100644 kubernetes/config.yaml
 create mode 100644 kubernetes/deployment.yaml
 delete mode 100644 kubernetes/pod.yml
 create mode 100644 kubernetes/secret.yaml
 create mode 100644 kubernetes/service.yaml
 delete mode 100644 kubernetes/service.yml
diff --git a/kubernetes/config.yaml b/kubernetes/config.yaml
new file mode 100644
index 0000000..7abd17e
--- /dev/null
+++ b/kubernetes/config.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: squid-config
+ namespace: squid
+data:
+ squid.conf: "acl localnet src 10.0.0.0/8\t # RFC1918 possible internal network\nacl
+ localnet src 172.16.0.0/12\t# RFC1918 possible internal network\nacl localnet
+ src 192.168.0.0/16\t# RFC1918 possible internal network\nacl localnet src fc00::/7
+ \ # RFC 4193 local private network range\nacl localnet src fe80::/10 #
+ RFC 4291 link-local (directly plugged) machines\n\nacl SSL_ports port 443\nacl
+ Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports
+ port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t#
+ wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port
+ 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port
+ 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method
+ CONNECT\n\n# Deny requests to certain unsafe ports\nhttp_access deny !Safe_ports\n\n#
+ Deny CONNECT to other than secure SSL ports\nhttp_access deny CONNECT !SSL_ports\n\n#
+ Only allow cachemgr access from localhost\nhttp_access allow localhost manager\nhttp_access
+ deny manager\n\n# We strongly recommend the following be uncommented to protect
+ innocent\n# web applications running on the proxy server who think the only\n#
+ one who can access services on \"localhost\" is a local user\nhttp_access deny
+ to_localhost\n\n# Example rule allowing access from your local networks.\n# Adapt
+ localnet in the ACL section to list your (internal) IP networks\n# from where
+ browsing should be allowed\nhttp_access allow localnet\nhttp_access allow localhost\n\n#
+ And finally deny all other access to this proxy\nhttp_access deny all\n\n# Squid
+ normally listens to port 3128\nhttp_port 3128\n\n# Uncomment and adjust the following
+ to add a disk cache directory.\ncache_dir ufs /var/spool/squid 100 16 256\n\n#
+ Leave coredumps in the first cache 
dir\ncoredump_dir /var/spool/squid\n\n\n# Add
+ any of your own refresh_pattern entries above these.\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern
+ ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (/cgi-bin/|\\?) 0\t0%\t0\nrefresh_pattern
+ (Release|Packages(.gz)*)$ 0 20% 2880\nrefresh_pattern .\t\t0 20% 4320\n\n#
+ Include additional config files from conf.d\ninclude /etc/squid/conf.d/*\n"
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
new file mode 100644
index 0000000..b35fb37
--- /dev/null
+++ b/kubernetes/deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: squid
+ name: squid
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: squid
+ template:
+ metadata:
+ labels:
+ app: squid
+ spec:
+ containers:
+ - image: sameersbn/squid:4.13-10
+ imagePullPolicy: Always
+ name: squid
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ volumeMounts:
+ - mountPath: /var/spool/squid
+ name: cache-volume
+ - mountPath: /etc/squid/certs
+ name: cert-volume
+ - mountPath: /etc/squid/squid.conf
+ name: config-volume
+ subPath: squid.conf
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: cert-volume
+ secret:
+ defaultMode: 420
+ secretName: squid-cert
+ - name: config-volume
+ configMap:
+ defaultMode: 320
+ name: squid-config
diff --git a/kubernetes/pod.yml b/kubernetes/pod.yml
deleted file mode 100644
index 58a7e0c..0000000
--- a/kubernetes/pod.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- - name: squid
- - labels:
- - name: squid
-spec:
- - containers:
- - - name: squid
- - image: sameersbn/squid:3.5.27-2
- - ports:
- - - containerPort: 3128
- - protocol: TCP
- - volumeMounts:
- - - mountPath: /var/spool/squid
- - name: data
- - volumes:
- - - name: data
- - emptyDir: {}
diff --git a/kubernetes/secret.yaml b/kubernetes/secret.yaml
new file mode 100644
index 0000000..692bc72
--- /dev/null
+++ b/kubernetes/secret.yaml
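Review bot: `namespace: squid` is set on this ConfigMap but on none of `kubernetes/deployment.yaml`, `kubernetes/secret.yaml` or `kubernetes/service.yaml` added in the same commit, so a plain `kubectl apply -f kubernetes/` places the config in `squid` and the Deployment in the context's current namespace, where the `squid-config` volume cannot be resolved and the pod never becomes ready; either drop the line or add it to all four manifests. Storing squid.conf as a folded double-quoted scalar full of `\n` and `\t` escapes makes the access policy practically unreviewable in a diff; a literal block scalar (`squid.conf: |`) carries the same bytes with one config line per YAML line. The embedded policy keeps the stock `http_access allow localnet` over all RFC1918 ranges, which on a cluster pod network means every pod and node can use the proxy; a comment recording that this is the intended trust boundary, or an `acl localnet src <pod-CIDR>` (placeholder) narrowed to the expected clients, would make that decision explicit.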
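Review bot: `defaultMode: 320` on `config-volume` is octal 0500, and files projected from a ConfigMap are root-owned unless `securityContext.fsGroup` is set (nothing in this spec sets it), so the `proxy` user the image now runs as cannot open `/etc/squid/squid.conf` and Squid will not start; `defaultMode: 292` (0444) is sufficient for a config file, while the `cert-volume` Secret at `defaultMode: 420` (0644) should go the other way, towards `256` (0400), once ownership is settled so key material is readable only by its owner. The spec also carries no `securityContext` although the point of this series is a rootless image — `runAsNonRoot`, `allowPrivilegeEscalation: false` and dropping all capabilities let the cluster enforce what the Dockerfile's `USER` merely sets, with the caveat that `runAsNonRoot` needs a numeric user, either `runAsUser` here or a numeric `USER` in the image. The container declares no `ports` and no readiness or liveness probe, so a wedged Squid keeps receiving Service traffic; a TCP probe on 3128 is cheap. A rewrite of the pod template's `spec` section follows.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 13   # constructed: uid of Debian's `proxy` user — confirm against the image
        fsGroup: 13     # constructed: gid of `proxy`, so projected ConfigMap/Secret files are group-readable — confirm
      containers:
      - image: sameersbn/squid:4.13-10
        # … unchanged: imagePullPolicy, name, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        ports:
        - containerPort: 3128
          protocol: TCP
        readinessProbe:
          tcpSocket:
            port: 3128
          periodSeconds: 10
        # … unchanged: volumeMounts …
      # … unchanged: volumes (set config-volume defaultMode to 292) …
```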
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: squid-cert
+type: Opaque
+data: {}
diff --git a/kubernetes/service.yaml b/kubernetes/service.yaml
new file mode 100644
index 0000000..c2ef5a1
--- /dev/null
+++ b/kubernetes/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: squid
+ name: squid
+spec:
+ ports:
+ - port: 3128
+ targetPort: 3128
+ protocol: TCP
+ name: squid-http
+ selector:
+ app: squid
diff --git a/kubernetes/service.yml b/kubernetes/service.yml
deleted file mode 100644
index 01ccf5d..0000000
--- a/kubernetes/service.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- - name: squid
- - labels:
- - name: squid
-spec:
- - type: LoadBalancer
- - ports:
- - - port: 3128
- - targetPort: 3128
- - protocol: TCP
- - selector:
- - name: squid
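Review bot: `kubernetes/secret.yaml` is an empty `Opaque` Secret with `data: {}` that the Deployment's `cert-volume` mounts at `/etc/squid/certs` (the commit message says it carries the certificates), and a Secret manifest checked into the repository is exactly the file someone fills in and commits by accident; a header comment such as `# Placeholder only — create the real object out of band, e.g. kubectl create secret tls squid-cert --cert=<cert-file> --key=<key-file>` would make the intent clear, and a `kubernetes.io/tls` Secret gives the mounted files the conventional `tls.crt`/`tls.key` names for squid.conf to reference. As written, nothing in the series tells the reader which key names the proxy configuration expects to find in the mounted directory, so that comment should name them too.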