diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 3fd4040..5e157b6 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -65,13 +65,38 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache - name: Test image - run: docker compose -f docker-compose.test.yml up --pull never sut + run: | + set -ex + docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut + docker compose -f docker-compose.test.yml down - - name: Build 'ssl-bump' image + - name: set base image for 'ssl-bump' run: | sed -i "s%FROM b4tman/squid%FROM $TEST_TAG%" ssl-bump/Dockerfile - docker build ssl-bump + + - name: Build 'ssl-bump' image + uses: docker/build-push-action@v5 + with: + context: . + push: false + load: true + tags: ${{ env.TEST_TAG }}-ssl-bump + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max + # Temp fix + # https://github.com/docker/build-push-action/issues/252 + # https://github.com/moby/buildkit/issues/1896 + - name: Move cache + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache + + - name: Test 'ssl-bump' image + run: | + set -ex + TEST_TAG="${TEST_TAG}-ssl-bump" docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut + docker compose -f docker-compose.test.yml down push: needs: test runs-on: ubuntu-20.04 diff --git a/docker-compose.test.yml b/docker-compose.test.yml index ecfb78b..7acf030 100644 --- a/docker-compose.test.yml +++ b/docker-compose.test.yml @@ -2,6 +2,8 @@ version: '2.3' services: proxy: image: "${TEST_TAG}" + volumes: + - './test_localnet.conf:/etc/squid/conf.d/test_localnet.conf:ro' healthcheck: test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"] interval: 5s diff --git a/ssl-bump/Dockerfile b/ssl-bump/Dockerfile index 3c77751..1c0f081 100644 --- a/ssl-bump/Dockerfile +++ b/ssl-bump/Dockerfile 
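Review bot: The new "Build 'ssl-bump' image" step appears to build the wrong Dockerfile: with `context: .` and no `file:` input, docker/build-push-action uses the Dockerfile at the repository root (presumably the base image's own), not `ssl-bump/Dockerfile` that the preceding sed step just rewrote, and the `COPY run.sh /` added to that Dockerfile in this same commit expects `run.sh` at the context root, which only `ssl-bump/` provides. The image tagged `${TEST_TAG}-ssl-bump` would then be a rebuild of the base image and the following "Test 'ssl-bump' image" step would pass without exercising ssl-bump at all; `context: ssl-bump` restores what `docker build ssl-bump` did. Separately, in both test steps `set -e` aborts the script when `up --exit-code-from sut` returns non-zero, so the `docker compose ... down` cleanup is skipped exactly on failure; `trap 'docker compose -f docker-compose.test.yml down' EXIT` placed before the `up` runs it either way. The `jobs:` mapping these steps belong to starts and ends outside the hunk.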
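Review bot: The bind mount opens `http_access` to every RFC 1918, CGN and link-local source range for the whole test run, which is far wider than the compose network the `sut` container presumably connects from; acceptable for a throwaway test stack, but nothing on these lines says so, and the short volume syntax is easy to copy into a production override. A comment above the new `volumes:` key such as `# test-only: widens http_access to all private ranges so sut can reach the proxy` makes the intent explicit; keeping `:ro` is correct. Whether the file is picked up at all depends on the image's squid.conf including `/etc/squid/conf.d/*.conf`, which I cannot see from the diff — the healthcheck passing would not prove that, only `sut` succeeding does. The `services:` mapping continues past the hunk.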
@@ -1,4 +1,5 @@
 FROM b4tman/squid
 
-USER root
-CMD ["sh", "-c", "(test -d /var/cache/squid/ssl_db || /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB) && /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
\ No newline at end of file
+COPY run.sh /
+
+CMD ["/run.sh"]
\ No newline at end of file
diff --git a/ssl-bump/run.sh b/ssl-bump/run.sh
new file mode 100644
index 0000000..025c182
--- /dev/null
+++ b/ssl-bump/run.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# init ssl_db
+if [ ! -d /var/cache/squid/ssl_db ]; then
+ /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1
diff --git a/test_localnet.conf b/test_localnet.conf
new file mode 100644
index 0000000..dedc763
--- /dev/null
+++ b/test_localnet.conf
@@ -0,0 +1,11 @@
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7 # RFC 4193 local private network range
+acl localnet1 src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager
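Review bot: `CMD ["/run.sh"]` will fail at container start because `run.sh` is added with git mode 100644 (see the `new file mode 100644` header for `ssl-bump/run.sh` in this same diff) and `COPY` preserves that mode, so `/run.sh` is not executable. Either commit the file as 100755, add `RUN chmod +x /run.sh` after the COPY, or use `COPY --chmod=755 run.sh /` (BuildKit, which the build-push-action step in this commit already implies). Dropping `USER root` is a welcome least-privilege change, but it means certgen and `squid -z` in run.sh now create `/var/cache/squid/ssl_db` as whatever user the base image sets — I cannot see that from the diff, so confirm that user can write there or the script fails on first start.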
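Review bot: `set -x` without `-e` drops the failure short-circuit that the removed `&&` chain in the Dockerfile CMD had: if `security_file_certgen` or `squid -z` fails, the script still reaches `exec squid`, so a broken ssl_db or cache directory is only discovered once the proxy is already serving. `set -ex` restores the previous behaviour while keeping the trace output. The `if [ ! -d ... ]` guard is equivalent to the old `test -d ... ||` form and reads better.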
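Review bot: Whether these `http_access allow` lines take effect depends on where the image's squid.conf includes `/etc/squid/conf.d/*.conf` relative to its own `http_access deny all`, since squid evaluates http_access rules in order and stops at the first match; the base config is not in the diff, so this is worth confirming once rather than inferring it from a passing test. The acl list is the stock localnet template and includes `0.0.0.1-0.255.255.255`, `100.64.0.0/10` and the link-local ranges, none of which a compose test network sources from; trimming it to the ranges the test actually uses, or at least a header line `# test-only ACL: bind-mounted by docker-compose.test.yml, never baked into the image`, documents the intent and discourages reuse elsewhere. `http_access allow localhost manager` is what the healthcheck's `mgr:info` query needs and is correctly scoped to localhost.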