gevulotnetwork/squid-openssl

Squid container image with OpenSSL support for caching forward proxy

squid-openssl

This repository contains the sources for a Squid v6.10 container image built with OpenSSL, which lets Squid cache both HTTP and HTTPS traffic.

The entrypoint script in this image does the following before starting Squid (paths are inside the container):

  • Looks for /etc/squid/ssl/squid.crt and generates a self-signed certificate if it is not present
  • Initializes the cache directory /var/spool/squid
  • Initializes the SSL certificate database in /var/spool/squid/ssl_db

Published images

Published on quay.io:

podman pull quay.io/gevulot/squid-openssl:latest

Building image

podman build -t squid-openssl .

Running Squid from this image with default configuration

Cache, logs and SSL certificates are stored on your system and mounted into the container. This allows you to restart Squid without losing stored cache entries.

  1. Create cache, log and SSL directories

    export SQUID_CACHE=$HOME/squid/cache SQUID_LOG=$HOME/squid/log SQUID_SSL=$HOME/squid/ssl
    mkdir -p $SQUID_CACHE $SQUID_LOG $SQUID_SSL
  2. Run container

    podman run \
        --detach \
        --name squid \
        --hostname squidproxy \
        --publish 3128:3128 \
        --userns keep-id:uid=65534,gid=65534 \
        --volume "$SQUID_CACHE":/var/spool/squid \
        --volume "$SQUID_LOG":/var/log/squid \
        --volume "$SQUID_SSL":/etc/squid/ssl \
        squid-openssl

    Note the --userns option. Squid runs as the nobody (65534) user inside the container; keep-id:uid=65534,gid=65534 maps your host user onto that uid/gid, which is required for Squid to write to the mounted directories (files it creates end up owned by you on the host). Note also that --publish 3128:3128 binds the port on all host interfaces; use --publish 127.0.0.1:3128:3128 if only local clients should be able to use the proxy.

  3. Verify Squid is running properly

    curl --show-headers --proxy http://localhost:3128 --insecure https://example.com

    Pay attention to the response headers. You should see the header

    Via: 1.1 squidproxy (squid/6.10)
    

    which means that result was successfully handled by Squid.

    On the first request you should also see the header

    Cache-Status: squidproxy;detail=mismatch
    

    If you re-run the cURL command, you should see

    Cache-Status: squidproxy;hit;detail=match
    

    The same proxy works for HTTP:

    curl --show-headers --proxy http://localhost:3128 http://example.com

Usage

Squid SSL certificate

As you probably noticed, we had to pass the --insecure option to cURL. This is because Squid performs a man-in-the-middle interception of TLS (SSL bumping): it terminates the client's TLS connection and presents a certificate for the requested site that it generated and signed with its own self-signed certificate, which your client does not trust.

That certificate is located at /etc/squid/ssl/squid.crt. To use Squid without disabling certificate verification you need to add it to the trusted certificates on your machine. Do this only on machines whose traffic you intend to route through this proxy, and keep the private key generated alongside it in $SQUID_SSL readable only by you: anyone holding that key can impersonate any HTTPS site to every client that trusts squid.crt.

How to do that depends on your system. E.g. on Ubuntu 24.04 (as root):

apt-get install ca-certificates
cp $SQUID_SSL/squid.crt /usr/local/share/ca-certificates
update-ca-certificates

Now you can verify that you no longer need the --insecure option:

curl --proxy http://localhost:3128 https://example.com
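The checks from step 3 of "Running Squid" and from this section, combined into one script. This is an added example, not a script from the gevulotnetwork/squid-openssl repository; it assumes the proxy is published on localhost:3128 (override with PROXY) and that $SQUID_SSL points at the directory holding squid.crt, as in the run instructions. classify_headers reads the response headers cURL prints and reports whether Squid handled the request (Via) and whether it was a cache hit (Cache-Status); verify_bump opens a CONNECT tunnel through the proxy, takes the certificate Squid presents for a host and verifies that it chains to squid.crt and is valid for that host. That is the check to run before you add squid.crt to a trust store: if it fails, the proxy is not presenting certificates issued by the certificate you are about to trust.

```bash
#!/usr/bin/env bash
# Added example, not part of the squid-openssl repository.
# Assumptions: the proxy is reachable at $PROXY (default localhost:3128 as in the
# README) and $SQUID_SSL holds the squid.crt the container generated.
set -eu

PROXY="${PROXY:-http://localhost:3128}"

# classify_headers: read an HTTP response header block on stdin and print
# "via=<yes|no> cache=<hit|miss|unknown>".
#   via=yes    a Via header naming squid is present, i.e. the proxy handled the request
#   cache=hit  Cache-Status carries the "hit" parameter (RFC 9211); any other
#              Cache-Status value is reported as "miss"
classify_headers() {
  tr -d '\r' | awk '
    BEGIN { via = "no"; cache = "unknown" }
    tolower($1) == "via:" && tolower($0) ~ /squid/ { via = "yes" }
    tolower($1) == "cache-status:" {
      cache = (tolower($0) ~ /;[ \t]*hit(;|$)/) ? "hit" : "miss"
    }
    END { printf "via=%s cache=%s\n", via, cache }'
}

# fetch_headers URL: response headers of a GET sent through the proxy, body discarded.
# --insecure is only needed until squid.crt is trusted by the client.
fetch_headers() {
  curl -sS --dump-header - --output /dev/null --proxy "$PROXY" --insecure "$1"
}

# proxy_hostport: the host:port form that "openssl s_client -proxy" expects
# ("http://localhost:3128/" -> "localhost:3128").
proxy_hostport() {
  h="${1#http://}"
  printf '%s\n' "${h%/}"
}

# verify_bump HOST: take the certificate Squid presents for HOST over a CONNECT
# tunnel and verify it against squid.crt, including the hostname. Prints
# "stdin: OK" on success; a non-zero exit means the certificate does not chain
# to the squid.crt you are about to trust.
verify_bump() {
  openssl s_client -proxy "$(proxy_hostport "$PROXY")" -connect "$1:443" \
      -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 \
    | openssl verify -CAfile "${SQUID_SSL:?set SQUID_SSL to the directory holding squid.crt}/squid.crt" \
        -verify_hostname "$1"
}

# Usage: ./check-proxy.sh https://example.com
if [ "$#" -gt 0 ]; then
  url="$1"
  host="${url#http://}"; host="${host#https://}"; host="${host%%/*}"
  echo "first request:  $(fetch_headers "$url" | classify_headers)"   # cache=miss expected
  echo "second request: $(fetch_headers "$url" | classify_headers)"   # cache=hit expected
  verify_bump "$host"
fi
```

Run it once right after starting the container and again after adding squid.crt to the trust store; the second run should still report the same issuer chain, which confirms that the certificate you trusted is the one the proxy actually uses.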

Squid configuration

This repository provides a default configuration file, src/squid.conf. It is a minimal configuration enabling:

  • SSL bumping (to cache both HTTP and HTTPS traffic)
  • Disk cache

You can mount your own configuration with:

--volume /path/to/your/conf:/etc/squid/squid.conf
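Before mounting your own configuration, make sure it does not turn the container into an open proxy and that Squid accepts it. The script below is an added example, not part of the repository; it assumes the image was built locally as squid-openssl (see "Building image") and that the image's squid binary is on PATH inside the container. audit_http_access reads a squid.conf and fails unless the http_access rules end with a catch-all deny and contain no "allow all"; parse_conf runs Squid's own "squid -k parse" on the file inside a throwaway container, which reports syntax errors and unknown directives without starting the proxy.

```bash
#!/usr/bin/env bash
# Added example, not part of the squid-openssl repository.
# Assumes the image is tagged "squid-openssl" and that "squid" is on PATH in it.
set -eu

# audit_http_access FILE: exit 0 only if the http_access rules in FILE end with
# "deny all" and no rule is "allow all". Without a final deny, anyone who can
# reach port 3128 can relay (cached and TLS-bumped) traffic through the proxy.
audit_http_access() {
  awk '
    # drop comments and blank lines, keep only http_access rules
    { sub(/#.*/, ""); if ($1 != "http_access") next }
    { last = $2 " " $3 }
    $2 == "allow" && $3 == "all" { open = 1 }
    END {
      if (open) { print "FAIL: http_access allow all makes this an open proxy"; exit 1 }
      if (last != "deny all") {
        print "FAIL: last http_access rule is \"" last "\", expected \"deny all\""; exit 1
      }
      print "OK: http_access ends with deny all"
    }' "$1"
}

# parse_conf FILE: let Squid parse the configuration inside the container.
# --entrypoint bypasses the image start script so nothing else is initialized.
parse_conf() {
  abs="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  podman run --rm --entrypoint squid \
    --volume "$abs":/etc/squid/squid.conf:ro \
    squid-openssl -k parse -f /etc/squid/squid.conf
}

# Usage: ./check-conf.sh /path/to/your/squid.conf
if [ "$#" -gt 0 ]; then
  audit_http_access "$1"
  parse_conf "$1"
fi
```

The audit is deliberately strict about ordering: Squid evaluates http_access rules top to bottom and applies the first match, so an "allow" placed after a missing or misplaced "deny all" is reachable by every client.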

Accessing logs

Logs are stored in $SQUID_LOG:

tail $SQUID_LOG/access.log

Alternatively, you can see Squid's logs through the container:

podman logs squid

Removing Squid

  1. Remove container

    podman stop squid && podman rm squid
  2. Remove created files

    rm -rf $SQUID_CACHE $SQUID_LOG $SQUID_SSL
  3. Remove the Squid certificate from the trusted certificates (if you added it)

    This depends on your system. Ubuntu 24.04 example:

    rm /usr/local/share/ca-certificates/squid.crt
    update-ca-certificates -f
