bump squid to 7.5

chore: add dalink sponsor link first [skip ci]
Fix Dockerfile and Compose deprecation warnings
2026-05-26 14:06:12 +03:00 · 2026-03-16 16:59:26 +03:00 · 2026-03-13 12:43:29 +03:00 · 2026-03-05 14:23:55 +03:00 · 2026-03-05 13:56:44 +03:00 · 2026-03-04 13:07:25 +03:00
12 changed files with 159 additions and 95 deletions
@@ -0,0 +1 @@
+custom: ['https://dalink.to/b4tman1', 'https://boosty.to/0xffff']
@@ -5,6 +5,7 @@ on:
    # Publish `master` as Docker `latest` image.
    branches:
      - master
+      - v5

    # Publish `v1.2.3` tags as releases.
    tags:
@@ -15,27 +16,30 @@ on:
    branches:
      - "master"

+env:
+  TEST_TAG: b4tman/squid:test
+
 jobs:
  test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: b4tman
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@v5.0.3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -43,14 +47,14 @@ jobs:
            ${{ runner.os }}-buildx-

      - name: Build squid image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
-          tags: b4tman/squid
+          load: true # automatically load the single-platform build result to docker images
+          tags: ${{ env.TEST_TAG }}
          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-          outputs: type=image,name=b4tman/squid,push=false
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
@@ -61,17 +65,24 @@ jobs:
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Test image
-        run: docker-compose -f docker-compose.test.yml up sut
+        run: |
+          set -ex
+          docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down

+      - name: set base image for 'ssl-bump'
+        run: |
+          sed -i "s%FROM b4tman/squid%FROM $TEST_TAG%" ssl-bump/Dockerfile
+      
      - name: Build 'ssl-bump' image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
-          context: ssl-bump
+          context: .
          push: false
-          file: ssl-bump/Dockerfile
-          tags: b4tman/squid:ssl-bump
+          load: true
+          tags: ${{ env.TEST_TAG }}-ssl-bump
          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
@@ -80,17 +91,22 @@ jobs:
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
+          
+      - name: Test 'ssl-bump' image
+        run: |
+          set -ex
+          TEST_TAG="${TEST_TAG}-ssl-bump" docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
  push:
    needs: test
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: |
            b4tman/squid
@@ -104,7 +120,7 @@ jobs:

      - name: Docker meta (ssl-bump)
        id: meta_ssl_bump
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: |
            b4tman/squid
@@ -119,7 +135,7 @@ jobs:

      - name: Docker meta (ssl-bump ghcr)
        id: meta_ssl_bump_ghcr
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/b4tman/squid-ssl-bump
@@ -131,13 +147,13 @@ jobs:
            type=semver,pattern={{major}}.{{minor}}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@v5.0.3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -145,20 +161,20 @@ jobs:
            ${{ runner.os }}-buildx-

      - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: b4tman
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GHCR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}

      - name: Build squid image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
@@ -166,7 +182,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
@@ -177,7 +193,7 @@ jobs:
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Build 'ssl-bump' image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          context: ssl-bump
          push: true
@@ -197,7 +213,7 @@ jobs:
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Build 'ssl-bump' image for ghcr
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          context: ssl-bump
          push: true
@@ -206,7 +222,7 @@ jobs:
          tags: ${{ steps.meta_ssl_bump_ghcr.outputs.tags }}
          labels: ${{ steps.meta_ssl_bump_ghcr.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
@@ -18,7 +18,7 @@ jobs:
      pull-requests: write

    steps:
-    - uses: actions/stale@v4
+    - uses: actions/stale@v10
      with:
        days-before-stale: 182
        days-before-close: 7
@@ -1,6 +1,6 @@
-FROM alpine:3.15.0 as build
+FROM alpine:3.23.3 AS build

-ENV SQUID_VER 5.4
+ARG SQUID_VER=7.5

 RUN set -x && \
 	apk add --no-cache  \
@@ -9,7 +9,8 @@ RUN set -x && \
 		libc-dev \
 		curl \
 		gnupg \
-		libressl-dev \
+		openssl-dev \
+		openssl-libs-static \
 		perl-dev \
 		autoconf \
 		automake \
@@ -20,32 +21,33 @@ RUN set -x && \
 		libcap-dev \
 		linux-headers

-RUN set -x && \
-	mkdir -p /tmp/build && \
-	cd /tmp/build && \
-    curl -SsL http://www.squid-cache.org/Versions/v${SQUID_VER%%.*}/squid-${SQUID_VER}.tar.gz -o squid-${SQUID_VER}.tar.gz && \
-	curl -SsL http://www.squid-cache.org/Versions/v${SQUID_VER%%.*}/squid-${SQUID_VER}.tar.gz.asc -o squid-${SQUID_VER}.tar.gz.asc
-
-COPY squid-keys.asc /tmp
+WORKDIR /tmp/build

 RUN set -x && \
-	cd /tmp/build && \
-	export GNUPGHOME="$(mktemp -d)" && \
-	gpg --import /tmp/squid-keys.asc && \
+	curl -fSsL "https://github.com/squid-cache/squid/releases/download/SQUID_${SQUID_VER//./_}/squid-${SQUID_VER}.tar.gz" -o squid-${SQUID_VER}.tar.gz && \
+	curl -fSsL "https://github.com/squid-cache/squid/releases/download/SQUID_${SQUID_VER//./_}/squid-${SQUID_VER}.tar.gz.asc" -o squid-${SQUID_VER}.tar.gz.asc
+
+COPY squid-keys.asc /tmp/build
+
+RUN set -x && \
+	GNUPGHOME="$(mktemp -d)" && \
+	export GNUPGHOME && \
+	gpg --import squid-keys.asc && \
 	gpg --batch --verify squid-${SQUID_VER}.tar.gz.asc squid-${SQUID_VER}.tar.gz && \
 	rm -rf "$GNUPGHOME"
-	
+
 RUN set -x && \
-	cd /tmp/build && \	
 	tar --strip 1 -xzf squid-${SQUID_VER}.tar.gz && \
 	\
+	MACHINE=$(uname -m) && \
+	\
 	CFLAGS="-g0 -O2" \
 	CXXFLAGS="-g0 -O2" \
 	LDFLAGS="-s" \
 	\
 	./configure \
-		--build="$(uname -m)" \
-		--host="$(uname -m)" \
+		--build="$MACHINE" \
+		--host="$MACHINE" \
 		--prefix=/usr \
 		--datadir=/usr/share/squid \
 		--sysconfdir=/etc/squid \
@@ -56,7 +58,7 @@ RUN set -x && \
 		--disable-arch-native \
 		--enable-removal-policies="lru,heap" \
 		--enable-auth-digest \
-		--enable-auth-basic="getpwnam,NCSA,DB" \
+		--enable-auth-basic="getpwnam,NCSA,DB,RADIUS" \
 		--enable-basic-auth-helpers="DB" \
 		--enable-epoll \
 		--enable-external-acl-helpers="file_userip,unix_group,wbinfo_group" \
@@ -84,32 +86,27 @@ RUN set -x && \
 		--enable-storeio="diskd rock" \
 		--enable-ipv6 \
 		--enable-translation \
-		--disable-snmp \
+		--enable-snmp \
 		--disable-dependency-tracking \
 		--with-large-files \
 		--with-default-user=squid \
 		--with-openssl \
 		--with-pidfile=/var/run/squid/squid.pid

-# fix build
 RUN set -x && \
-    mkdir -p /tmp/build/tools/squidclient/tests && \
-    mkdir -p /tmp/build/tools/tests
-
-RUN set -x && \
-	cd /tmp/build && \
-	nproc=$(n=$(nproc) ; max_n=6 ; [ $n -le $max_n ] && echo $n || echo $max_n) && \
+	nproc=$(n=$(nproc) ; max_n=6 ; echo $(( n <= max_n ? n : max_n )) ) && \
 	make -j $nproc && \
-	make install && \
-	cd tools/squidclient && make && make install-strip
+	make install

-RUN sed -i '1s;^;include /etc/squid/conf.d/*.conf\n;' /etc/squid/squid.conf
-RUN echo 'include /etc/squid/conf.d.tail/*.conf' >> /etc/squid/squid.conf
+RUN sed -i '1s;^;include /etc/squid/conf.d/*.conf\n;' /etc/squid/squid.conf && \
+	echo 'include /etc/squid/conf.d.tail/*.conf' >> /etc/squid/squid.conf

-FROM alpine:3.15.0
+# --- --- --- --- --- --- --- --- ---
+
+FROM alpine:3.23.3
 	
-ENV SQUID_CONFIG_FILE /etc/squid/squid.conf
-ENV TZ Europe/Moscow
+ENV SQUID_CONFIG_FILE=/etc/squid/squid.conf
+ENV TZ=Europe/Moscow

 RUN set -x && \
 	deluser squid 2>/dev/null; delgroup squid 2>/dev/null; \
@@ -119,37 +116,33 @@ RUN apk add --no-cache \
 		libstdc++ \
 		heimdal-libs \
 		libcap \
-		libressl3.4-libcrypto \
-		libressl3.4-libssl \
-		libltdl	
+		libltdl \
+		apache2-utils \
+		curl \
+		tzdata

 COPY --from=build /etc/squid/ /etc/squid/
 COPY --from=build /usr/lib/squid/ /usr/lib/squid/
 COPY --from=build /usr/share/squid/ /usr/share/squid/
 COPY --from=build /usr/sbin/squid /usr/sbin/squid
-COPY --from=build /usr/bin/squidclient /usr/bin/squidclient

-		
+COPY --chmod=755 run.sh /
+
 RUN install -d -o squid -g squid \
 		/var/cache/squid \
 		/var/log/squid \
 		/var/run/squid && \
-	chmod +x /usr/lib/squid/*
-	
-RUN install -d -m 755 -o squid -g squid \
+	chmod +x /usr/lib/squid/* && \
+	install -d -m 755 -o squid -g squid \
 		/etc/squid/conf.d \
-		/etc/squid/conf.d.tail
-RUN touch /etc/squid/conf.d/placeholder.conf 
+		/etc/squid/conf.d.tail && \
+	touch /etc/squid/conf.d/placeholder.conf
+COPY localnet.conf /etc/squid/conf.d/
 COPY squid-log.conf /etc/squid/conf.d.tail/

-RUN	set -x && \
-	apk add --no-cache --virtual .tz alpine-conf tzdata && \ 
-	/sbin/setup-timezone -z $TZ && \
-	apk del .tz 	
-	
-VOLUME ["/var/cache/squid"]	
+VOLUME ["/var/cache/squid"]
 EXPOSE 3128/tcp

 USER squid

-CMD ["sh", "-c", "/usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
+CMD ["/run.sh"]
@@ -1,5 +1,3 @@
-[![Drone Build Status](https://cloud.drone.io/api/badges/b4tman/docker-squid/status.svg?ref=refs/heads/master)](https://cloud.drone.io/b4tman/docker-squid)
-![Docker Build Status](https://img.shields.io/docker/cloud/build/b4tman/squid)
 ![Docker Image CI Status](https://github.com/b4tman/docker-squid/workflows/Docker%20Image%20CI/badge.svg)

 # docker-squid
@@ -32,9 +30,21 @@ docker-compose up

 # Configuration

+By default, the image now includes a local network allow-list (`/etc/squid/conf.d/localnet.conf`) so clients from RFC1918/RFC4193 ranges can connect without mounting an extra ACL file.
+
+The image also includes `apache2-utils`, so you can generate and manage `htpasswd` files directly in the container for basic authentication setups.
+
+
 ## Environment variables:

 - **SQUID_CONFIG_FILE**: Specify the configuration file for squid. Defaults to `/etc/squid/squid.conf`.
+- **TZ**: Override the container timezone (for example, `Europe/Berlin`).
+
+You can configure Squid in multiple ways:
+
+- Replace the main configuration file by overriding `SQUID_CONFIG_FILE`.
+- Add configuration snippets to `/etc/squid/conf.d`: all `*.conf` files from this directory are included at the **beginning** of the default configuration.
+- Add configuration snippets to `/etc/squid/conf.d.tail`: all `*.conf` files from this directory are included at the **end** of the default configuration.

 ## Example:

@@ -1,20 +1,16 @@
-version: '2.3'
 services:
  proxy:
-    image: squidproxy
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: "${TEST_TAG}"
    healthcheck:
-      test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"]
+      test: ["CMD", "sh", "-exc", "curl -s -o /dev/null --max-time 3 -w '%{http_code}' 'http://127.0.0.1:3128/squid-internal-mgr/info' 2> /dev/null | grep -qF '200'"]
      interval: 5s
      timeout: 3s
      retries: 5
      start_period: 1s
  sut:
-    image: squidproxy
+    image: "${TEST_TAG}"
    links: 
      - proxy
    depends_on:
      - proxy
-    command: sh -exc "sleep 10 && squidclient -h proxy -T 3 'https://postman-echo.com/get?squidtest=ok' 2> /dev/null | grep -qF '200 OK'"
+    command: sh -exc "sleep 10 && curl --proxy='http://proxy:3128' -s -o /dev/null --max-time 3 -w '%{http_code}' 'https://postman-echo.com/get?squidtest=ok' 2> /dev/null | grep -qF '200'"
@@ -1,4 +1,3 @@
-version: '2'
 services:
  squid:
    image: 'b4tman/squid'
@@ -0,0 +1,11 @@
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8            # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12         # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16                # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7              # RFC 4193 local private network range
+acl localnet1 src fe80::/10             # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# force remove pid
+if [ -e /var/run/squid/squid.pid ]; then
+	rm -f /var/run/squid/squid.pid
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1
@@ -1,4 +1,9 @@
 FROM b4tman/squid

+COPY run.sh /
 USER root
-CMD ["sh", "-c", "(test -d /var/cache/squid/ssl_db || /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB) && /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
+RUN chmod 755 /run.sh
+
+USER squid
+
+CMD ["/run.sh"]
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -x
+
+# init ssl_db
+if [ ! -d /var/cache/squid/ssl_db ]; then
+	/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+fi
+
+# force remove pid
+if [ -e /var/run/squid/squid.pid ]; then
+	rm -f /var/run/squid/squid.pid
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1
				`@@ -0,0 +1 @@`
				`custom: ['https://dalink.to/b4tman1', 'https://boosty.to/0xffff']`