{"id":13580478,"url":"https://github.com/salrashid123/squid_proxy","last_synced_at":"2026-01-02T17:31:56.797Z","repository":{"id":49792357,"uuid":"102814898","full_name":"salrashid123/squid_proxy","owner":"salrashid123","description":"Multi-mode Squid Proxy container running SSL intercept","archived":false,"fork":false,"pushed_at":"2024-04-09T02:56:50.000Z","size":146,"stargazers_count":126,"open_issues_count":2,"forks_count":46,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-01-22T17:46:59.822Z","etag":null,"topics":["squid-proxy","squid3"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-08T03:48:21.000Z","updated_at":"2025-01-08T04:38:56.000Z","dependencies_parsed_at":"2024-01-16T20:29:24.832Z","dependency_job_id":"fdbbebaa-02eb-4bf8-9012-200522695c4d","html_url":"https://github.com/salrashid123/squid_proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsquid_proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsquid_proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsquid_proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsquid_proxy/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/squid_proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243828567,"owners_count":20354521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["squid-proxy","squid3"],"created_at":"2024-08-01T15:01:52.179Z","updated_at":"2026-01-02T17:31:56.754Z","avatar_url":"https://github.com/salrashid123.png","language":"Dockerfile","funding_links":[],"categories":["Dockerfile"],"sub_categories":[],"readme":"\n# Squid Proxy \n\n\nSample squid proxy and Dockerfile demonstrating various config modes.\n\nThe Dockerfile (and the resulting image) compiles squid with `ssl_crtd` enabled, which allows for SSL intercept and rewrite.\n\nThe corresponding docker image is on dockerhub:\n\n-  [https://hub.docker.com/r/salrashid123/squidproxy/](https://hub.docker.com/r/salrashid123/squidproxy/)\n\nThe image has no entrypoint set, to allow you to test and run different modes.\n\nTo run the image, simply invoke a shell in the container and start squid in the background for the mode you\nare interested in.\n\nThis image should be used for debugging and testing, so I've left a lot of stuff in the Dockerfile (eg, gcc, python, etc).  \n\nIf you really want to use this in prod, modify the image and minimize the footprint (use multistage builds, alpine, `distroless` images, etc).\n\n\n```bash\ndocker run  -p 3128:3128 -ti docker.io/salrashid123/squidproxy /bin/bash\n```\n\n\u003e\u003e please note that the root CAs have been updated (on `1/9/22`.  
You can find the docker image with the original certs as `salrashid123/squidproxy:1` (or you can regenerate your own image from a prior commit))\n\nThe CAs currently provided are chained (`root-ca.crt` -\u003e `tls-ca.crt` -\u003e `server_crt.pem`), with the combined root and subordinate as `tls-ca-chain.pem`.\n\n\n#### changelog\n\n* 11/20/22: Upgrade to debian-11, `squid-5.7`: \n  * `docker.io/salrashid123/squidproxy@sha256:latest`\n  * `docker.io/salrashid123/squidproxy@sha256:`\n\n* 1/10/22:  Upgrade built-in CA, `squid-3.5.27`:  \n  * `docker.io/salrashid123/squidproxy@sha256:b46d3648443d675bb3ac020248495d5d7af1b7f3b683c3068e45c0f040aa5d9c`\n\n\nAlso see\n- [Squid proxy cluster with ssl_bump on Google Cloud](https://github.com/salrashid123/squid_ssl_bump_gcp)\n\n### FORWARD\n\nExplicit forward proxy mode proxies plain HTTP requests and tunnels HTTPS via CONNECT.\n\nLaunch:\n\n```\n$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.forward \u0026\n```\n\nthen in a new window run both http and https calls:\n\n```bash\ncurl -v -x localhost:3128 -L http://httpbin.org/get\ncurl -v -x localhost:3128 -L https://httpbin.org/get\n```\n\nyou should see GET and CONNECT entries in the access log within the container:\n\n```\n$ cat /apps/squid/var/logs/access.log\n1668952181.370    112 192.168.9.1 TCP_MISS/301 1560 GET http://www.bbc.com/ - HIER_DIRECT/151.101.0.81 text/html\n1668952181.517    146 192.168.9.1 TCP_TUNNEL/200 237935 CONNECT www.bbc.com:443 - HIER_DIRECT/151.101.0.81 -\n```\n\nYou can also set up allow/deny rules for the domain:\n- see [squid.conf.allow_domains](squid.conf.allow_domains)\n\n\nIf you want to use `https_port`, use `squid.conf.https_port`.  
For `https_port` see [curl options](https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/) like this:\n\n```bash\ncurl -v --proxy-cacert tls-ca.crt  --resolve  squid.yourdomain.com:3128:127.0.0.1  -x https://squid.yourdomain.com:3128  https://httpbin.org/get\n```\n\n\n### HTTPS INTERCEPT\n\n\nIn this mode, an HTTPS connection actually terminates the SSL connection _on the proxy_, which then proceeds to \ndownload the certificate for the server you intended to visit.   The proxy server then issues a new certificate with the \nsame specifications as the site you wanted to visit and sends that down to the client.\n\nEssentially, the squid proxy is acting as a man-in-the-middle.   Of course, your client needs to trust the proxy's CA certificate;\nif it does not, you will see a certificate warning.\n\n- [http://www.squid-cache.org/Doc/config/ssl_bump/](http://www.squid-cache.org/Doc/config/ssl_bump/)\n\nHere is the relevant squid conf setting to allow this:\n\nsquid.conf.intercept:\n```\n# Squid normally listens to port 3128\nvisible_hostname squid.yourdomain.com\n\nhttp_port 3128 ssl-bump generate-host-certificates=on cert=/apps/tls-ca.crt key=/apps/tls-ca.key\n\nalways_direct allow all\n\nacl excluded_sites ssl::server_name .wellsfargo.com\nssl_bump splice excluded_sites\nssl_bump bump all\n\nsslproxy_cert_error deny all\nsslcrtd_program /apps/squid/libexec/security_file_certgen -s /apps/squid/var/lib/ssl_db -M 4MB\nsslcrtd_children 8 startup=1 idle=1\n```\n\nThe configuration above will inspect all SSL traffic but only _splice_ traffic to wellsfargo.com, passing it through after viewing its intended SNI (`server_name`).  
You can use the splice capability to apply ACL rules against the SNI without inspecting the payload.\n\n- [SslPeekAndSplice](https://wiki.squid-cache.org/Features/SslPeekAndSplice)\n\n\nLaunch:\n```\n$ docker run  -p 3128:3128 -ti docker.io/salrashid123/squidproxy /apps/squid/sbin/squid -NsY -f /apps/squid.conf.intercept\n```\n\n\nthen in a new window, try to access a secure site:\n\n```bash\n$ wget https://raw.githubusercontent.com/salrashid123/squid_proxy/master/tls-ca.crt\n\n$ curl -v --proxy-cacert tls-ca.crt --cacert tls-ca.crt -x localhost:3128  https://www.httpbin.org/get\n```\n\nyou should see the proxy intercept and recreate httpbin's public certificate:\n\n```\n* Server certificate:\n*  subject: CN=www.httpbin.org\n*  start date: Jan  9 22:05:43 2022 GMT\n*  expire date: Jan  9 22:05:43 2032 GMT\n*  subjectAltName: host \"www.httpbin.org\" matched cert's \"www.httpbin.org\"\n*  issuer: C=US; O=Google; OU=Enterprise; CN=Enterprise Subordinate CA       \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n*  SSL certificate verify ok.\n* TLSv1.2 (OUT), TLS header, Supplemental data (23):\n\u003e GET /get HTTP/1.1\n\u003e Host: www.httpbin.org\n\u003e User-Agent: curl/7.85.0\n\u003e Accept: */*\n\n```\n\nNote that the issuer is the proxy's CA certificate (`tls-ca.crt`), NOT httpbin's official public cert.\n\nNow try to access `www.wellsfargo.com`.  
The configuration above simply views the SNI information for this site without snooping on the data, so the certificate the client sees is the real one:\n\n```\n$ curl -vvvv --proxy-cacert tls-ca.crt --cacert tls-ca.crt -x localhost:3128  https://www.wellsfargo.com\n\n* Server certificate:\n*  subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=251212; C=US; ST=California; L=San Francisco; O=Wells Fargo \u0026 Company; CN=www.wellsfargo.com\n*  start date: Aug  3 00:00:00 2022 GMT\n*  expire date: Aug  3 23:59:59 2023 GMT\n*  subjectAltName: host \"www.wellsfargo.com\" matched cert's \"www.wellsfargo.com\"\n*  issuer: C=US; O=DigiCert Inc; CN=DigiCert EV RSA CA G2\n*  SSL certificate verify ok.\n```\n\n- Also see: [How to Add DNS Filtering to Your NAT Instance with Squid](https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/)\n\n#### Content Adaptation\n\n[content_adaptation/](content_adaptation) allows you to not just intercept SSL traffic, but to actually rewrite the content in both directions.\n\n### CACHE\n\nThis mode has caching enabled for HTTP traffic.\n\nLaunch:\n```\n$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.cache\n```\n\nRun two requests:\n```\ncurl -s -x localhost:3128 -L http://www.bbc.com/robots.txt\ncurl -s -x localhost:3128 -L http://www.bbc.com/robots.txt\n```\n\nThe first request is a TCP_MISS; the second is a TCP_MEM_HIT:\n```\n$ cat /apps/squid/var/logs/access.log\n1669042557.206     75 192.168.9.1 TCP_MISS/200 20927 GET http://www.bbc.com/robots.txt - HIER_DIRECT/151.101.0.81 text/plain\n1669042569.313      0 192.168.9.1 TCP_MEM_HIT/200 20935 GET http://www.bbc.com/robots.txt - HIER_NONE/- text/plain\n```\n\n### Basic Auth\n\nEnables squid proxy in default mode but requires a username and password for the proxy:\n\n - user: user1\n - password: user1\n\n\nLaunch:\n\n```\n$ /apps/squid/sbin/squid -NsY -f /apps/squid.conf.basicauth \u0026\n```\n\n```\n$ curl -v -x localhost:3128 --proxy-user user1:user1 -L http://httpbin.org/get\n```\n\nThe 
specific config for this mode:\n\nsquid.conf.basicauth:\n\n```\n#user1:user1\n#/apps/squid/squid_passwd:  user1:aje5nXwboMxWY\nauth_param basic program /apps/squid/libexec/basic_ncsa_auth /apps/squid_passwd\nacl authenticated proxy_auth REQUIRED\nhttp_access allow authenticated\nhttp_access deny all\n```\n\nLogs would show:\n\n```\n1669042602.565     37 192.168.9.1 TCP_MISS/200 606 GET http://httpbin.org/get user1 HIER_DIRECT/34.203.186.29 application/json\n```\n\n\n### Dockerfile\n```dockerfile\nFROM debian:11 AS build\nRUN apt-get -y update\n\nRUN apt-get install -y curl supervisor git openssl  build-essential libssl-dev wget vim curl git python3 python3-pip procps\nRUN mkdir -p /var/log/supervisor\nCOPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf\nWORKDIR /apps/\nRUN wget -O - http://www.squid-cache.org/Versions/v5/squid-5.7.tar.gz | tar zxfv - \\\n    \u0026\u0026 CPU=$(( `nproc --all`-1 )) \\\n    \u0026\u0026 cd /apps/squid-5.7/ \\\n    \u0026\u0026 ./configure --prefix=/apps/squid --enable-icap-client --enable-ssl --with-openssl --enable-ssl-crtd --enable-auth --enable-basic-auth-helpers=\"NCSA\" \\\n    \u0026\u0026 make -j$CPU \\\n    \u0026\u0026 make install \\\n    \u0026\u0026 cd /apps \\\n    \u0026\u0026 rm -rf /apps/squid-5.7\nADD . /apps/\n\nRUN chown -R nobody:nogroup /apps/\nRUN mkdir -p  /apps/squid/var/lib/\nRUN /apps/squid/libexec/security_file_certgen -c -s /apps/squid/var/lib/ssl_db -M 4MB\nRUN /apps/squid/sbin/squid -N -f /apps/squid.conf.cache -z\nRUN chown -R nobody:nogroup /apps/\nRUN chgrp -R 0 /apps \u0026\u0026 chmod -R g=u /apps\nRUN ln -s /usr/bin/python3 /usr/bin/python\n\nEXPOSE 3128\n#CMD [\"/usr/bin/supervisord\"]\n\n```\n\nLike I said, it's a bit of a large, bloated image.\n\n### Generating new CA\n\nThis repo and image come with a built-in CA (`root-ca.crt` is the true root CA that signed the subordinate CA `tls-ca.crt`; yes, I know it's confusing, but I used that sub-CA with that name).  
You are free to generate and volume mount your own CA.\n\n- [https://github.com/salrashid123/ca_scratchpad](https://github.com/salrashid123/ca_scratchpad)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fsquid_proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fsquid_proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fsquid_proxy/lists"}