Use OpenSSL package & Rootless image

.dockerignore

@@ -1,7 +1,4 @@
-.git
-circle.yml
-LICENSE
-VERSION
-README.md
-Changelog.md
-Makefile
+**
+!Dockerfile
+!entrypoint.sh
+!conf.d

Dockerfile

@@ -1,17 +1,23 @@
-FROM ubuntu:bionic-20190612
+FROM debian:bullseye-20210111-slim
 LABEL maintainer="[email protected]"
 
-ENV SQUID_VERSION=3.5.27 \
+ENV SQUID_VERSION=4.13-10 \
     SQUID_CACHE_DIR=/var/spool/squid \
-    SQUID_LOG_DIR=/var/log/squid \
     SQUID_USER=proxy
 
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y squid=${SQUID_VERSION}* \
+ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+   squid-openssl=${SQUID_VERSION}* \
+   ca-certificates \
  && rm -rf /var/lib/apt/lists/*
 
-COPY entrypoint.sh /sbin/entrypoint.sh
-RUN chmod 755 /sbin/entrypoint.sh
+RUN sed '/^#http_access allow localnet/s/^#//' -i /etc/squid/squid.conf \
+  && mkdir -p /var/run/squid \
+  && chown -R ${SQUID_USER}:${SQUID_USER} /var/run/squid
+
+COPY conf.d/ /etc/squid/conf.d/
+COPY entrypoint.sh /usr/sbin/entrypoint.sh
 
 EXPOSE 3128/tcp
-ENTRYPOINT ["/sbin/entrypoint.sh"]
+USER ${SQUID_USER}
+ENTRYPOINT ["/usr/sbin/entrypoint.sh"]

README.md

@@ -1,5 +1,6 @@
 [![Circle CI](https://circleci.com/gh/sameersbn/docker-squid.svg?style=shield)](https://circleci.com/gh/sameersbn/docker-squid) [![Docker Repository on Quay.io](https://quay.io/repository/sameersbn/squid/status "Docker Repository on Quay.io")](https://quay.io/repository/sameersbn/squid)
 
+<!-- omit in toc -->
 # sameersbn/squid:3.5.27-2
 
 - [Introduction](#introduction)
@@ -17,75 +18,73 @@
   - [Upgrading](#upgrading)
   - [Shell Access](#shell-access)
 
-# Introduction
+## Introduction
 
 `Dockerfile` to create a [Docker](https://www.docker.com/) container image for [Squid proxy server](http://www.squid-cache.org/).
 
 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
 
-## Contributing
+### Contributing
 
 If you find this image useful here's how you can help:
 
 - Send a pull request with your awesome features and bug fixes
 - Help users resolve their [issues](../../issues?q=is%3Aopen+is%3Aissue).
 - Support the development of this image with a [donation](http://www.damagehead.com/donate/)
 
-## Issues
+### Issues
 
-Before reporting your issue please try updating Docker to the latest version and check if it resolves the issue. Refer to the Docker [installation guide](https://docs.docker.com/installation) for instructions.
+Before reporting your issue please try updating Docker to the latest version and check if it resolves the issue. Refer to the Docker [installation guide](https://docs.docker.com/get-docker/) for instructions.
 
-SELinux users should try disabling SELinux using the command `setenforce 0` to see if it resolves the issue.
-
-If the above recommendations do not help then [report your issue](../../issues/new) along with the following information:
+If the above documentation does not help then [report your issue](../../issues/new) along with the following information:
 
 - Output of the `docker version` and `docker info` commands
 - The `docker run` command or `docker-compose.yml` used to start the image. Mask out the sensitive bits.
-- Please state if you are using [Boot2Docker](http://www.boot2docker.io), [VirtualBox](https://www.virtualbox.org), etc.
+- Please state if you are using [Docker Desktop](https://www.docker.com/products/docker-desktop), [VirtualBox](https://www.virtualbox.org), etc.
 
-# Getting started
+## Getting started
 
-## Installation
+### Installation
 
 Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/squid) and is the recommended method of installation.
 
 > **Note**: Builds are also available on [Quay.io](https://quay.io/repository/sameersbn/squid)
 
 ```bash
-docker pull sameersbn/squid:3.5.27-2
+docker pull sameersbn/squid:4.13-10
 ```
 
 Alternatively you can build the image yourself.
 
 ```bash
-docker build -t sameersbn/squid github.com/sameersbn/docker-squid
+docker build -t squid github.com/sameersbn/docker-squid
 ```
 
-## Quickstart
+### Quickstart
 
 Start Squid using:
 
 ```bash
 docker run --name squid -d --restart=always \
   --publish 3128:3128 \
   --volume /srv/docker/squid/cache:/var/spool/squid \
-  sameersbn/squid:3.5.27-2
+  sameersbn/squid:4.13-10
 ```
 
 *Alternatively, you can use the sample [docker-compose.yml](docker-compose.yml) file to start the container using [Docker Compose](https://docs.docker.com/compose/)*
 
-## Command-line arguments
+### Command-line arguments
 
 You can customize the launch command of the Squid server by specifying arguments to `squid` on the `docker run` command. For example the following command prints the help menu of `squid` command:
 
 ```bash
 docker run --name squid -it --rm \
   --publish 3128:3128 \
   --volume /srv/docker/squid/cache:/var/spool/squid \
-  sameersbn/squid:3.5.27-2 -h
+  sameersbn/squid:4.13-10 -h
 ```
 
-## Persistence
+### Persistence
 
 For the cache to preserve its state across container shutdown and startup you should mount a volume at `/var/spool/squid`.
 
@@ -98,7 +97,7 @@ mkdir -p /srv/docker/squid
 chcon -Rt svirt_sandbox_file_t /srv/docker/squid
 ```
 
-## Configuration
+### Configuration
 
 Squid is a full featured caching proxy server and a large number of configuration parameters. To configure Squid as per your requirements mount your custom configuration at `/etc/squid/squid.conf`.
 
@@ -107,7 +106,7 @@ docker run --name squid -d --restart=always \
   --publish 3128:3128 \
   --volume /path/to/squid.conf:/etc/squid/squid.conf \
   --volume /srv/docker/squid/cache:/var/spool/squid \
-  sameersbn/squid:3.5.27-2
+  sameersbn/squid:4.13-10
 ```
 
 To reload the Squid configuration on a running instance you can send the `HUP` signal to the container.
@@ -116,7 +115,26 @@ To reload the Squid configuration on a running instance you can send the `HUP` s
 docker kill -s HUP squid
 ```
 
-## Usage
+**IMPORTANT NOTE:** Some required configuration options are stored at `/etc/squid/conf.d` and need to be included in any custom config. These are needed so that the image can be run as a non root user.
+
+To make sure these options are loaded add the following line to the configuration.
+
+```squid.conf
+include /etc/squid/conf.d/*
+```
+
+Alternatively you can also add the required configuration options in your own config.
+
+```squid.conf
+pid_filename /var/run/squid/squid.pid
+
+logfile_rotate 0
+cache_log stdio:/dev/null
+access_log stdio:/dev/stdout
+cache_store_log stdio:/dev/stdout
+```
+
+### Usage
 
 Configure your web browser network/connection settings to use the proxy server which is available at `172.17.0.1:3128`
 
@@ -136,26 +154,27 @@ ENV http_proxy=http://172.17.0.1:3128 \
     ftp_proxy=http://172.17.0.1:3128
 ```
 
-## Logs
+### Logs
 
-To access the Squid logs, located at `/var/log/squid/`, you can use `docker exec`. For example, if you want to tail the access logs:
+The default configuration will log to stdout so the logs can be viewed via `docker logs`.
 
 ```bash
-docker exec -it squid tail -f /var/log/squid/access.log
+docker logs squid
 ```
 
-You can also mount a volume at `/var/log/squid/` so that the logs are directly accessible on the host.
+## Maintenance
 
-# Maintenance
+Using the `latest` tag is discouraged for any production or stable usage so using a specific version is recommended, for example `sameersbn/squid:4.13`.
+### Upgrading
 
-## Upgrading
+Example process for updating between versions. If you are running for example 4.13 and want to update to 4.14:
 
 To upgrade to newer releases:
 
   1. Download the updated Docker image:
 
   ```bash
-  docker pull sameersbn/squid:3.5.27-2
+  docker pull sameersbn/squid:4.13-10
   ```
 
   2. Stop the currently running image:
@@ -175,12 +194,12 @@ To upgrade to newer releases:
   ```bash
   docker run -name squid -d \
     [OPTIONS] \
-    sameersbn/squid:3.5.27-2
+    sameersbn/squid:4.14-10
   ```
 
-## Shell Access
+### Shell Access
 
-For debugging and maintenance purposes you may want access the containers shell. If you are using Docker version `1.3.0` or higher you can access a running containers shell by starting `bash` using `docker exec`:
+For debugging and maintenance purposes you may want access the containers shell. You can access a running containers shell by starting `bash` using `docker exec`:
 
 ```bash
 docker exec -it squid bash

VERSION

@@ -1 +1 @@
-3.5.27-2
+4.13-10

conf.d/docker.conf

@@ -0,0 +1,6 @@
+pid_filename /var/run/squid/squid.pid
+
+logfile_rotate 0
+cache_log stdio:/dev/null
+access_log stdio:/dev/stdout
+cache_store_log stdio:/dev/stdout

docker-compose.yml

@@ -1,5 +1,5 @@
 Squid:
-  image: sameersbn/squid:3.5.27-2
+  image: sameersbn/squid:4.13-10
   ports:
     - "3128:3128"
   volumes:

entrypoint.sh

@@ -1,20 +1,6 @@
 #!/bin/bash
 set -e
 
-create_log_dir() {
-  mkdir -p ${SQUID_LOG_DIR}
-  chmod -R 755 ${SQUID_LOG_DIR}
-  chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_LOG_DIR}
-}
-
-create_cache_dir() {
-  mkdir -p ${SQUID_CACHE_DIR}
-  chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_CACHE_DIR}
-}
-
-create_log_dir
-create_cache_dir
-
 # allow arguments to be passed to squid
 if [[ ${1:0:1} = '-' ]]; then
   EXTRA_ARGS="$@"
@@ -26,6 +12,10 @@ fi
 
 # default behaviour is to launch squid
 if [[ -z ${1} ]]; then
+  if [[ ! -d ${SQUID_CACHE_DIR}/ssl_db ]]; then
+    /usr/lib/squid/security_file_certgen -c -s ${SQUID_CACHE_DIR}/ssl_db -M 4MB
+    chown -R ${SQUID_USER}:${SQUID_USER} ${SQUID_CACHE_DIR}/ssl_db
+  fi
   if [[ ! -d ${SQUID_CACHE_DIR}/00 ]]; then
     echo "Initializing cache..."
     $(which squid) -N -f /etc/squid/squid.conf -z

kubernetes/config.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: squid-config
+  namespace: squid
+data:
+  squid.conf: "acl localnet src 10.0.0.0/8\t    # RFC1918 possible internal network\nacl
+    localnet src 172.16.0.0/12\t# RFC1918 possible internal network\nacl localnet
+    src 192.168.0.0/16\t# RFC1918 possible internal network\nacl localnet src fc00::/7
+    \      # RFC 4193 local private network range\nacl localnet src fe80::/10      #
+    RFC 4291 link-local (directly plugged) machines\n\nacl SSL_ports port 443\nacl
+    Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports
+    port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t#
+    wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port
+    280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port
+    591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method
+    CONNECT\n\n# Deny requests to certain unsafe ports\nhttp_access deny !Safe_ports\n\n#
+    Deny CONNECT to other than secure SSL ports\nhttp_access deny CONNECT !SSL_ports\n\n#
+    Only allow cachemgr access from localhost\nhttp_access allow localhost manager\nhttp_access
+    deny manager\n\n# We strongly recommend the following be uncommented to protect
+    innocent\n# web applications running on the proxy server who think the only\n#
+    one who can access services on \"localhost\" is a local user\nhttp_access deny
+    to_localhost\n\n# Example rule allowing access from your local networks.\n# Adapt
+    localnet in the ACL section to list your (internal) IP networks\n# from where
+    browsing should be allowed\nhttp_access allow localnet\nhttp_access allow localhost\n\n#
+    And finally deny all other access to this proxy\nhttp_access deny all\n\n# Squid
+    normally listens to port 3128\nhttp_port 3128\n\n# Uncomment and adjust the following
+    to add a disk cache directory.\ncache_dir ufs /var/spool/squid 100 16 256\n\n#
+    Leave coredumps in the first cache dir\ncoredump_dir /var/spool/squid\n\n\n# Add
+    any of your own refresh_pattern entries above these.\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern
+    ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (/cgi-bin/|\\?) 0\t0%\t0\nrefresh_pattern
+    (Release|Packages(.gz)*)$   0    20%  2880\nrefresh_pattern .\t\t0   20% 4320\n\n#
+    Include additional config files from conf.d\ninclude /etc/squid/conf.d/*\n"

kubernetes/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: squid
+  name: squid
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: squid
+  template:
+    metadata:
+      labels:
+        app: squid
+    spec:
+      containers:
+      - image: sameersbn/squid:4.13-10
+        imagePullPolicy: Always
+        name: squid
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 1000m
+            memory: 512Mi
+        volumeMounts:
+        - mountPath: /var/spool/squid
+          name: cache-volume
+        - mountPath: /etc/squid/certs
+          name: cert-volume
+        - mountPath: /etc/squid/squid.conf
+          name: config-volume
+          subPath: squid.conf
+      volumes:
+      - name: cache-volume
+        emptyDir: {}
+      - name: cert-volume
+        secret:
+          defaultMode: 420
+          secretName: squid-cert
+      - name: config-volume
+        configMap:
+          defaultMode: 320
+          name: squid-config

kubernetes/secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: squid-cert
+type: Opaque
+data: {}